Not cyber myths: Hacking oil rigs, water plants, industrial infrastructure

Security researchers explain that attacks on oil rigs, pipelines, water pumps, industrial facilities, and the power grid are not myths born in the cyber-mist, but realities.

If about 55 million people were to suddenly lose power and be plunged into darkness because malware attacked the smart grid, would you rank that as a large-scale cyberattack? It happened a decade ago, according to Eugene Kaspersky of Kaspersky Lab. At the AFCEA Global Intelligence Forum, he said a worm designed to attack Windows systems unexpectedly attacked Unix servers instead, and that malware was responsible for the infamous Northeast blackout of 2003. However, "power companies do not admit that the blackout was caused by malware." The official public statement, Kaspersky said, is "that a control room software bug allowed an outage to cascade throughout the grid."

When the same worm struck Windows and "caused an epidemic that affected other users ranging from the U.S. Marine Corps to Australian rail," Kaspersky said a "cyberhooligan" wanted to criticize Microsoft and made it display "a message addressed to Microsoft founder Bill Gates." Kaspersky predicted that "we will see some really bad attacks" on critical infrastructure.

China's hackers take over decoy water plants

But we've been warned for years about supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), programmable logic controllers (PLCs), and how vulnerable U.S. critical infrastructure is to attack. So when the Chinese army hackers "Comment Crew" infiltrated a water control system, it was a good thing their target turned out to be a decoy set up by Trend Micro's Kyle Wilhoit. He deployed 12 honeypots that attackers mistook for actual ICS at water plants; of the 74 attacks he classed as critical, about half were attributed to China, and ten were "sophisticated enough to wrest complete control of the dummy control system." He described [pdf] many attackers as "opportunists," and only "one appeared to be the work of Comment Crew." Wilhoit said, "These attacks are happening and the engineers likely don't know."

Script kiddies can hack oil rigs, 'cause a complete environmental catastrophe'

At Black Hat, Cimation engineers Eric Forner and Brian Meixell took remote control of the programmable logic controller (PLC) on a simulated oil rig. They switched the pumps on and off until the rig sprayed liquid, which in real life would have been a pipeline rupture, while feeding the operator's display data that showed nothing wrong. Forner said, "We only had a 24-volt pump in the demo, but this [attack] could cause a complete environmental catastrophe."

Modern Human Machine Interfaces (HMIs) "are usually Windows workstation class machines running a display of the process being controlled," they wrote [pdf]. Also during their live demo, "they hacked the remote terminal unit's HMI interface and inserted a game of Solitaire on its screen." Their slides [pdf] go into more detail about attack vectors and owning a Windows workstation class machine, a Windows server class machine and a Windows engineering workstation. In fact, they said it wouldn't take a nation state to pull off this attack since script kiddies could do it. "Most Windows based machines are woefully out of date" and "many controllers are laughably insecure."
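What makes "laughably insecure" controllers so easy to drive is that the field protocols most PLCs speak carry no authentication at all: any host that can reach the controller's port can write to its outputs. The added example below is not code from the Cimation talk or from this article; it assumes the PLC speaks Modbus/TCP (the page does not name the protocol used in the demo) and uses hypothetical addresses and coil numbers. It builds the "Write Single Coil" frame that flips a pump on, parses it back, and runs a small detector over constructed sample traffic that flags write commands coming from anything other than the known HMI, which is the kind of check the water-plant honeypot section suggests most engineers do not have in place.

```python
import struct

# Modbus/TCP function codes (values from the public Modbus specification)
READ_COILS = 0x01
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
                   WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}


def build_write_single_coil(transaction_id, unit_id, coil_addr, on):
    """Build a Modbus/TCP 'Write Single Coil' request (function 0x05).

    MBAP header: transaction id (2), protocol id (2, always 0), length (2),
    unit id (1).  PDU: function code (1), coil address (2), value (2), where
    0xFF00 means ON and 0x0000 means OFF.  Note there is no credential or
    signature anywhere in the frame: reachability is authorization.
    """
    pdu = struct.pack(">BHH", WRITE_SINGLE_COIL, coil_addr, 0xFF00 if on else 0x0000)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_request(frame):
    """Parse the MBAP header and function code out of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("not Modbus (protocol id %d)" % proto)
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    func = frame[7]
    info = {"tid": tid, "unit": unit, "function": func,
            "is_write": func in WRITE_FUNCTIONS}
    if func == WRITE_SINGLE_COIL and len(frame) >= 12:
        addr, value = struct.unpack(">HH", frame[8:12])
        info["coil"] = addr
        info["on"] = value == 0xFF00
    return info


def flag_unexpected_writes(flows, hmi_hosts):
    """Return an alert for every write request to a PLC from a host that is not a known HMI.

    flows: iterable of (src_ip, dst_ip, frame_bytes).  In a plant these would come
    from a tap or SPAN port on the control LAN; here they are constructed records.
    """
    alerts = []
    for src, dst, frame in flows:
        try:
            req = parse_request(frame)
        except ValueError:
            continue  # not a well-formed Modbus request; ignore for this check
        if req["is_write"] and src not in hmi_hosts:
            alerts.append({"src": src, "plc": dst, "unit": req["unit"],
                           "function": req["function"],
                           "coil": req.get("coil"), "on": req.get("on")})
    return alerts


# Constructed sample traffic with hypothetical addresses: the HMI polls the PLC and
# stops pump coil 7; then a host that should never issue commands turns it back on.
HMI = "10.0.5.10"
PLC = "10.0.5.20"
ROGUE = "10.0.5.99"
SAMPLE_FLOWS = [
    (HMI, PLC, struct.pack(">HHHBBHH", 1, 0, 6, 1, READ_COILS, 0, 8)),  # read 8 coils
    (HMI, PLC, build_write_single_coil(2, 1, 7, False)),  # operator stops pump 7
    (ROGUE, PLC, build_write_single_coil(3, 1, 7, True)),  # attacker starts pump 7
]

if __name__ == "__main__":
    for alert in flag_unexpected_writes(SAMPLE_FLOWS, {HMI}):
        print("ALERT: %(src)s wrote coil %(coil)s=%(on)s on PLC %(plc)s unit %(unit)s" % alert)
```

The allowlist check is deliberately simple: the point is that with an unauthenticated protocol the only things standing between an attacker and the pump are network reachability and whether anyone is watching for writes from the wrong source.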

$40 to compromise an industrial facility from 40 miles away

Also at Black Hat, during a presentation called Compromising Industrial Facilities From 40 Miles Away, security researchers from IOActive shared their findings about industrial automation and control systems (IACS) that use wireless sensors to collect data. Critical decisions are made from the remote sensor measurements, so sending false data could have disastrous consequences. Lucas Apa and Carlos Penagos showed a live demo of "temperature injection," reporting [pdf slides] that the cost of the attack was a mere $40.

They were able to send fake measurements to the sensor data system and warned, "An untrusted user or group within a 40-mile range could read from and inject data into these devices using radio frequency (RF) transceivers."

For example, if an attacker injects a falsely low temperature reading into a loop that is supposed to hold a constant temperature, the controller compensates by adding heat the process does not need. The resulting rise in internal temperature could have catastrophic consequences: an overheated system can explode.
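The mechanism is easy to see in a small simulation. The following is an added example, not code from IOActive or from the article; it models the controller as a simple proportional heater loop and assumes a made-up sensor frame format (sensor id, counter, temperature, and a truncated HMAC-SHA256 tag under a per-sensor key), which no product on the page is claimed to use. A naive receiver trusts whatever arrives over the air, so one injected "20 C" reading pushes the heater to full power; a receiver that verifies the tag, enforces a strictly increasing counter against replay, and rejects physically implausible jumps ignores the injected frame and keeps the last good output.

```python
import hmac
import hashlib
import struct

SETPOINT_C = 80.0   # temperature the process is supposed to hold
MAX_HEATER = 100.0  # heater output, percent
MAX_STEP_C = 5.0    # largest believable change between consecutive readings


def heater_output(reading_c, gain=10.0):
    """Proportional controller: the lower the reported temperature, the harder it heats.
    A falsely low reading therefore drives the heater toward full power."""
    error = SETPOINT_C - reading_c
    return max(0.0, min(MAX_HEATER, gain * error))


def naive_controller(readings):
    """Trusts every reading heard on the air; returns the heater output per reading."""
    return [heater_output(r) for r in readings]


def encode_reading(sensor_id, counter, temp_c, key):
    """Assumed frame layout: sensor id (2) | counter (4) | temp*100 (2, signed) | tag (16).
    The tag is HMAC-SHA256 over the first 8 bytes, truncated to 16 bytes."""
    body = struct.pack(">HIh", sensor_id, counter, int(round(temp_c * 100)))
    tag = hmac.new(key, body, hashlib.sha256).digest()[:16]
    return body + tag


class AuthenticatedReceiver:
    """Accepts a reading only if its tag verifies under the sensor's key, its counter is
    strictly increasing (anti-replay), and the value is physically plausible."""

    def __init__(self, keys):
        self.keys = keys  # sensor_id -> per-sensor key
        self.last_counter = {}
        self.last_temp = {}
        self.rejected = []  # (reason, detail) for every frame thrown away

    def accept(self, msg):
        if len(msg) != 24:
            self.rejected.append(("bad length", len(msg)))
            return None
        body, tag = msg[:8], msg[8:]
        sensor_id, counter, raw = struct.unpack(">HIh", body)
        key = self.keys.get(sensor_id)
        if key is None:
            self.rejected.append(("unknown sensor", sensor_id))
            return None
        expected = hmac.new(key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            self.rejected.append(("bad tag", sensor_id))
            return None
        if counter <= self.last_counter.get(sensor_id, -1):
            self.rejected.append(("replay", sensor_id))
            return None
        temp = raw / 100.0
        prev = self.last_temp.get(sensor_id)
        if prev is not None and abs(temp - prev) > MAX_STEP_C:
            self.rejected.append(("implausible jump", sensor_id))
            return None
        self.last_counter[sensor_id] = counter
        self.last_temp[sensor_id] = temp
        return temp


def hardened_controller(receiver, msgs):
    """Heater output per frame; a rejected frame leaves the last good output unchanged."""
    outputs, current = [], 0.0
    for m in msgs:
        t = receiver.accept(m)
        if t is not None:
            current = heater_output(t)
        outputs.append(current)
    return outputs


# Constructed scenario: the genuine sensor reports near setpoint, then an attacker with an
# RF transceiver injects "20 C" and finally replays an old genuine frame.
SENSOR_ID, KEY = 0x0101, b"per-sensor-key-provisioned-at-install"  # hypothetical
LEGIT = [(1, 79.5), (2, 80.2), (3, 80.0)]  # (counter, temperature)
INJECTED_TEMP = 20.0

if __name__ == "__main__":
    print("naive:", naive_controller([t for _, t in LEGIT] + [INJECTED_TEMP]))
    rx = AuthenticatedReceiver({SENSOR_ID: KEY})
    msgs = [encode_reading(SENSOR_ID, c, t, KEY) for c, t in LEGIT]
    msgs.append(encode_reading(SENSOR_ID, 4, INJECTED_TEMP, b"attacker-has-no-key"))
    msgs.append(msgs[0])  # replay of an old genuine frame
    print("hardened:", hardened_controller(rx, msgs))
    print("rejected:", rx.rejected)
```

The plausibility check matters even once frames are authenticated: a stolen or poorly provisioned key lets an attacker sign anything, and a reading that drops 60 degrees between two samples should still be treated as a sensor fault or an attack rather than fed straight into the loop.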

After reviewing the security of several widely used industrial wireless devices, they concluded [pdf] that device vendors have only a "vague concern" about security, that faulty implementations could let an outsider compromise the network, and that some vulnerabilities are "due to contradictions in their documentation relating to security features." They also warned that an attacker can remotely and wirelessly exploit a memory corruption vulnerability that could "disable all the sensor nodes and forever shut down an entire facility."

Follow me on Twitter @PrivacyFanatic

Copyright © 2013 IDG Communications, Inc.