Security Flaws Could Give Hackers Control Of Power Plants And Oil Rigs

Apr 04, 2014

Power plants, oil rigs and refineries could be at risk from hackers, new research shows, as there are vital bugs in their software that could allow an outsider to gain remote access.

Around the world about 7,600 plants are using the vulnerable software that could allow an attacker with the "lowest skill in hacking" to exploit them.

See: State-sponsored hacks targeting journalists

The software, named Centum CS 3000, was first released to run on Windows 98 and is used to monitor and control the heavy machinery in many of the globe's large industrial installations.

"We went from zero to total compromise," Juan Vasquez, from security firm Rapid7, told the BBC.

"If you have control of that station as an attacker you have the same level of control as someone standing on the plant floor wearing a security badge," added his colleague Julian Diaz who aided in the discovery.

Rapid7's discovery has caused the Computer Emergency Response Team (CERT) of the US Homeland Security Department to issue an alert about the vulnerabilities.

Yokogawa, the designer of the software, has said that not all users of Centum CS 3000 need to apply patches immediately, and that it depends on how their systems are connected externally.

CERT teams in a number of countries have been spreading the alerts, though the UK's new team refused to comment on the issue.

Though the threat the bugs posed had been proven in laboratory conditions, Vasquez impressed, there was no evidence that online attackers are actively seeking to abuse them.

Related: The cyber-crime industry could be bigger than Google, Apple and Facebook

If anyone did gain access to a large piece of machinery, he added, they would probably be thwarted by a lack of knowledge on how to operate the complex systems.

Mark O'Neill, also speaking to the BBC, disagreed: "Security through obscurity is really no security at all," he said, before adding that it might be some time before the software can be patched or replaced, due to the ancient code that industrial equipment runs..

 




Author: Alex Hamilton
View the original article here.
Published under license from ITProPortal.com
Business / CERT / hacking / Industry / ITProPortal / Partners / Technology

Comment

 

Understanding the risks and rewards of public sector cloud 

Download the Whitepaper now

Partner

24Newswire
Sign up to receive latest news

Twitter Feed

Why does pubsec ICT PR firm @MantisPR want to be at the upcoming #eventcentreUK THINK Digital Vendors 2016 event? https://t.co/3tE5o7aMmO
@24nbiz
Apr 01, 2016
@thinkdigicon supporter @Adv365 sets out its stall for tomorrow's landmark #gcloud event https://t.co/FQraJP2yyg
@24nbiz
Mar 21, 2016
@thinkdigicon supporter @Adv365 explains why it's supporting tomorrow's show https://t.co/2Wj3UECo9s
@24nbiz
Mar 21, 2016
@24n.biz: what's the final agenda for tomorrow's @thinkdigicon #gcloud @GOVUKdigimkt show? https://t.co/6CASi8lrnU
@24nbiz
Mar 21, 2016