10K Reasons to Worry About Critical Infrastructure

[InfoSec News <alerts () infosecnews org>]

http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/

By Kim Zetter
Threat Level
Wired.com
January 24, 2012

MIAMI, Florida -- A security researcher was able to locate and map more 
than 10,000 industrial control systems hooked up to the public internet, 
including water and sewage plants, and found that many could be open to 
easy hack attacks, due to lax security practices.

Infrastructure software vendors and critical infrastructure owners have 
long maintained that industrial control systems (ICSes) — even if rife 
with security vulnerabilities — are not at risk of penetration by 
outsiders because they’re “air-gapped” from the internet — that is, 
they’re not online.

But Eireann Leverett, a computer science doctoral student at Cambridge 
University, has developed a tool that matches information about ICSes 
that are connected to the internet with information about known 
vulnerabilities to show how easy it could be for an attacker to locate 
and target an industrial control system.

“Vendors say they don’t need to do security testing because the systems 
are never connected to the internet; it’s a very dangerous claim,” 
Leverett said last week at the S4 conference, which focuses on the 
security of Supervisory Control and Data Acquisition systems (SCADA) 
that are used for everything from controlling critical functions at 
power plants and water treatment facilities to operating the assembly 
lines at food processing and automobile assembly plants.

[...]

_____________________________________________________
Did a friend send you this article? Make it your
New Year's Resolution to subscribe to InfoSec News!
http://www.infosecnews.org/mailman/listinfo/isn