Researchers have discovered flaws in the SCADA computer systems which
control major infrastructure, including energy, oil and gas and
transportation.
Information security firm Positive Technologies discovered vulnerabilities in the way that Siemens’ WinCC software encrypts and stores passwords in its Project database. Hackers could exploit the flaws to gain access to Programmable Logic Controllers - the systems responsible for controlling machinery and other processes.
Researchers also found a vulnerability in another system, DAQConnect, allowing hackers running a demonstration kiosk to access other SCADA installations, but were simply told to “not do” the attacks by the software’s manufacturer.
Supervisory control and data acquisition (SCADA) systems monitor and control physical industrial processes and are used widely in industry.
The researchers estimate that 90 per cent of the systems they tested can be hacked with Metasploit, a penetration testing software package which simulates attacks on computers and networks. They also discovered 60,000 industrial control system devices at risk of attack; many of them were home systems.
The company reported the vulnerabilities to manufacturers and computer emergency response teams.
Daniel Tarasov, executive vice president at Positive Technologies, said that if hackers were to attack utility companies’ SCADA systems, then water and electricity supplies could easily be switched off.
Mr Tarasov said: “If this happens in IT systems, the worst that can happen is your system stops working, but when you’re talking about power plants, then your power stops working.
“Anything that’s connected to critical infrastructure is very serious, basically the consequence can be from really small to really huge and catastrophic.
“The main problem is that this world of ICS and SCADA systems was historically offline, so if you put the system in place, you could control your train and it was not in any way connected to your office network or corporate network or the internet, but now the situation is changing. Most of the equipment is now connected to your corporate network, which in turn is connected to the outside world.”
The Telegraph has contacted Siemens for comment.
In June 2010, a computer worm caused damage at Iran’s Natanz nuclear plant by tampering with SCADA control systems.
Stuxnet allows hackers to secretly take control of industrial equipment and is designed to ‘pass over’ personal computer systems.
Internet security organisation Norton said: “It is the first computer virus to be able to wreak havoc in the physical world. It is sophisticated, well-funded, and there are not many groups that could pull this kind of threat off. It is also the first cyberattack we’ve seen specifically targeting industrial control systems.”
Information security firm Positive Technologies discovered vulnerabilities in the way that Siemens’ WinCC software encrypts and stores passwords in its Project database. Hackers could exploit the flaws to gain access to Programmable Logic Controllers - the systems responsible for controlling machinery and other processes.
Researchers also found a vulnerability in another system, DAQConnect, allowing hackers running a demonstration kiosk to access other SCADA installations, but were simply told to “not do” the attacks by the software’s manufacturer.
Supervisory control and data acquisition (SCADA) systems monitor and control physical industrial processes and are used widely in industry.
The researchers estimate that 90 per cent of the systems they tested can be hacked with Metasploit, a penetration testing software package which simulates attacks on computers and networks. They also discovered 60,000 industrial control system devices at risk of attack; many of them were home systems.
The company reported the vulnerabilities to manufacturers and computer emergency response teams.
Daniel Tarasov, executive vice president at Positive Technologies, said that if hackers were to attack utility companies’ SCADA systems, then water and electricity supplies could easily be switched off.
Mr Tarasov said: “If this happens in IT systems, the worst that can happen is your system stops working, but when you’re talking about power plants, then your power stops working.
“Anything that’s connected to critical infrastructure is very serious, basically the consequence can be from really small to really huge and catastrophic.
“The main problem is that this world of ICS and SCADA systems was historically offline, so if you put the system in place, you could control your train and it was not in any way connected to your office network or corporate network or the internet, but now the situation is changing. Most of the equipment is now connected to your corporate network, which in turn is connected to the outside world.”
The Telegraph has contacted Siemens for comment.
In June 2010, a computer worm caused damage at Iran’s Natanz nuclear plant by tampering with SCADA control systems.
Stuxnet allows hackers to secretly take control of industrial equipment and is designed to ‘pass over’ personal computer systems.
Internet security organisation Norton said: “It is the first computer virus to be able to wreak havoc in the physical world. It is sophisticated, well-funded, and there are not many groups that could pull this kind of threat off. It is also the first cyberattack we’ve seen specifically targeting industrial control systems.”
No comments:
Post a Comment