- Sebelius calls for review of Obamacare rollout woes
- American dream dying, but many see free market as solution: Poll
- Air Force base in South Carolina boots Nativity scene
- Israel poised for a $173M boost from the U.S. for missile defense
- Leon Panetta named as source of ‘Zero Dark Thirty’ scriptwriter’s information
- Mandela service sign language interpreter: ‘He made up his own signs’
- Pope Francis named Time’s ‘Person of the Year’
- Ben Affleck: Fundraising for Democrats started to ‘feel gross’
- Vladimir Putin orders military to boost presence in Arctic
- Brooklyn, N.Y.: ‘Lesbian capital’ of the Northeast
Mediocre hackers can cause major damage
Researchers find vital infrastructure, factories at risk
The computer systems that control vital industrial machinery in nuclear power plants, water treatment facilities and many other factories are vulnerable to deadly sabotage by hackers with even moderate skills, security researchers say.
Dillon Beresford, who works for security firm NSS Labs, showed at a security conference in Las Vegas how he had successfully hacked into special computer systems that are made by Siemens and other companies and are used in thousands of industrial plants.
The Siemens equipment that Mr. Beresford hacked, called Industrial Control Systems or ICS, is the same product targeted by Stuxnet, the sophisticated computer worm discovered last year to have crippled Iran's nuclear program.
Stuxnet reprogrammed the computer-controlled centrifuges used to enrich uranium so that they spun out of control and destroyed themselves.
What Mr. Beresford's work shows is "you don't need Stuxnet to do real damage" to industrial plants, Vikram Phatak, chief technology officer of NSS Labs, told The Washington Times.
Joe Weiss, a veteran consultant on ICS security for several industries, said the key issue was that Mr. Beresford was able to hack the equipment even with no experience with ICS systems, a small budget and limited time.
"You don't have to be a nation state" to hack ICS systems, Mr. Weiss said. "The game has fundamentally changed."
Mr. Beresford, who devised the hacking technique over 2½ months in his bedroom, found a "back door" coded into the Siemens ICS system and several other security weaknesses. These vulnerabilities could allow a hacker with access to the computer network at the plant to shut down or even damage the machinery that the system controls, Mr. Phatak said.
"These systems were never designed with security in mind," said a senior Homeland Security cybersecurity official, speaking on the condition of anonymity because of department ground rules.
"Traditionally, these networks were not connected" to the public Internet, the official said.
However, in recent years, demands for greater productivity prompted more and more companies to connect their industrial networks to other company networks linked to the Internet.
Mr. Weiss said that in more than a dozen vulnerability assessments he had completed for clients, he found in every case "at least one remote access point connecting an ICS system to the 'outside world' [his clients] didn't know existed."
A spokesman for Siemens stressed that the company has worked for months with NSS Labs, Homeland Security and their clients to fix the vulnerabilities.
He noted that one of the company's computer-security specialists, Thomas Brandstetter, joined Mr. Beresford onstage for his presentation earlier this month at the Black Hat Security Conference in Las Vegas.
Last month, the Homeland Security Department issued a bulletin to critical infrastructure owners warning that the loose-knit Internet hacker collective called Anonymous had threatened attacks on U.S. and Canadian oil and gas companies.
The bulletin stated that the skill level associated with Anonymous attacks to date - like those involving the penetration of Web and email servers of state and local law enforcement - was low. The bulletin said it was on a par with the skill level of "script kiddies" - young, untrained hackers.
Yet hackers with more rudimentary skills can quickly exploit security flaws like those identified by Mr. Beresford. "Once the vulnerabilities make their way into open source, that lowers the [skill] bar down to a 'script kiddie' level," said the Homeland Security official.
Mr. Weiss said the exact level of skill required to hack an ICS system would depend on the setup at the facility and the kind of attack the hackers wanted to carry out.
"If you just want to stop the facility, that's one thing," he said. "If you want to destroy the machinery [as Stuxnet did], that's harder."
© Copyright 2013 The Washington Times, LLC. Click here for reprint permission.
About the Author
By Donald Lambro
Growth spikes are little more than trend-free anomalies
- Teen thugs in DC run wild -- even while wearing GPS ankle bracelets
- New budget accord saves $23 billion -- after $65 billion spending spree
- VEGAS RULES: Harry Reid pushed feds to change ruling for casino's big-money foreigners
- More than a quarter million sign up for Obamacare in November
- Obama takes 'selfie' at Mandela's funeral service
- CARSON: Why did the founders give us the Second Amendment?
- Obama's antics at Nelson Mandela tribute: Jovial conversation, handshake with Raul Castro
- MILLER: Dick Heller challenges D.C.s gun registration, files for summary judgement in Heller II
- Gov't Motors: Obama fudges math on auto bailout, $10.5 billion loss for taxpayers
- FITTON: A closer look at the Benghazi lie
Independent voices from the The Washington Times Communities
All of the world’s problems, solved on your back porch
Human interest stories to feed interest, satisfy curiosity and see outside the box.
Politics, economics, and business from a real world perspective.
News and views on the Civil War.
White House pets gone wild!
Let it snow