New methods put industrial sabotage in hackers’ reach

By Jordan Robertson

Associated Press


SAN JOSE, Calif. — When a computer attack hobbled Iran’s nuclear power plant last year, it was assumed to be by elite hacking professionals with some nation’s backing.

Yet key elements have now been replicated in laboratory settings by security experts with little time, money or specialized skill. That alarming development shows how technical advances are eroding the barrier that has long prevented computer assaults from leaping to the physical world.

Techniques demonstrated in recent months highlight the danger to power plants, water systems and other critical infrastructure.

“Things that sounded extremely unlikely a few years ago are now coming along,” said Scott Borg, director of the U.S. Cyber Consequences Unit, a nonprofit group that helps the U.S. government prepare for future attacks.

Attacks are increasing. The Idaho National Laboratory, home to secretive labs intended to protect power grids, water systems and other critical infrastructure, has responded to three times more computer attacks this year than last year, the Department of Homeland Security has revealed.

For years, ill-intentioned hackers have mused about wreaking havoc in industrial settings by burning out power plants, bursting oil and gas pipelines, or stalling manufacturing plants.

But they’ve lacked a way to take remote control of the electronic “controller” boxes for heavy machinery.

The attack on Iran, by a computer worm called Stuxnet, changed all that. Now, security experts — and presumably, malicious hackers — are racing to find weaknesses. They’ve found plenty.

New hacking techniques make all kinds of infrastructure — even prisons — more vulnerable.

Electronic controllers take computer commands and send instructions to machinery, such as regulating a conveyor belt’s speed.

Stuxnet, for example, was designed to damage centrifuges in the nuclear plant being built in Iran by affecting how fast the controllers instructed the centrifuges to spin.

Security researcher Dillon Beresford said it took him just two months and $20,000 in equipment to find more than a dozen vulnerabilities in the same type of electronic controllers used in Iran. Those let him take remote control of the devices and reprogram them.

“What all this is saying is you don’t have to be a nation-state to do this stuff. That’s very scary,” said Joe Weiss, an industrial control system expert.

Even prisons are vulnerable. One research team was allowed to inspect a correctional facility — it won’t say which one — and found vulnerabilities that would allow it to open and close the doors, suppress alarms and tamper with video surveillance feeds.

The researchers noticed controllers like the ones in Iran.

They said it was crucial to isolate critical control systems from the Internet to prevent such attacks.