And this is exactly the kind of thing the NSA is supposedly “protecting us from”.
Today, Sergey Gordeychik, the CTO of Positive Research, told IT News that he and his team of security scientists were able to successfully penetrate and manipulate the internal motherboards of SCADA systems at dozens of critical sites that span the globe.
For anyone out of the loop, SCADA systems are the computers and digital networks that control everything from solar panels to hydraulic dams, and even the programs that monitor steam turbines at nuclear facilities. They are absolutely critical to infrastructure, and if they were somehow compromised, it would have the potential to affect millions of people worldwide.
By cracking the encryption used to store passwords and access codes, researchers at the firm were able to dig straight into the vulnerable networks of power plants and water treatment facilities in multiple countries. More than 150 vulnerabilities were discovered in all, each with its own attack vector customized to a different model of PLC or SCADA logic board.
Another 60,000 ICS devices were also exposed in the breach, and although the risk for these machines is much lower (they primarily control computers used by personal home alarms), the danger of these loopholes falling into the wrong hands is still as real as ever.
Sergey elaborates further:
“We don’t have much experience in nuclear industry, but for energy, oil and gas, chemical and transportation sectors during our assessments project we demonstrated to owners how to get full control [of] industrial infrastructure with all the attendant risks.”
Out of all the major manufacturers of the controllers, so far Siemens is the only one to step forward and offer a patch for the affected systems that bear its name. Its security team was quick to respond, and released fixes that seal up any problem users might encounter with the SCALANCE X-200 series of switches.