
US security firm uncovers SCADA threats to power plants and oil refineries

A US security research organisation says it has discovered methods hackers could use to sabotage power plants, oil refineries or manufacturing operations.

"This is a global problem. There are no fixes to this right now and bad guys would be able to cause real environmental and physical problems and possibly loss of life," said Rick Moy, chief executive at US computer security research firm NSS Labs, according to AFP reports.

NSS Labs says it shared its findings on supervisory control and data acquisition (SCADA) system vulnerabilities with the US Computer Emergency Readiness Team (CERT). NSS added that it was briefing industrial facilities, but was revealing little publicly out of concerns for safety.

NSS researcher Dillon Beresford reported finding "multiple vulnerabilities" in Siemens programmable logic controllers (PLCs) targeted by the Stuxnet worm.

The controllers are used in plants worldwide to regulate variables such as temperature, pressure and centrifuge speed, as they were in the Iranian nuclear facilities targeted by Stuxnet.

While Stuxnet targeted PLCs through operating system software, NSS researchers found ways to reprogram the devices directly if they can be reached on a network.

NSS Labs has also challenged the widely held belief that Stuxnet was created at huge cost by a nation state.

According to NSS Labs, it took researchers less than three months to come up with attacks on the controllers, on a budget of less than $3,000.

Siemens has played down concerns that an attack could be pulled off outside a lab and said it was working to address the vulnerabilities.
