Glaring holes in industrial software could allow hackers to gain partial control or even cause physical destruction at power plants, refineries and more -- further exposing the recently discovered weak underbelly of the nation’s infrastructure, a security analyst said.
Dillon Beresford, a researcher who works for NSS Labs in Texas, identified the latest holes last Wednesday in the specialized Siemens software -- called "supervisory control and data acquisition" systems, or SCADA -- that runs industrial power plants, factories and other infrastructure.
Siemens announced plans to patch the holes last Thursday.
Not good enough, Beresford said Monday.
“The proposed 'security feature' that Siemens recommended was bypassed within 45 minutes,” Beresford wrote in an open letter on a chat board about security software. “I knew the feature was flawed from the moment they proposed the solution and explained it to me.”
Just as the computers that ran Iran’s nuclear program were sabotaged and crippled by a cyber “super worm” virus -- called Stuxnet and loudly denounced by the Iranian government as a Western assault -- the software used to run much of America’s (and the world’s) industrial, transportation and power infrastructure including nuclear plants and even some airports -- is vulnerable to cyberattack.
The software systems are seemingly esoteric, hardly off the shelf products one would find at the local computer store. But the issue is a serious one -- real enough that Homeland Security’s U.S. Cyber Emergency Response Team is attempting to help.
“DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) frequently engages with industry partners and members of the cybersecurity community to share actionable vulnerability information and mitigation measures in an effort to better secure our nation’s critical infrastructure,” a DHS official told FoxNews.com.
Following the discovery of the Stuxnet virus, security researchers have turned their probes on SCADA software from companies like Siemens, Iconics, 7-Technologies and others. In March, a slew of holes were uncovered in this type of software.
On the plus side, these systems are often isolated and hard to get to, rarely connected to the Internet for security purposes.
Still, the risk of infiltration remains, and active protection is a constant battle.
Beresford said he was aware of the danger of making such security flaws public. Last week, he backed off from a planned presentation at a security conference (“Chain Reactions -- Hacking SCADA”) at the last minute, citing the risks of revealing too much information.
“I am fully aware of the potential risk to ICS and the individuals operating these devices,” he wrote Monday. “The vulnerabilities are far reaching and affect every industrialized nation across the globe.”
Still, Beresford felt he needed to come forward to force the manufacturer to address the problem more quickly. Siemens told FoxNews.com that the flaws the researcher has uncovered lie only in certain modules, which are themselves protected by uncompromised security systems.
“Individual control modules do not represent IT security concepts of a plant or production lines,” said Wieland Siemens, a spokesman for Siemens. He noted that the flaws were found “under laboratory conditions and without an IT security measure in place,” and that in all cases, the system “ended up in a secure stop mode and stopped the manufacturing process.”
“There is no danger for the plant, for the workers and for the environment,” he added.
Beresford begs to differ.
“My personal apartment on the wrong side of town where I can hear gunshots at night hardly defines a special laboratory,” he argued.
“The clock is ticking and time is of the essence. I expect more from a company worth $80 billion -- and so do your customers,” he said.