Control systems vulnerabilities revealed at Black Hat 2015


Monday, 10 August, 2015

Researchers have disclosed critical vulnerabilities in technologies that are actively used in industrial control systems, such as in substations, factories, refineries, ports and other areas of industrial automation.

Announced at the Black Hat USA 2015 conference, the flaws currently reside in systems that could facilitate shutdown of a plant or process, or force an industrial control system into an unknown and hazardous state.

Researcher Robert M Lee, a co-founder of Dragos Security and active-duty US Air Force Cyber Warfare Operations Officer, said that he believed with "great confidence" that these attacks are happening in the wild, but that they were most likely being overlooked simply because "folks aren't noticing".

The researchers described how these industrial systems can be compromised by a man-in-the-middle (MITM) attack to cause havoc on live processes, sending wrong, spoofed, fake or incorrect data.

The problems lie in the fact that industrial system protocols generally lack authentication or cryptographic integrity; the researchers listed a smorgasbord of attack vectors, including unauthenticated updates, CSS attacks, clear text passwords and much more.

Their presentation, Switches Get Stitches, focuses on the DCS, PCS, ICS and SCADA switches of four vendors: Siemens, GE, Garrettcom and Opengear.

In their presentation, they go over 11 vulnerabilities across five different product families belonging to the four vendors, though the researchers stressed that the problems they're finding are not limited to these vendors.

The researchers said that they are only showing 11 vulnerabilities because they didn't have enough time to present more.

While the researchers said the vulnerabilities have been responsibly disclosed to the vendors, SCADA/ICS patching in live environments tends to take 1–3 years — and these fixes need to happen ASAP.

Because of this patching lag, the researchers are providing live mitigations that owners and operators can use immediately to protect themselves.

Researcher Eireann Leverett said they want to dispel the perception that people are helpless in light of vulnerabilities, and the notion that we must wait for vendors to save us. "Defence is doable," he said.

"We shouldn't have to rely on vendors to patch."

For those interested, the presentation slides can be accessed at the Black Hat 2015 briefings page.

Source: ZDNet.
