
‘It’s Just Too Easy’: Hackers Share Their Thoughts on the Security of Industrial Control Systems

Computer Hackers Large and Small Cite Ludicrous Vulnerabilities in Major Industrial Controller Systems


We all know there are professional hackers — good and bad — constantly revealing vulnerabilities in both private and government systems. Over the weekend in a Washington Post investigative piece, many of them spoke out on just how insecure systems are — especially with all the industrial entities hooking up to the Internet.

The Post’s “Cyber search engine Shodan exposes industrial control systems to new risks” explains that the Stuxnet worm, which allegedly attacked Iranian nuclear facilities in 2010, is what really turned the eye of hackers onto the vulnerabilities of industrial systems. But John Matherly created a search engine — Shodan — that showcased industrial vulnerabilities even before this high-profile attack and has been doing so ever since:

Matherly and other Shodan users quickly realized they were revealing an astonishing fact: Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers.

[...]

“There’s no reason these systems should be exposed that way,” Matherly said. “It just seems ludicrous.”

The rise of Shodan illuminates the rapid convergence of the real world and cyberspace, and the degree to which machines that millions of people depend on every day are becoming vulnerable to intrusion and digital sabotage. It also shows that the online world is more interconnected and complex than anyone fully understands, leaving us more exposed than we previously imagined.

Shodan is described as “the world’s first computer search engine that lets you search the Internet for computers. . . . Find devices based on city, country, latitude/longitude, hostname, operating system and IP.” It is a website that Matherly told the Post he hopes will improve security.

The security firm Digital Bond, according to the Post, recently reviewed seven major control systems and was able to gain access to six of them through software flaws. K. Reid Wightman, a former Pentagon employee who now works for Digital Bond as a researcher, said that the team was able to hack most of the controllers within a day.


“It’s just too easy,” he told the Post. “If we can do it, imagine what a well-funded foreign power could do.”

Connecting industrial infrastructure to the Internet has competitive benefits: it is reported to help streamline procedures and cut costs. The alleged hack of a Springfield, Ill., water utility in November 2011 highlights how concerning these security flaws can be. The Blaze reported at the time that the utility appeared to have been accessed from an IP address in Russia, coinciding with an equipment malfunction. It was later revealed to be a false alarm: not a hack at all, but a contractor taking a moment to do his job while he was on vacation with his family in Russia. Still, the incident was eye-opening for many involved.

Shortly thereafter, the Post reports, an anonymous hacker wanted to show how easy it would be to infiltrate a similar system. How easy was it? The hacker wrote that breaking into a Houston, Texas, water utility “required almost no skill.” In the utility’s defense, the Post reports, the compromised controller was installed more than 10 years ago, before anyone thought hacking would ever be a possibility:

“Nobody gave it a second thought,” Mayor Joe Soto said. “When it was put in, we didn’t have terrorists.”

The intrusion took all of 10 minutes. The hacker did not cause any damage. Instead, he recorded images of the control system as proof of how easy it was for him to get in.

“I didn’t actually know what the machine was going to control when I started, but I logged in, and well, saw the stuff I took screen shots of,” he said in an e-mail exchange. “I was just amazed.”

So was Soto, after he saw images of the plant’s control panels on the Internet. He and other town officials ordered the gap closed immediately and then considered the implications.

“We’re probably not the only one who is wide open,” Soto said later. “He caught everyone with our pants down.”

Foreign attacks are a concern, but the Post also quotes one industrious hacker who believes it doesn’t take a nation to take down systems like this. Dillon Beresford, a security consultant, went about hacking into Siemens’ S7 line of controllers. It took several weeks, but he did crack them.

“I crushed it,” he said to the Post. “All average guys, your typical hacker, could very easily replicate this.”

The Post reports he sent his findings to the Department of Homeland Security, which confirmed he had revealed vulnerabilities and issued a security announcement about them.

Last month, the DHS also confirmed a slew of cyberattacks dating back to December. Real News for the Blaze recently discussed these cybersecurity issues.

Read more of the Washington Post’s in-depth feature on the state of critical infrastructure from the hacker’s perspective here.

Comments (4)

  • imfrzn
    Posted on June 7, 2012 at 8:00am

    The rationale for networking industrial systems is primarily driven by cost savings. It generally means jobs lost and slow response when equipment fails. Another sound reason to unplug from the Internet.

  • poweruser19
    Posted on June 7, 2012 at 4:55am

    This is a sobering story, a lot of companies across America are running some kind of networked system to have control over plant processes, this could have an effect on not only government control systems but private corporations that have to conform to government regulations on manufacturing processes.
    Wake up America the geeks have taken over “revenge of the nerds”.

    • ICanComment
      Posted on June 7, 2012 at 6:23am

      I can’t speak within the context of power plants, utilities, etc, but I can tell you with a reasonable amount of certainty:

      Within the context of companies running control systems for internal processes, security is barely an afterthought. This is because the engineers and techs that set up these systems are thinking about how to control the process rather than the potential for someone to gain access. Often it’s very difficult to secure the control systems because they were never designed with security in mind. Sure, they’re password protected, but often the password isn’t set or is weak, and the device or PC has no other security measures in place. (Resisting a dictionary attack, exploits, etc)

      That being said, most of those processes are inside professionally maintained internal networks. (I hope?) If an intruder gained access to the average company LAN, there are often all sorts of dangerous processes that are left all but wide open. While this isn’t quite my area of expertise, my thinking is that the best way to secure these processes is to isolate them. At the very least, put them on private subnets that are at least moderately formidable to breach. Better still, physically isolate these internal networks from the outside world, as is insinuated by this article.

  • gmontie
    Posted on June 6, 2012 at 10:21pm

    If it’s on the internet it will be hacked. Infrastructure like this should have never been put on the Internet EVER.

