Researchers warned that energy facilities and industrial plants of all kinds are vulnerable to destructive cyber attacks, in some cases with something as simple as a text message.
Frightening presentations at a prestigious Black Hat computer security conference were preceded by official alerts to energy producers detailing the weaknesses and urging steps be taken to beef up defenses.
“This is not just the United States, it is around the globe,” said Tim Roxey, director of risk assessment at the North American Electric Reliability Corporation (NERC) responsible for enforcement of industry standards.
“If somebody really has you in their sites, they’ve got you,” he said of the situation.
Black Hat presentations that triggered the NERC alerts revealed that “PLC” units that control basic factory functions ranging from turbines to valves or even sorting could be commandeered by hackers.
The point was to debunk myths of how it took a nation state with millions of dollars and teams of researchers to penetrate nuclear power plants in attacks by an infamous “Stuxnet” virus, according to NSS Labs security researcher Dillon Beresford.
Beresford described finding a way into PLCs made by Germany-based Siemens AG in a matter of weeks working in his bedroom.
A Siemens representative that took part in the presentation said the company has been working with researchers on the situation.
“It is not only nation states that have this capability, it is now in the hands of researchers and will inevitably get into malicious hands,” Beresford said.
“It could be some lone hacker,” he continued. “Most people with the time and resources could pull this off.”
Cyber attackers would need to get access to machines, which was said to be less daunting than it sounded, according to Beresford.
Research presented by iSEC Partners security consultant Don Bailey showed that mobile Internet connection cards used in some PLCs in remote locations could be given commands by text messages, provided the senders knew the numbers assigned to cards.
“We can talk about vulnerabilities in PLCs, GSM (mobile networks), or my socks,” Bailey said.
“But the talk has to be about the cost, and machine-to-machine communications exploding in the GSM world,” he continued.
Computers insulated from the internet by “air gaps” could find defenses breached by mobile connection cards used for long-distance monitoring or links to sensors that feed information to the Internet, according to Bailey’s research.