LAS VEGAS--Not only are SCADA systems used to run power plants and other critical infrastructure lacking many security precautions to keep hackers out, operators sometimes practically advertise their wares on Google search, according to a demo today during a Black Hat conference workshop.
(Credit: Seth Rosenblatt/CNET)
It's likely that a nation-state was behind the development of Stuxnet, and that it took several years and a full-time team of operators to develop and control, according to Parker. Despite the fears sparked by Stuxnet--the first malware known to target SCADA systems--it could have done a lot more damage if it had been executed better, he said.
Most SCADA protocols do not use encryption or authentication, and they don't have access control built into them or the device itself, said Jonathan Pollet, fellow presenter and founder of Red Tiger Security. This means that when a PLC has a Web server and is connected to the Internet, anyone who can discover the Internet Protocol address can send commands to the device and the commands will be performed, he said.
That's like putting up a billboard saying SCADA (Supervisory Control and Data Acquisition) system here and, oh by the way, here are the keys to the front door.
Jonathan Pollet, founder and principal consultant at Red Tiger Security, and Daniel Michaud-Soucy, Red Tiger Security systems engineer.
"You can make it do anything you want it to do," Pollet said. "If that RTU or PLC has large motors connected to it, pumping out water or chemicals, the equipment could be turned off. If it was a substation and the power recloser switches were closed, we could break it open and create an (electricity) outage for an entire area or city...The bottom line is you could cause physical damage to whatever is connected to that PLC."
To know exactly what to search for on the Internet, the researchers bought a PLC with an embedded Web server that had an identifying string of characters associated with the hardware and then typed that information into Google, according to Pollet.
But Stuxnet has raised awareness in the general public and within companies running critical infrastructure systems and scared some of them enough to beef up their security. "Stuxnet created an interest in the community to learn more about vulnerabilities and SCADA systems," said Pollet. "We've seen direct impact in our customers being able to get funding to secure their SCADA systems."
"This shouldn't even be on the Internet. It's an active substation," he said. "This equipment should not be on the Internet."
"You can do a Google search with your Web browser and start operating [circuit] breakers, potentially," Parker, chief technology officer at security consultancy FusionX, told CNET in a break during the workshop on "Building, Attacking And Defending SCADA Systems in the Age of Stuxnet."
While Stuxnet appears to have run its course and had minimal impact, SCADA systems are at risk from vulnerabilities and exploits in general, the U.S. ICS-CERT (Industrial Control System Computer Emergency Response Team) has warned.
Black Hat sessions begin tomorrow and run through Thursday. The event is followed by DefCon, which runs Friday through the weekend.
Tom Parker, chief technology officer at FusionX, explaining in detail how SCADA systems are controlled.
While SCADA security has been an issue for decades, as legacy systems have been connected to the Internet and remote technologies have emerged, Pollet and Parker agreed that interest has peaked since last year with the emergence of Stuxnet, a worm that spreads via holes in Windows but specifically targets Siemens SCADA systems and uses other sophisticated methods. Experts theorize that Stuxnet was designed to sabotage Iran's nuclear development program.
"There was a lot in the press about the sky is falling," he said. "The idea of this [workshop discussion] was to demonstrate the amount of effort that would have to go into that operation. There are so many moving parts...discrete separate systems [and other elements] to that type of attack, that it would be extremely challenging to pull off."
Public Google search results showing SCADA systems and passwords.
Acknowledging that he wouldn't click on any link results to avoid breaking the law by accessing a network without authorization, researcher Tom Parker typed in some search terms associated with a Programmable Logic Controller (PLC), an embedded computer used for automating functions of electromechanical processes. Among the results was one referencing an "RTU pump status" for a Remote Terminal Unit, like those used in water treatment plants and pipelines, that appeared to be connected to the Internet. The result also included a password--"1234."
Pollet discovered on the Internet an ABB transformer running an electricity substation in the United Kingdom earlier this year with no password required and notified the utility company. "You could see [circuit] breaker statuses, see the last time it was worked on, the status of the transformer," he said, doing a quick Google search for the device. "It's still on the Internet but now they prompt for a password," he said, finding the link.