Hackers say cracking power grid tech was easiest challenge yet

By Kristin Houser, Free Think

White hat hackers won $40,000 for cracking a system used by most major industrial companies, including the ones that manage our power grids — and they told MIT Technology Review it was ridiculously easy.

Credit: Zero Day Initiative / Pwn2Own

The challenge: Industrial control systems — the hardware and software used to control power grids, water treatment facilities,  and other critical infrastructure — are an alluring target for cybercriminals.

Because so many people rely on this infrastructure, hackers can ask for and receive large ransoms in exchange for ending an attack. Those motivated by politics, meanwhile, can weaken an enemy by disrupting its citizens’ access to electricity or water.

That’s made preventing attacks on industrial control systems a top concern for cybersecurity experts.

“As the destruction or corruption of these control systems could cause grave harm, ensuring their security and resilience must be a collective effort that taps into the innovation, expertise, and ingenuity of the [industrial control systems] community,” said Jen Easterly, director of the US’s Cybersecurity and Infrastructure Security Agency.

White hats: One way to protect industrial control systems (and other tech) from hackers is by holding contests in which “white hat” hackers try to break into the systems in exchange for prizes. 

Any vulnerabilities that are exposed during the contests can then be fixed before cybercriminals exploit them.

One of these contests — Pwn2Own Miami 2022 — just took place April 19-21, and the results aren’t exactly encouraging for those of us who like reliable electricity and water: nearly every industrial control system targeted during the contest was hacked.

Low-hanging fruit: Dutch researchers Daan Keuper and Thijs Alkemade took home the biggest prize of the event — $40,000 — for hacking OPC UA, a communications protocol commonly used by industrial companies.

“OPC UA is used everywhere in the industrial world as a connector between systems,” Keuper told MIT Tech Review. “It’s such a central component of typical industrial networks, and we can bypass authentication normally required to read or change anything.”


Keuper said he and Alkemade needed “just a couple of days” to figure out their hack of the industrial control system — for comparison, Keuper spent three weeks working with a partner to hack an iPhone 4S in 2012.

“In industrial control systems, there is still so much low-hanging fruit,” Keuper said. “The security is lagging behind badly.”


Looking ahead: Now that the latest Pwn2Own contest is over, the makers of the industrial control systems targeted during it can work to fix any vulnerabilities detected by the hackers.

“We saw some amazing exploits, and I know vendors are already hard at work developing patches for the bugs we disclosed to them,” Dustin Childs, who hosted the event, told the Daily Swig. “We are pleased with the growth we saw this year, and we’d love to see that continue.”

“Ideally, we can partner with more vendors within the ICS/SCADA community to ensure we have the right targets and get them the best bugs possible to fix before they are exploited by threat actors,” he added.

Comments

Post a Comment

Popular posts from this blog

FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks

Image
By Sergiu Gatlan,  Bleeping Computer Today, the FBI, CISA, and the Department of Health and Human Services (HHS) warned U.S. healthcare organizations of targeted ALPHV/Blackcat ransomware attacks. "ALPHV Blackcat affiliates have been observed primarily targeting the healthcare sector," the joint advisory cautions. Today's warning follows an April 2022 FBI flash alert and another advisory issued in December 2023 detailing the BlackCat cybercrime gang's activity since it surfaced in November 2021 as a suspected rebrand of the DarkSide and BlackMatter ransomware groups. The FBI linked BlackCat to over 60 breaches during its first four months of activity (between November 2021 and March 2022) and said the gang has raked in at least $300 million in ransoms from over 1,000 victims until September 2023. "Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized," the three federal agencies warned in today...
Read more

Nissan North America data breach impacts over 53,000 employees

Image
By Bill Toulas,  Bleeping Computer Nissan North America (Nissan) suffered a data breach last year when a threat actor targeted the company's external VPN and shut down systems to receive a ransom. The car maker discovered the breach in early November 2023 and discovered recently that the incident exposed personal data belonging to more than 53,000 current and former employees. “As shared during the Nissan Town Hall meeting on December 5, 2023, Nissan learned on November 7, 2023, that it was the victim of a targeted cyberattack. Upon learning of the attack, Nissan promptly notified law enforcement and began taking immediate actions to investigate, contain, and successfully terminate the threat,” the company said in a notification to impacted individuals. Nissan disclosed that the threat actor targeted its external VPN and then shut down certain company systems before asking for a ransom. The company notes that none of its systems were encrypted during the attack. Working with extern...
Read more

Why Your VPN May Not Be As Secure As It Claims

Image
By Krebs On Security Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target’s traffic off of the protection provided by their VPN without triggering any alerts to the user. When a device initially tries to connect to a network, it broadcasts a message to the entire local network stating that it is requesting an Internet address. Normally, the only system on the network that notices this request and replies is the router responsible for managing the network to which the user is trying to connect. The machine on a network responsible for fielding these requests is called a Dynamic Host Configuration Protocol (DHCP) server, which will issue time-based leases for IP addresses. The DHCP server also takes care of setting a specific local address — known ...
Read more