How one man may have foiled a devastating cyberattack against America

Researcher Justin W. Clarke discovered a vulnerability in an industrial networking system used by American power grids and the Pentagon. Now, after public pressure, the manufacturer is promising a fix.

A cybersecurity researcher who discovered a critical security gap that could leave railroads, power grids, even military systems vulnerable has won a rare public "thank you" from the manufacturer of the vulnerable equipment.

Last April, Justin W. Clarke of San Francisco privately told RuggedCom, a Concord, Ontario, manufacturer of “hardened” industrial networking equipment designed to run in any temperature or weather condition, about a crucial vulnerability. If exploited, it could allow hackers or other nations to take control of elements within crucial American infrastructure that used the equipment.

RuggedCom customers include defense contractors such as Boeing and Lockheed Martin, as well as several of the nation's largest utilities. The systems are also used by transportation authorities in Houston and Lakeland, Fla., as well as in Washington State and Wisconsin.

Now, a week after Mr. Clarke brought public pressure to bear after deciding that RuggedCom was dragging its feet, it seems the important fix is going to happen.

"In the next few weeks, RuggedCom will be releasing new versions [of the company's] firmware that removes the undocumented factory account," Jim Slinowsky, vice president of marketing for RuggedCom, said in a press release late Friday.

"We thank the researcher, Justin W. Clarke, for reporting this vulnerability," the company said in a separate release a day earlier.

The vulnerability involved a "back door" in RuggedCom products – a secret factory login that could allow the manufacturer to enter the equipment’s control systems without anyone knowing. Clarke found out about the back door by buying RuggedCom equipment on eBay and testing it. He also discovered that the password protecting this back door was weak, meaning it could be easily hacked. 

In mid-April, about a year after Clarke told RuggedCom about the problem, the company told Clarke it would need three more weeks to notify customers, but it did not say whether it planned to fix the back door access with a firmware upgrade, Clarke says. Feeling the company might never fix the problem, Clarke decided to reveal the threat publicly. 

He reported the vulnerability to the US-Computer Emergency Readiness Team, a federal cyberwatchdog, which issued a vulnerability warning April 24. Its sister agency, which is focused on computerized industrial-control systems, also put out its own warning.

Soon after, industrial control-system security experts began blogging about the threat. 

"I didn't do this for money – I didn't get paid for this," Clarke told the Monitor in an interview last week. "I just wanted the problem fixed, and nothing I heard from the company ever indicated that would happen."
