Cybersecurity researchers next week will demonstrate how hackers can potentially wreak havoc on critical US infrastructure, even causing explosions by altering the readings on wireless sensors used by the oil and gas industry.
The presentations at the Black Hat conference beginning in Las Vegas on Wednesday will show how key industries remain vulnerable to cyber attacks, in part because companies are reluctant to replace expensive equipment or install new safeguards unless ordered to do so by regulators or offered economic incentives, experts say.
Just 18 hours after security researcher Kyle Wilhoit connected two dummy industrial control systems and one real one to the Internet, someone began attacking one of them, and things soon got worse. Over the course of the experiment, conducted during December 2012, a series of sophisticated attacks were mounted on the “honeypots,” which Wilhoit set up to find out how often malicious hackers target industrial infrastructure.
A critical vulnerability discovered in an industrial control system used widely by the military, hospitals and others would allow attackers to remotely control electronic door locks, lighting systems, elevators, electricity and boiler systems, video surveillance cameras, alarms and other critical building facilities, say two security researchers.
A security researcher claims that he found 23 vulnerabilities in industrial control software from several vendors after a different security company last week showcased vulnerabilities in applications from some of the same manufacturers, but chose not to report them.
Security researcher Reid Wightman from the firm ioActive has found an undocumented back door in CoDeSys, the management software used by 261 different manufacturers of ICS devices. The back door gives full access without requiring authentication and has prompted the US Department of Homeland Security's ICS-CERT to issue an alert (PDF).