It seems like there is some serious hacking going on, attacks on power stations and industrial control systems.
You’d think most of these systems would be offline, or at least behind a solid DMZ. But as we’ve seen before they often get exposed by people plugging into the LAN then accessing the net through dial-up or nowadays through mobile data (HSDPA/3G etc.).
The sad thing is deaths have actually resulted from such intrusions.
The networks powering industrial control systems have been breached more than 125 times in the past decade, with one resulting in U.S. deaths, a control systems expert said Thursday.
Joseph Weiss, managing partner of control systems security consultancy Applied Control Solutions, didn’t detail the breach that caused deaths during his testimony before a U.S. Senate committee, but he did say he’s been able to find evidence of more than 125 control systems breaches involving systems in nuclear power plants, hydroelectric plants, water utilities, the oil industry and agribusiness.
“The impacts have ranged from trivial to significant environmental damage to significant equipment damage to deaths,” he told the Senate Commerce, Science and Transportation Committee. “We’ve already had a cyber incident in the United States that has killed people.”
More than 125 breaches? That’s quite a significant number. The scary part is the Nuclear plants, imagine if a cyberterrorist or hacker can cause a Nuclear meltdown or malfunction in a Nuclear facility?
I’d like to see the US government look into this area a little more and perhaps implement some new standards for Control System security.
It’s an area that really needs tighter security and legislation.
At other times, Weiss has talked about a June 1999 gasoline pipeline rupture near Bellingham, Washington. That rupture spilled more than 200,000 gallons of gasoline into two creeks, which ignited and killed three people. Investigators found several problems that contributed to the rupture, but Weiss has identified a computer failure in the pipeline’s central control room as part of the problem.
It could take the U.S. a long time to dig out from coordinated attacks on infrastructure using control systems, Weiss told senators. Damaged equipment could take several weeks to replace, he said. A coordinated attack “could be devastating to the U.S. economy and security,” he said. “We’re talking months to recover. We’re not talking days.”
The industrial control system industry is years behind the IT industry in protecting cybersecurity, and some of the techniques used in IT security would damage control systems, Weiss added. “If you penetration-test a legacy industrial control system, you will shut it down or kill it,” he said. “You will be your own hacker.”
The problem with these kind of attacks is they might involve multiple vectors in one attack which means it takes a long long time to investigate and work out what actually happened.
It’s backwards too because Industrial Control Systems are so important in our lives but their security is so so far behind.
Definitely an area to watch, I hope some positive improvements are made.
Source: CIO (Thanks Navin)
- Dradis v2.9 – Information Sharing For Security Assessments
- MagicTree v1.3 Available For Download – Pentesting Productivity
- Kvasir – Penetration Testing Data Management Tool
- Exploits For Popular SCADA Programs Made Public
- Smart Grid Security Risks – Not So Smart Electricity Meters
- Obama To Create Cyber Security Czar In White House
Most Read in General Hacking:
- 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) - 1,136,328 views
- Hack Tools/Exploits - 579,903 views
- Password Cracking with Rainbowcrack and Rainbow Tables - 413,500 views