CybersecurityBlack Hat event highlights vulnerability of U.S. critical infrastructure
Cybersecurity researchers at the Black Hat conference now going on in Las Vegas, will demonstrate how hackers can gain access to U.S. critical infrastructure, and even cause explosions in oil and gas facilities, by altering the readings on wireless sensors used by the oil and gas industry. The faulty sensors typically cost between $1,000 and $2,000 each, and hundreds or even thousands of them are used at a single oil, gas, or water facility.
Recently-deceased hacker Barnaby Jack demonstrates hacking ATM machines // Source: thongtincongnghe.com
Cybersecurity researchers at the Black Hat conference now going on in Las Vegas, will demonstrate how hackers can gain access to U.S. critical infrastructure, and even cause explosions in oil and gas facilities, by altering the readings on wireless sensors used by the oil and gas industry.
WAToday reports that, among other things, presenters at the event show companies the cost of refusing to replace expensive equipment and install new standards. “We’ve got this cancer that is growing inside our critical infrastructure. When are we going to go under the knife instead of letting this fester?” Patrick Miller, founder of the non-profit Energy Sector Security Consortium said. “We need to restructure some relations and incentives.”
The faulty sensors typically cost between $1,000 and $2,000 each, and hundreds or even thousands of them are used at a single oil, gas, or water facility.
Lucas Apa and Carlos Mario Penagos of security consulting firm IOActive say the wireless sensors have flaws in the way they handle encryption.
Apa and Penagos were able to contact the sensors with radio transmissions from as far as thirty-nine miles away, and change the pressure and volume readings the sensor displayed. If the facility’s control system would change in accordance with the inaccurate readings, a pipeline, pump, or even an entire plant would be disabled.
Eric Forner and Brian Meixell of the consulting firm Cimation will simulate an attack and force a tank to be overfilled, causing a spill or blowout. The two said that even a modest effort by hackers with malicious intent could cause random problems for a facility, but that a focused attack would take more of an effort.
Apa and Penagos added that it would take a fair amount of specialized experience for a hacker to conduct a destructive attack, but that it would also take a long time for patches to be applied.
The researchers have found the encryption flaws in the devices supplied by three of the largest vendors in the field, but they did not identify the companies involved.
Currently, DHS issues warnings on attacks and advisories on how to fix flaws. Apa and Penagos are working with the agency and equipment makers to correct the problem. A DHS spokesperson declined to comment on the issue.
