Critical Infrastructure hacking.

Crackers have manipulated SCADA(supervisory control and data acquisition)  infrastructure which is used to monitor and control power plants, and can now remotely gain administrative privileges to solar power plants. The U.S Department of Homeland Security released an advisory stating this exploit specifically affects the company eSolar’s monitoring system. According to the statement there are numerous critical firmware vulnerabilities that are “easily” exploitable. The exploits included several SQL injections that compromised usernames and passwords that were stored in PLAIN TEXT. Although the exploits only affect this specific SCADA program, there could be vulnerabilities in several other SCADA programs as well. Similar to how wireless routers have a few universal usernames and passwords by default, SCADA systems do too. With inexperienced users installing the SCADA infrastructure, they’re bound to leave default passwords alone. Another huge security flaw with SCADA systems is that generally there is no encryption or authentication built in by default, or used along side the systems. What this means to an attacker, if they find the IP address that is connected to the SCADA web server they can do whatever they’d like to the system. It’s extremely feasible for an attacker to shut off electricity to an entire city. The most notable SCADA attack would be the Stuxnet malware on Iran’s centrifuges. If an water treatment plant was shutdown or a electric grid powering critical medical equipment was tampered with there would be an nation wide outcry of “why wasn’t this though of beforehand?”. Security is no longer an option is a necessity.

Sources: http://news.cnet.com/8301-27080_3-20087201-245/researchers-warn-of-scada-equipment-discoverable-via-google/

http://nakedsecurity.sophos.com/2012/10/12/hackers-exploit-code-photovoltaic-solar/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29

Advertisements

5 thoughts on “Critical Infrastructure hacking.

  1. Alright, hands up- who is really waiting for robotics to get going, and then see what happens?
    For me, the cool thing about a robot is it’s code that does something in the real world. Cracking in the real world is equally interesting for me. (Of course, I just got done reading Permutation City, so my head is a bit out there at the moment.) I have to wonder how many setups like this will try going offline (can’t crack it if it isn’t plugged in) or on an independent network. (something like the formal milnet.)

  2. On another note, I just found out Kaspersky is currently developing SCADA security systems due to this large threat that everyone has known about for a while, but only recently decided to do anything for.

  3. It is a very scary thought knowing that there are people out there who could potentially control power plants, and even scarier that people would actually want to do this. It also doesn’t help that passwords for these systems are simply being stored in plain text. Default passwords are a bad thing to leave as well, especially on power plant systems.

  4. I’m not sure if I included this in class but the default passwords are similar to those used to wireless routers. So there’s a good chance user: admin, pass: admin would grant you access to some city’s electrial grid.

  5. It seems like a solution to this would be either risky or expensive or both. Maybe if they need easy access they could have a keycard system or some kind of physical accessor to be able to quickly gain control, but have it be physical so control can’t be accessed digitally… Whatever, the point is, systems like this should not be allowed to be sitting unprotected, not when there is such a huge impact on the public. This is what engineers are for!

Comments are closed.