The advisories concern vulnerabilities in the communication protocol used by power and water utilities to remotely monitor control stations around the country. Using those vulnerabilities, an attacker at a single, unmanned power substation could inflict a widespread power outage.
Still, the two engineers who discovered the vulnerability say little is being done.
Adam Crain and Chris Sistrunk do not specialize in security. The engineers say they hardly qualify as security researchers. But seven months ago, Mr. Crain wrote software to look for defects in an open-source software program. The program targeted a very specific communications protocol called DNP3, which is predominantly used by electric and water companies, and plays a crucial role in so-called S.C.A.D.A. (supervisory control and data acquisition) systems. Utility companies use S.C.A.D.A. systems to monitor far-flung power stations from a control center, in part because it allows them to remotely diagnose problems rather than wait for a technician to physically drive out to a station and fix it.
New research revealed this week shows that many of the nation’s vital infrastructure systems are more vulnerable to cyberattacks than previously expected.
In fact, researchers Chris Sistrunk and Adam Crain have discovered 25 different security system weaknesses that could potentially permit hackers to sabotage or crash servers that control water systems and electric substations.
Throughout the course of their research, Sistrunk and Crain discovered that the products of more than 20 vendors had significant security vulnerabilities. Hackers could, for example, crash a power station's master server by driving it into an infinite loop, or cause power outages by remotely injecting their own makeshift code into a server.
These security holes have generally been found in the serial and networking devices used to communicate between servers and substations. Since most defensive effort has gone into preventing cyberattacks over IP networks, the possibility of a breach through serial communication products has generally been deemed less of a risk. The truth of the matter, as Crain tells it, is that hacking into a power system via serial communication devices may be easier than going through the internet.
What makes the vulnerabilities particularly troubling, experts say, is that traditional firewalls are ill-equipped to stop them. “When the master crashes it can no longer monitor or control any and all of the substations,” said Dale Peterson, a former N.S.A. employee who founded Digital Bond, a security firm that focuses on infrastructure. “There is no way to stop this with a firewall and other perimeter security device today. You have to let DNP3 responses through.”
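The articles above describe two things without showing either: a fuzzer that feeds defective DNP3 to an implementation, and a master that crashes on a malformed response that a firewall has to let through. The following is an added example, not code from the articles, from Crain and Sistrunk's tool, or from any vendor: a DNP3 link-layer frame encoder and a defensive decoder (bounds-checked length field, header and data-block CRC-16/DNP, exact-size check before any slicing), plus a small mutation fuzzer that hammers the decoder with corrupted frames and counts anything other than a clean accept or reject as the kind of defect a master could crash on. The frame layout (0x05 0x64 start, one-byte length covering control, destination, source and user data, 16-byte data blocks each followed by a CRC sent low byte first) follows the public DNP3 link-layer format; the sample frames and the mutation strategy are constructed for this example.

```python
import random

START = b"\x05\x64"
MIN_LEN, MAX_LEN = 5, 255   # link LENGTH field counts CTRL + DST + SRC + user data
BLOCK = 16                   # user data is CRC-checked in blocks of up to 16 bytes


class FrameError(ValueError):
    """Any malformed frame: a master should log and discard it, never loop or crash."""


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, reflected, final XOR 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(ctrl: int, dst: int, src: int, user: bytes) -> bytes:
    """Encode one link frame; every CRC is appended low byte first."""
    if len(user) > MAX_LEN - MIN_LEN:
        raise ValueError("user data too long for one frame")
    hdr = (START + bytes([MIN_LEN + len(user), ctrl])
           + dst.to_bytes(2, "little") + src.to_bytes(2, "little"))
    out = bytearray(hdr + crc16_dnp(hdr).to_bytes(2, "little"))
    for i in range(0, len(user), BLOCK):
        blk = user[i:i + BLOCK]
        out += blk + crc16_dnp(blk).to_bytes(2, "little")
    return bytes(out)


def parse_frame(buf: bytes) -> dict:
    """Decode one link frame; each field is range- and CRC-checked before it is trusted."""
    if len(buf) < 10:
        raise FrameError("truncated header")
    if buf[:2] != START:
        raise FrameError("bad start bytes")
    length = buf[2]
    if not MIN_LEN <= length <= MAX_LEN:
        raise FrameError(f"length {length} out of range")
    if crc16_dnp(buf[:8]) != int.from_bytes(buf[8:10], "little"):
        raise FrameError("header CRC mismatch")
    n_user = length - MIN_LEN
    n_blocks = (n_user + BLOCK - 1) // BLOCK
    expected = 10 + n_user + 2 * n_blocks
    if len(buf) != expected:           # the length byte must agree with what actually arrived
        raise FrameError(f"frame is {len(buf)} bytes, header implies {expected}")
    user = bytearray()
    pos = 10
    for _ in range(n_blocks):
        take = min(BLOCK, n_user - len(user))
        blk = buf[pos:pos + take]
        if crc16_dnp(blk) != int.from_bytes(buf[pos + take:pos + take + 2], "little"):
            raise FrameError("data block CRC mismatch")
        user += blk
        pos += take + 2
    return {"ctrl": buf[3], "dst": int.from_bytes(buf[4:6], "little"),
            "src": int.from_bytes(buf[6:8], "little"), "user": bytes(user)}


def rejects(buf: bytes) -> bool:
    """True if the decoder cleanly refuses the frame (the behaviour a master needs)."""
    try:
        parse_frame(buf)
        return False
    except FrameError:
        return True


def fuzz(frame: bytes, rounds: int = 500, seed: int = 1) -> dict:
    """Mutation fuzzer: flip bits, insert and drop bytes in a valid frame, and record
    whether the decoder accepted, rejected, or raised something unexpected ("crashed")."""
    rng = random.Random(seed)
    stats = {"accepted": 0, "rejected": 0, "crashed": 0}
    for _ in range(rounds):
        m = bytearray(frame)
        for _ in range(rng.randint(1, 4)):
            op = rng.random()
            if op < 0.5:
                m[rng.randrange(len(m))] ^= 1 << rng.randrange(8)
            elif op < 0.75:
                m.insert(rng.randrange(len(m) + 1), rng.randrange(256))
            elif len(m) > 1:
                del m[rng.randrange(len(m))]
        try:
            parse_frame(bytes(m))
            stats["accepted"] += 1
        except FrameError:
            stats["rejected"] += 1
        except Exception:               # IndexError, infinite work, etc.: a real defect
            stats["crashed"] += 1
    return stats


if __name__ == "__main__":
    # Constructed sample: a 20-byte response from outstation 1024 to master 1.
    sample = build_frame(0xC4, 1, 1024, bytes(range(20)))
    print(parse_frame(sample))
    print(fuzz(sample))
```

The point of the exact-size check and of computing the block count from the length byte is that a decoder which instead loops "until the data runs out" on a corrupted length is exactly the kind of code a fuzzer finds and an attacker on a serial link or an allowed DNP3 port can trigger; the fuzzer's "crashed" counter is what a vendor would want to stay at zero across runs.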