
Two engineers discover massive vulnerabilities in US Power and Water Grid.



posted on Oct, 22 2013 @ 02:53 AM
Seems like an ATS-style topic. These particular news pieces came out a couple of days ago, so I wonder why this has not reached here yet. The actual discovery happened 7 months ago, but the research came out this week. Could not find threads on the matter, so I hope I am not making a second thread on this.

The advisories concern vulnerabilities in the communication protocol used by power and water utilities to remotely monitor control stations around the country. Using those vulnerabilities, an attacker at a single, unmanned power substation could inflict a widespread power outage.

Still, the two engineers who discovered the vulnerability say little is being done.

Adam Crain and Chris Sistrunk do not specialize in security. The engineers say they hardly qualify as security researchers. But seven months ago, Mr. Crain wrote software to look for defects in an open-source software program. The program targeted a very specific communications protocol called DNP3, which is predominantly used by electric and water companies, and plays a crucial role in so-called S.C.A.D.A. (supervisory control and data acquisition) systems. Utility companies use S.C.A.D.A. systems to monitor far-flung power stations from a control center, in part because it allows them to remotely diagnose problems rather than wait for a technician to physically drive out to a station and fix it.

New research revealed this week shows that many of the nation’s vital infrastructure systems are more vulnerable to cyberattacks than previously expected.

In fact, researchers Chris Sistrunk and Adam Crain have discovered 25 different security system weaknesses that could potentially permit hackers to sabotage or crash servers that control water systems and electric substations.

Throughout the course of their research, Sistrunk and Crain discovered that the products of more than 20 vendors had significant security vulnerabilities. Hackers could, for example, crash a power station’s master server by guiding it into an infinite loop, or cause power outages by remotely injecting their own make-shift code into a server.

These security holes have generally been found in serial and networking devices used to communicate between servers and substations. Since most efforts have gone into preventing cyberattacks via IP networks, the possibility of a security breach through serial communication products has generally been deemed as less of a risk. The truth of the matter, as Crain tells it, is that hacking into a power system via serial communication devices may be easier than going through the internet.

What makes the vulnerabilities particularly troubling, experts say, is that traditional firewalls are ill-equipped to stop them. “When the master crashes it can no longer monitor or control any and all of the substations,” said Dale Peterson, a former N.S.A. employee who founded Digital Bond, a security firm that focuses on infrastructure. “There is no way to stop this with a firewall and other perimeter security device today. You have to let DNP3 responses through.”

This seems like a very important issue to deal with. Electricity and water are both vital utilities nowadays. Recently there have been several threads on possible power grid failure and concerns about the upcoming national drill. This might add even more fuel to the conspiracies.

Hopefully these problems will be fixed soon, although what is troubling in my eyes is the leak in the media. I wonder how many people might actually be trying to find the weaknesses currently, as they know these are in serial communications, some of them definitely not with good intentions, although I seriously hope these vulnerabilities will be fixed before someone manages to exploit them.
edit on 22-10-2013 by Cabin because: (no reason given)

posted on Oct, 22 2013 @ 03:01 AM
reply to post by Cabin

Hope the terrorists don't get that newspaper delivered.

posted on Oct, 22 2013 @ 03:13 AM
reply to post by Cabin

Probably meant to be that way. It's not for the random hacker in Russia living in his mom's basement. It's simply so that when the time is right they can shut it all down and then scramble the whole system so it would be very difficult if not impossible to turn everything back on. That's my best guess.

posted on Oct, 22 2013 @ 04:36 AM
Great move, going public would be a whole lot easier than spray painting "ATTACK HERE" in big letters all over the infrastructure, which is pretty much what they've done.

Who publicly broadcasts sensitive info like this? It goes to show that intelligence and common sense are not mutually exclusive.
