It's Just Too Easy': Hackers Share Their Thoughts on the Security of Industrial Control Systems

We all know there are professional hackers -- good and bad -- constantly revealing vulnerabilities in both private and government systems. Over the weekend in a Washington Post investigative piece, many of them spoke out on just how insecure systems are -- especially with all the industrial entities hooking up to the Internet.

The Post's "Cyber search engine Shodan exposes industrial control systems to new risks" explains that the Stuxnet worm, which allegedly attacked Iranian nuclear facilities in 2010, is what really turned the eye of hackers onto the vulnerabilities of industrial systems. But John Matherly created a search engine -- Shodan -- that showcased industrial vulnerabilities even before this high-profile attack and has been doing so ever since:

Matherly and other Shodan users quickly realized they were revealing an astonishing fact: Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers.

[...]

“There’s no reason these systems should be exposed that way,” Matherly said. “It just seems ludicrous.”

The rise of Shodan illuminates the rapid convergence of the real world and cyberspace, and the degree to which machines that millions of people depend on every day are becoming vulnerable to intrusion and digital sabotage. It also shows that the online world is more interconnected and complex than anyone fully understands, leaving us more exposed than we previously imagined.

Shodan is described as “the world’s first computer search engine that lets you search the Internet for computers. . . . Find devices based on city, country, latitude/longitude, hostname, operating system and IP.” It is a website that Matherly told the Post he hopes will improve security.

The security firm Digital Bond, according to the Post, recently conducted a review of seven major control systems, six of which they were able to gain access to through software flaws. K. Reid Wightman, who is a former Pentagon employee and now works for Digital Bond as a researcher, said that the team was able to hack most of the controllers within a day.

Watch the Post's video report on system security:

“It’s just too easy," he told the Post. "If we can do it, imagine what a well-funded foreign power could do.”

There are competitive benefits to hooking up industry infrastructure as is reported to help streamline procedures and cut costs. The alleged hack of a Springfield, Ill., water utility in November 2011 highlights how these security flaws can get concerning. The Blaze reported at the time that it appeared the utility was being accessed from an IP address in Russia -- corresponding with the timing of a malfunction in equipment. It was later revealed it was a false alarm. It wasn't a hack at all, but a contractor just taking a moment to do his job while he was on vacation with his family in Russia. Still, the incident was eye opening for many involved though.

Shortly thereafter the Post reports, an anonymous hacker wanted to show how easy it would be to infiltrate a similar system. How easy was it? The hacker wrote that breaking into a Houston, Texas, water utility "required almost no skill." To the utility's defense though, the Post reports, the compromised controller was installed more than 10 years ago before anyone thought hacking would ever be a possibility:

“Nobody gave it a second thought,” Mayor Joe Soto said. “When it was put in, we didn’t have terrorists.”

The intrusion took all of 10 minutes. The hacker did not cause any damage. Instead, he recorded images of the control system as proof of how easy it was for him to get in.

“I didn’t actually know what the machine was going to control when I started, but I logged in, and well, saw the stuff I took screen shots of,” he said in an e-mail exchange. “I was just amazed.”

So was Soto, after he saw images of the plant’s control panels on the Internet. He and other town officials ordered the gap closed immediately and then considered the implications.

“We’re probably not the only one who is wide open,” Soto said later. “He caught everyone with our pants down.”

Just as foreign attacks are of concern, the Post also notes one industrious hacker saying he believes it doesn't take a nation to take down systems like this. Dillon Beresford, a security consultant, went about hacking into Siemens S7 line of controllers. It took several weeks, but he did crack them.

“I crushed it,” he said to the Post. “All average guys, your typical hacker, could very easily replicate this.”

The Post reports he sent his findings to the Department of Homeland Security, which confirmed he had revealed vulnerabilities and issued a security announcement about them.

Last month, the DHS also confirmed a slew of cyberattacks dating back to December. Real News for the Blaze recently discussed these cybersecurity issues -- check out it out here.

Read more of the Washington Post's in-depth feature on the state of critical infrastructure from the hacker's perspective here.