Just as the computers that ran Iran?s nuclear program were sabotaged and crippled by a cyber ?super worm? virus, the software used to run much of America?s industrial, transportation and power infrastructure — including nuclear power plants and major airports — is vulnerable to cyber attack, and two software companies have revealed dozens of successful hacks to prove it.
The issue lies in specialized software systems sold by Siemens, Iconics, 7-Technologies and others to power plants and other infrastructure. Called “supervisory control and data acquisition” systems, or SCADA, they run software solely for industrial use.
And it’s just as vulnerable as every other program on your PC, warned Eric Knapp, a director of critical infrastructure markets at NitroSecurity.
?These are specialized protocols used by the big industry giants,? Knapp told FoxNews.com. ?These protocols are very insecure.? More worrying are the kinds of systems that use this software. ?We?re talking nuclear facilities, large scale manufacturing, pharmaceuticals — essentially anything with automation anywhere runs these systems.?
Luckily, these systems are typically isolated and hard to get to, since many are not connected to the Internet for security purposes, Knapp explained. Still, the risk of infiltration remains, and active protection is a constant battle.
Such vulnerabilities have been in the spotlight since the discovery of Stuxnet last July, the computer worm that effectively took out Iran?s Bushehr nuclear reactor. Experts described Stuxnet as “the arrival of an F-35 into a World War I battlefield” — and the U.S. is equally at risk, they say.
?Are we vulnerable? If there is strong enough intent, then definitely,? Knapp warned. Indeed, the theory is all there; it?s simply down to a question of resources, he said.
Luigi Auriemma, one of the researchers who released the hacks that can be used to attack such specialized software packages, said he hoped his actions will attract proper attention to a growing problem. ?SCADA is a critical field but nobody really cares about it,? Auriemma told The Register. ?That?s also the reason why I have preferred to release these vulnerabilities.”
The release included proof-of-concept code that attacks 34 different SCADA vulnerabilities that span four industry vendors. Auriemma asserts that the attacks could allow cyber trespassers to execute code or access sensitive data.
Gleg, a Russian security firm, announced Agora SCADA+ just a week earlier — a product that attempts to organize all known SCADA vulnerabilities into a single bundle.
For Knapp, the challenge of keeping pace with such an evolving threat is the reality of life in a post-Stuxnet world.
?Stuxnet was pretty revolutionary in industrial-control-system security circles,? Knapp told FoxNews.com. ?It was the first cyber attack that actually took down an industrial process.?
The idea that a single computer worm could take out a nuclear facility can be hard to fathom, but the need to come to terms with this kind of power has never been more pressing, experts warned.
In the case of Stuxnet, the worm found its way into the secure area via portable USB drives. ?Post Stuxnet, people are obviously much more USB shy,? Knapp said. ?Attacks are getting more sophisticated. They?re finding new ways to get into networks — and some vendors are much better than others.?
Knapp recommends following cyber security best practices to ensure that systems are safe. But the most important advice of all?
“Assume the worst,” he said.