Published time: October 17, 2013 20:55
The Vermont Yankee nuclear power plant in Vernon (Reuters/Brian Snyder)
New research revealed this week shows that many of the nation’s vital infrastructure systems are more vulnerable to cyberattacks than previously expected.
In fact, researchers Chris Sistrunk and Adam Crain have
discovered 25 different security system weaknesses that could
potentially permit hackers to sabotage or crash servers that
control water systems and electric substations.
Throughout the course of their research, Sistrunk and Crain
discovered that the products of more than 20 vendors had
significant security vulnerabilities. Hackers could, for example,
crash a power station’s master server by guiding it into an
infinite loop, or cause power outages by remotely injecting their
own make-shift code into a server.
“Every substation is controlled by the master, which is
controlled by the operator,” Sistrunk told Wired, which broke
the story. “If you have control of the master, you have
control of the whole system, and you can turn on and off power at
These security holes have generally been found in serial and
networking devices used to communicate between servers and
substations. Since most efforts have gone into preventing
cyberattacks via IP networks, the possibility of a security
breach through serial communication products has generally been
deemed as less of a risk. The truth of the matter, as Crain tells
it, is that hacking into a power system via serial communication
devices may be easier than going through the internet.
Part of the reason why is that substations generally have very
lax security; they are rarely manned and often surrounded only by
a fence and monitored by a security camera. If physical access
isn’t possible, hackers could crack into a utility’s wireless
radio network and use that as a means for delivery.
“If someone tries to breach the control center through the
Internet, they have to bypass layers of firewalls,” Crain
said. “But someone could go out to a remote substation that
has very little physical security and get on the network and take
out hundreds of substations potentially. And they don’t
necessarily have to get into the substation either.”
Of the more than two dozen vulnerabilities discovered, vendors
have released security patches for nine of them. Bafflingly,
however, many utilities have yet to install them because they
underestimate the potential risk of attack. The fact that the
security standards established by theNorth American Electric
Reliability Corporation focus solely on IP communication also
makes the problem worse.
In an attempt to raise awareness about the issue, the Industrial
Control Systems Cyber Emergency Response Team (ICS-CERT) has
issued multiple reports on the security weaknesses. Additionally,
Crain and Sistrunk will speak on their research during Florida’s
S4 security conference in January.