28 April 2009 | 3,799 views

Industrial Control Systems Safe? I Think Not

Check For Vulnerabilities with Acunetix

It seems like there is some serious hacking going on, attacks on power stations and industrial control systems.

You’d think most of these systems would be offline, or at least behind a solid DMZ. But as we’ve seen before they often get exposed by people plugging into the LAN then accessing the net through dial-up or nowadays through mobile data (HSDPA/3G etc.).

The sad thing is deaths have actually resulted from such intrusions.

The networks powering industrial control systems have been breached more than 125 times in the past decade, with one resulting in U.S. deaths, a control systems expert said Thursday.

Joseph Weiss, managing partner of control systems security consultancy Applied Control Solutions, didn’t detail the breach that caused deaths during his testimony before a U.S. Senate committee, but he did say he’s been able to find evidence of more than 125 control systems breaches involving systems in nuclear power plants, hydroelectric plants, water utilities, the oil industry and agribusiness.

“The impacts have ranged from trivial to significant environmental damage to significant equipment damage to deaths,” he told the Senate Commerce, Science and Transportation Committee. “We’ve already had a cyber incident in the United States that has killed people.”

More than 125 breaches? That’s quite a significant number. The scary part is the Nuclear plants, imagine if a cyberterrorist or hacker can cause a Nuclear meltdown or malfunction in a Nuclear facility?

I’d like to see the US government look into this area a little more and perhaps implement some new standards for Control System security.

It’s an area that really needs tighter security and legislation.

At other times, Weiss has talked about a June 1999 gasoline pipeline rupture near Bellingham, Washington. That rupture spilled more than 200,000 gallons of gasoline into two creeks, which ignited and killed three people. Investigators found several problems that contributed to the rupture, but Weiss has identified a computer failure in the pipeline’s central control room as part of the problem.

It could take the U.S. a long time to dig out from coordinated attacks on infrastructure using control systems, Weiss told senators. Damaged equipment could take several weeks to replace, he said. A coordinated attack “could be devastating to the U.S. economy and security,” he said. “We’re talking months to recover. We’re not talking days.”

The industrial control system industry is years behind the IT industry in protecting cybersecurity, and some of the techniques used in IT security would damage control systems, Weiss added. “If you penetration-test a legacy industrial control system, you will shut it down or kill it,” he said. “You will be your own hacker.”

The problem with these kind of attacks is they might involve multiple vectors in one attack which means it takes a long long time to investigate and work out what actually happened.

It’s backwards too because Industrial Control Systems are so important in our lives but their security is so so far behind.

Definitely an area to watch, I hope some positive improvements are made.

Source: CIO (Thanks Navin)



Recent in General Hacking:
- Dradis v2.9 – Information Sharing For Security Assessments
- MagicTree v1.3 Available For Download – Pentesting Productivity
- Kvasir – Penetration Testing Data Management Tool

Related Posts:
- Exploits For Popular SCADA Programs Made Public
- Smart Grid Security Risks – Not So Smart Electricity Meters
- Obama To Create Cyber Security Czar In White House

Most Read in General Hacking:
- 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) - 1,136,328 views
- Hack Tools/Exploits - 579,903 views
- Password Cracking with Rainbowcrack and Rainbow Tables - 413,500 views

Low-cost VPS Hosting

3 Responses to “Industrial Control Systems Safe? I Think Not”

  1. Alan 28 April 2009 at 10:53 am Permalink

    Having studied and worked briefly in control systems and PLC before starting my IT career, which led into IT Security, I can say that I am not in the least bit surprised as I have seen the slow grinding of the wheels leading up to this.

    Control systems were traditionally seperate from TCP networks due to differences in protocols used and in many cases equipment used in IT cannot withstand the environments most industrial control systems run in, but the biggest safe point was that control systems as a whole are usually self contained as one complete system.

    The problem that we see in this article is that the convenience of remote monitoring and the monitoring of multiple control systems that are hard to replace/upgrade into more intelligent control systems and campus wide monitoring has invariably led to rather sloppy integration, poor sanity checks and also allowing these monitoring systems to influence and control these legacy systems.

    The biggest mistake is making it possible for people to attach these systems to any ‘public’ network and by public I mean any network that would break the self containment of the system.

    Most of these system were designed as a complete solution and meant to run for decades with no change other than wear and tear replacements. They have no chance against modern systems and anything further than monitoring is tantamount to suicide.

  2. Navin 28 April 2009 at 11:41 am Permalink

    yeah I completely agree with darknet….see we all point fingers at the taliban saying tht they may get their hands on pakistani nukes….but the fact is tht the probability of the same being done by a cyber security n00b…..I’m pretty sure U heard of the CERN LHC being hacked as well….this shows how major establishments are under threat!!

  3. Morgan Storey 29 April 2009 at 4:49 am Permalink

    Geez airgap people. I found it amusing that in BSG they didn’t network their systems to guard against compromise, maybe we should take a leaf out of this sci-fi book.
    Critical systems should simply either not be networked at all, or in a minor fashion, but never connected to a non-critical or internet network.
    Lock down the physical so you can’t plug in a USB wireless/pcmcia device.