Power Plant Plight: US utilities’ soft underbelly for hackers
Researchers Chris Sistrunk and Adam Crain have discovered 25 different security weaknesses that could potentially permit hackers to sabotage or crash the servers that control water systems and electric substations.
Throughout the course of their research, Sistrunk and Crain discovered that the products of more than 20 vendors had significant security vulnerabilities. Hackers could, for example, crash a power station's master server by driving it into an infinite loop, or cause power outages by remotely injecting their own makeshift code into a server.
“Every substation is controlled by the master, which is controlled by the operator,” Sistrunk told Wired, which broke the story. “If you have control of the master, you have control of the whole system, and you can turn on and off power at will.”
These security holes have generally been found in the serial and networking devices used to communicate between servers and substations. Since most defensive effort has gone into preventing cyberattacks via IP networks, the possibility of a breach through serial communication products has generally been deemed less of a risk. The truth of the matter, as Crain tells it, is that hacking into a power system via serial communication devices may be easier than going through the internet.
Part of the reason is that substations generally have very lax security; they are rarely staffed and are often surrounded only by a fence and monitored by a security camera. If physical access isn't possible, hackers could crack into a utility's wireless radio network and use that as a means of delivery.
“If someone tries to breach the control center through the Internet, they have to bypass layers of firewalls,” Crain said. “But someone could go out to a remote substation that has very little physical security and get on the network and take out hundreds of substations potentially. And they don’t necessarily have to get into the substation either.”
Of the more than two dozen vulnerabilities discovered, vendors have released security patches for nine of them. Bafflingly, however, many utilities have yet to install them because they underestimate the potential risk of attack. The fact that the security standards established by the North American Electric Reliability Corporation focus solely on IP communication also makes the problem worse.
In an attempt to raise awareness about the issue, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued multiple reports on the security weaknesses. Additionally, Crain and Sistrunk will speak on their research during Florida’s S4 security conference in January.