Hackers Identify Weak Link in Thousands of Industrial Control Systems

When we think about cyberattacks against infrastructure, thanks to hyperbolic and unrealistic Hollywood flicks, we think of exploding nuclear plants or blacked out cities. But in reality, hackers could cause much more damage with subtler attacks, even without targeting critical infrastructure.

For example, a hacker might change the chemical composition of a popular medication drug during its preparation stage at a pharmaceutical plant—without anyone noticing—and kill thousands of people, according to Robert Lee, a security researcher and a PhD candidate researching cyber security at King's College in London.

While that's an unlikely, worst case kind of scenario, it's theoretically possible because the backbone networks supporting thousands of industrial control systems around the world, think of water and electricity distribution facilities, automated bridges, oil rigs, and different types of factories, all have a common weak link: their network switches.

These switches, which tunnel data around in several industrial processes, are often overlooked when thinking about potential cyberattacks against infrastructure. But they are a critical point of failure.

"If you own the network switch you don't have to even go after other devices," Lee told Motherboard in a phone interview. "An adversary that can get on the switch and own the switch, can own everything on that network and do anything they'd like with it."

As it turns out, popular network switches made by Siemens, GE, Garrettcom and Opengear, have flaws that make them easy to hack, according to new research by Colin Cassidy, Eireann Leverett, and Lee himself. The three plan to show their findings at the security and hacking conferences Black Hat and Def Con in Las Vegas next week.

If malicious hackers can break into a switch, for example by phishing someone who's on the same network, then the hackers can steal data, manipulate it, or just study the industrial process to learn how to sabotage it at a later stage, Cassidy, a security consultant for IOActive, told Motherboard.

At that point, pretty much everything is possible, depending on what's the system these switches help control, Cassidy said.

In an electrical substation, for example, a hacker could alter the flow of current and potentially damage a transformer or small piece of equipment. In a chemical plant, a hacker might block alarms from going off when things go wrong, or make controllers believe things are going wrong and prompt them to shut down the facility when everything is actually fine.

Some of the effects of such hacks might just amount to annoying disruptions, but the possibility to do real damage is there.

"If you can change what's actually going on in the facility," Lee said, "As a byproduct you can achieve physical destruction, you can achieve loss of life."

That, for the researchers, is the worst case scenario. That's when malicious hackers have a chance to study the flow of data through an industrial system and learn how that system works before altering and manipulating the data and the process.

The good news is that the researchers have been alerting vendors about these issues, and some of them have issued patches more or less swiftly (though those need to be actually deployed, which might be a challenge).

But the researchers plan to teach Black Hat attendees how to detect and mitigate these attacks, even if the switches are vulnerable. One of the possible techniques, Lee explained, is create patterns to identify when an attack is ongoing, allowing network defenders to kick out the intruders.

All in all, despite the doomy and gloomy scenarios, the researchers are optimistic. Some of the vendors have been very responsive, and the researchers hope that by highlighting these issues, the switches of the future will be designed with security in mind.

Leverett, a researcher at the University of Cambridge Centre for Risk Studies who

found

10,000 control systems connected to the internet in 2012, told Motherboard that because of the work him and his colleagues are doing, "I have a lot of hope for the future that the networks that we deploy will be longer lasting and more robust—and safer."