Terrorists could easily sabotage large portions of the nation's critical infrastructure. Security is so weak in many industrial control systems that even an average hacker could shut down water and power plants, damage nuclear facilities and freeze automobile and aircraft assembly lines.
The threat is so real that right or wrong, some security experts are publicly disclosing the weakest links to force action.
The Security Renegades
Leading the renegades is Dale Peterson, founder of Sunrise, Fla.-based Digital Bond, which specializes in monitor, control and alarm systems for industrial plants. Peterson runs Project Basecamp, in which researchers demonstrate the fragility of critical control systems.
Basecamp's latest target was Germany-based Smart Software Solutions, better known as 3S. Peterson's commandos found major vulnerabilities in 3S' CoDeSys, a software tool for programmable logic controllers (PLCs), which are computers that automate industrial tasks, such as operating valves. More than 250 ICS makers use CoDeSys.
The vulnerabilities would give access to the PLC upload code without an ID or password. That means a hacker would have full control of a controller. In exposing the weakness, Basecamp researchers also released exploit tools so 3S customers could test the vulnerabilities themselves.
The Department of Homeland Security responded with an alert that recommended manufacturers "take defensive measures to minimize the risk of exploitation of these vulnerabilities."
Tuesday, 3S confirmed the problem, saying, "We take this issue very seriously and are currently working on a solution."
At the same time, the company acknowledged that securing its products against cyber attacks was not its focus. "In general, we do not offer any standard tools in CoDeSys which are to protect the controller from a serious cyber attack."
That attitude is exactly why Peterson launched Basecamp, which he insisted discloses vulnerabilities already known to hackers and the manufacturers. His goal is to get vendors to stop making industrial control products that are "insecure by design" and to fix what is already in use. So far, his strategy hasn't worked.
"They complain and everyone says that it shouldn't be made public, yet we still don't see it getting corrected," Peterson said.
Was Stuxnet Not Warning Enough?
What can happen when hackers gain access to an industrial control system was demonstrated in Iran in 2010. A virus dubbed Stuxnet was unleashed in an Iranian nuclear facility, damaging centrifuges used to enrich uranium. The New York Times reported that the U.S. and Israeli governments developed the malware together.
3S is not the first company targeted by Basecamp. The research group disclosed in January vulnerabilities in widely used PLCs made by General Electric, Rockwell Automation, Schneider Modicon, Koyo Electronics and Schweitzer Engineering Laboratories.
The researchers also have released exploit modules for some of the vulnerabilities in the popular Metasploit tool kit used by security experts and hackers.
Homeland Security does not support the work of groups like Basecamp. Marty Edwards, director of the department’s Control Systems Security Program, told Wired the agency "does not encourage the release of sensitive vulnerability information” until a solution is ready for distribution.
A 'Pre-9/11 Moment’
Partisan politics has prevented Congress from passing a cybersecurity bill to protect the nation from attacks on critical infrastructure. Lawmakers' inaction comes as the Obama administration warns that a strike can happen at anytime.
In a speech to a group of business leaders in New York this month, Defense Secretary Leon Panetta said the nation needed to heed the warning signs and bolster its cyber defenses to avoid another tragedy like the terrorist attack on Sept. 11, 2001. According to Panetta, the country is in a "pre-9/11 moment."
How far Congress will go to force manufacturers to secure industrial systems remains to be seen. Replacing or upgrading them would be expensive and companies would lobby hard against laws that would force them to make changes.
"We've been very disappointed in the Department of Homeland Security and the U.S. government," Peterson said. "They have not said out loud that these devices are vulnerable and need to be replaced." Peterson said he'll continue exposing security weaknesses.
His efforts are unlikely to produce much more than an occasional headline. Creating national cyber defenses requires forceful government action, private-public interaction and cooperation among companies and industries not seen since World War II. Let’s hope that happens before we're hit again.