US standards body issues warning to energy suppliers over cyber attacks
A US energy industry standards body has warned suppliers to improve their defences against cyber attacks.
A US energy industry standards body has warned suppliers to improve their defences against cyber attacks.
The warning by the North American Electric Reliability Corporation (NERC) coincides with reports by IT security researchers of several vulnerabilities that could be used by hackers to sabotage power plants, oil refineries or manufacturing operations.
Dillon Beresford of US computer security research firm NSS Labs told attendees of last week's Black Hat security conference in Las Vegas that he could break into programmable logic controllers (PLCs) used by many utility companies.
Beresford, who was among several researchers at the conference presenting findings on PLCs, revealed in May that he had found multiple vulnerabilities in Siemens PLCs that were targeted by the Stuxnet worm.
He told attendees of the Black Hat conference that he had found ways to break in to the Siemens PLCs even if they were protected by passwords.
Other researchers at the conference said criminals and intelligence agencies would also be able to use the internet to hack into controllers made by other companies such as General Electric and Honeywell, according to the Financial Times.
The industry standards do not call for data transmissions between PLCs to be encrypted, which researchers say makes them easier targets for hackers.
While Stuxnet targeted PLCs through operating systems software, Beresford said he found ways to reprogram the devices directly if they could be reached on a network.
NSS Labs has also challenged the widely held belief that Stuxnet was created at huge cost by a nation state. Beresford claimed NSS researchers took less than three months to come up with attacks on the controllers, on a budget of less than $3,000.
Siemens has played down concerns that an attack could be pulled off outside a lab and said it was working to address the vulnerabilities.
NERC is taking the warnings seriously and hopes to reduce the risk by issuing security recommendations to utilities in the US and Canada.
Read more on IT risk management
-
What the world can learn from Saudi Arabia’s fight against industrial control system attacks
-
US government, security vendors warn of new ICS malware
-
Incontroller ICS malware has ‘rare, dangerous’ capabilities, says Mandiant
-
North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)