US regulators have warned electricity utilities to protect themselves from hacking attacks involving a simpler variation of the Stuxnet program that damaged Iran’s nuclear infrastructure last year.
The attacks target a common type of programmable equipment that is used to control power generation as well as various factory processes.
The North American Electric Reliability Corporation (Nerc) issued an alert hours before a security researcher showed at the Black Hat security conference in Las Vegas last week that he could break into programmable logic controllers – computers that control automated processes – made by Siemens even if they were protected by passwords. Other researchers at the conference said criminals and intelligence agencies would be able to use the internet to hack into controllers made by other companies as well.
Researcher Dillon Beresford of NSS Labs warned of widespread vulnerabilities in machines that are installed in tens of thousands of utilities and other industries. Siemens has fixed some of the issues – though it is up to customers to install the patches – and has begun work on others.
“We have an ongoing process to develop mitigation strategies and will post these to our service and support website on testing and completion,” Frank Garrabrant, a Siemens industry automation official, said in a written statement.
With the recommendations to utilities in the US and Canada, “we will take some of that risk off the table”, said Tim Roxey, Nerc director of risk assessment. “The true solution is clearly not in the short term, it is mid to long term at a minimum”.
Some of the problems will take years to fix. Siemens’ machinery is set up to be able to communicate with similar controllers from General Electric and Honeywell. The industry standards do not call for those transmissions to be encrypted, which makes them easier targets for hackers.
Controllers had been ignored by hackers and researchers for decades because they relied on specialised programming languages and were often not connected to the internet.
That changed last year, when Iran conceded that its nuclear programme had been damaged by the malicious Stuxnet program, which infected hundreds of thousands of personal computers and spread itself as it looked for the small number that had Siemens software installed. Once it found that software, known as Step7, it looked for a certain configuration that would appear only with a specific kind of centrifuge. Then it issued commands that disabled them and hid its tracks.
Stuxnet has been called the first true cyberweapon. But Mr Beresford said his research showed that similar attacks would not need to be nearly as complex. Among other things, he found that he could bypass the Step7 software and issue commands to the equipment directly, assuming that the facility’s network was connected to the internet. If the facility was isolated, it could be penetrated with a handheld storage device.
“It is only a matter of time before criminal elements get their hands on this type of code,” he said. “We need better access controls” on the equipment.
John Pollet, whose Red Tiger Security has performed security audits for oil and gas companies for years, said that Mr Beresford had “opened a can of worms”.
“There is a systemic problem across all control-system vendors”, Mr Pollet said. “We as an industry did it to ourselves by begging for open systems and protocols. Now the pendulum has started swinging back – we need to ask for secure systems.”