The researchers, Adam Crain and Chris Sistrunk, discovered that products from more than 20 vendors had significant security vulnerabilities that hackers could use to wreak such havoc as guiding a power station’s master server into an infinite loop or causing outages by injecting code into a server, thereby allowing the attackers to open and close substation breakers.
“Every substation is controlled by the master, which is controlled by the operator,” Sistrunk told Wired, which broke the story. “If you have control of the master, you have control of the whole system, and you can turn on and off power at will."
Crain and Sistrunk submitted their findings to the Department of Homeland Security’s Industrial Control System Cyber Emergency Response Team, which worked with them to notify vendors of their vulnerabilities. While some of those vendors have issues patches, many vulnerabilities remain unpatched, and even affected utilities haven’t applied them.
Pete Lindstorm, VP of research at Spire Security, said during an email interview that, patches notwithstanding, pointing out all the vulnerabilities only makes it more likely that some of them will be exploited.
“If there is one thing our field has demonstrated, it is that cherry-picking vulnerabilities and fixing them in complex systems is not very effective,” said Lindstrom. “Vulnerabilities matter in the aggregate and when they are exploited. These folks are reducing the attacker cost and increasing likelihood, nothing more.”
Even if, in a best-case scenario, all the vendors in question issued patches, it’s highly unlikely that they’d be applied across the board, thus leaving some highlighted vulnerabilities exposed, added Lindstrom.
That said, affected utilities may want to get as many patches in place as they can before the end of the year, as Crain and Sistrunk told Wired that they plan to present their findings at the S4 industrial control systems security conference scheduled for January in Miami.
[Read how security standards from the National Institute of Standards and Technology can help build an information security program in "Do NIST Information Security Standards Matter?"]
The two aren’t the only researchers telling the world about potential weaknesses in critical infrastructure. Earlier this month, a team of three researchers from security vendor Trend Micro were at the Hack in the Box conference in Kuala Lumpur, Malaysia, to share with attendees how they were able to hijack automated identification systems on seagoing vessels, tampering with tracking efforts and even faking their own vessels.
The researchers--Marco Balduzzi and Kyle Wilhoit, both of whom are Trend Micro employees, and Alessandro Pasta, an independent researcher--have been looking for vulnerabilities that could give cyber attackers an in as the so-called Internet of Things continues to develop. They decided to conduct a thorough evaluation of the automated identification system (AIS) now used on an estimated 400,000 vessels worldwide, attacking it with software, hardware and radio frequency.
As Crain and Sistrunk did in working with DHS, the Trend Micro researchers took their findings to AIS oversight entities, and have been mostly dismissed despite their contention, in a blog post on their findings, that “users must not completely trust AIS, as attackers can actively use it for malicious deeds, such as piracy. In case of an attack, the final user (i.e. the captain) will not be able to distinguish between true and false information reported by the AIS transponder.”
Perhaps the Trend Micro team should heed the advice Lindstrom had for Crain and Sistrunk: “Any researcher who wants to truly make a difference should be looking for ways to reduce risk without the need to identify specific vulnerabilities,” he said. “There is a definite shift in looking for defensive technologies in security.”