BreachExchange mailing list archives

Hackers discover flaws that may leave water and electricity networks vulnerable


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 13 Jan 2014 18:18:30 -0700

http://www.telegraph.co.uk/technology/internet-security/10568299/Hackers-discover-flaws-that-may-leave-water-and-electricity-networks-vulnerable.html

Researchers have discovered flaws in the SCADA computer systems which
control major infrastructure, including energy, oil and gas and
transportation.

Information security firm Positive Technologies discovered vulnerabilities
in the way that Siemens’ WinCC software encrypts and stores passwords in
its Project database. Hackers could exploit the flaws to gain access to
Programmable Logic Controllers - the systems responsible for controlling
machinery and other processes.

Researchers also found a vulnerability in another system, DAQConnect,
allowing hackers running a demonstration kiosk to access other SCADA
installations, but were simply told to “not do” the attacks by the
software’s manufacturer.

Supervisory control and data acquisition (SCADA) systems monitor and
control physical industrial processes and are used widely in industry.

The researchers estimate that 90 per cent of the systems they tested can be
hacked with Metasploit, a penetration testing software package which
simulates attacks on computers and networks. They also discovered 60,000
industrial control system devices at risk of attack; many of them were home
systems.

The company reported the vulnerabilities to manufacturers and computer
emergency response teams.

Daniel Tarasov, executive vice president at Positive Technologies, said
that if hackers were to attack utility companies’ SCADA systems, then water
and electricity supplies could easily be switched off.

Mr Tarasov said: “If this happens in IT systems, the worst that can happen
is your system stops working, but when you’re talking about power plants,
then your power stops working.

“Anything that’s connected to critical infrastructure is very serious,
basically the consequence can be from really small to really huge and
catastrophic.

“The main problem is that this world of ICS and SCADA systems was
historically offline, so if you put the system in place, you could control
your train and it was not in any way connected to your office network or
corporate network or the internet, but now the situation is changing. Most
of the equipment is now connected to your corporate network, which in turn
is connected to the outside world.”

The Telegraph has contacted Siemens for comment.

In June 2010, a computer worm caused damage at Iran’s Natanz nuclear plant
by tampering with SCADA control systems.

Stuxnet allows hackers to secretly take control of industrial equipment and
is designed to ‘pass over’ personal computer systems.

Internet security organisation Norton said: “It is the first computer virus
to be able to wreak havoc in the physical world. It is sophisticated,
well-funded, and there are not many groups that could pull this kind of
threat off. It is also the first cyberattack we’ve seen specifically
targeting industrial control systems.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
