America's Stuxnet? Weakness found in systems used by Pentagon, power grid.
An amateur enthusiast has found evidence that hackers could exploit a security vulnerability in the systems of a company that serves power plants and military installations.
An amateur cybersecurity researcher who bought industrial computer networking equipment on eBay for fun has discovered a critical weakness in equipment that helps run railroads, power grids, and even military installations nationwide.
The vulnerability means that hackers or other nations could potentially take control of elements within crucial American infrastructure – from refineries to power plants to missile systems – sabotaging their ability to operate from within.
Analysts say the problem is likely fixable, but the enthusiast says he has gone public only because the company that manufactures the equipment, RuggedCom of Concord, Ontario, has declined to address the issue since he made it known to them a year ago.
"It's clearly a huge risk," says Dale Peterson, CEO of Digital Bond, a control systems security firm in Sunrise, Fla. "Anytime someone can take down your network infrastructure, essentially cause a loss of control of the process – or your ability to monitor it, very dangerous things can happen."
The vulnerability has to do with what is known as a digital “back door.” The back door is a secret login that allows the manufacturer to get into the equipment’s control systems without anyone knowing about it – even the purchaser. In theory, manufacturers could use their back doors to send updates to the equipment, but since they are secret, their use is not well known.
The discovery of back doors built into digital industrial control systems is not unprecedented. In fact, RuggedCom was recently acquired by a subsidiary of Siemens AG, the giant German industrial engineering company that has been criticized for using hidden, yet vulnerable, back doors in its control systems.
What is unusual is that RuggedCom’s equipment is often used as a digital fortress, protecting far more vulnerable systems, the ones that throw mechanical switches or close and open valves, from hackers. Also surprising, experts say, is that the password needed to enter through this back door appears to be relatively easy to hack.
If hackers can get through the back door of RuggedCom’s routers and digital switches, the entire system that they are a part of becomes vulnerable. For example, Stuxnet, the world's first publicly identified cyber super weapon, in 2009 wreaked havoc on Iran's nuclear centrifuge refining system by exploiting a password hidden inside a Siemens operating system.
"It is a very serious threat," says Robert Radvanovsky, a cybersecurity researcher and cofounder of Infracritical, a think tank focused on shoring up cyber weaknesses in critical infrastructure. "The big concern is that these devices are what connect to the control systems that run the substations where power gets routed."
RuggedCom sells “hardened” equipment designed to run around the clock in any temperature or weather condition. So it has a variety of clients seeking such robust machinery. Defense-industry customers mentioned on the RuggedCom website include big names like Boeing and Lockheed Martin, while power-industry customers include several of the nation's largest utilities – American Electric Power, National Grid, Pepco, and others. The systems are also used by transportation authorities in the cities of Houston, Lakeland, Fla., and in Washington State and Wisconsin.