CybersecurityCritical flaws in SCADA give hackers edge

In an effort to improve critical cybersecurity flaws in industrial control systems, last week researchers releasedexploit modules that take advantage of security gaps in six major control systems, but in doing so, have made it easy for hackers to infiltrate these systems as none of them have been patched or taken offline.

Working in conjunction with Rapid7, researchers from DigitalBond found key vulnerabilities in programmable logic controllers (PLCS)from General Electric, Rockwell Automation, Schneider Modicon, Koyo Electronics, and Schweitzer Engineering Laboratories.

“We felt it was important to provide tools that showed critical infrastructure owners how easy it is for an attacker to take control of their system with potentially catastrophic results,” said Dale Peterson, the founder of DigitalBond.

These PLCs are widely used in nearly every major manufacturing process as well as major critical infrastructure facilities like water utilities, power plants, and oil refineries. The vulnerabilities vary across each manufacturer but include weak password storage, a lack of authentication and encryption, and backdoors that hackers can easily exploit to crash, disrupt, or destroy industrial control systems.

In addition to exposing the vulnerabilities, DigitalBond released Metasploit, an exploit module that specifically attacks some of these vulnerabilities

Speaking at the annual S4 Conference, Peterson explained that he hoped by releasing Metasploit industrial control system manufacturers would be shocked into taking cybersecurity more seriously.

“We kind of view this as just a first step maybe to help prod the industry to move forward to do something about it,” he said.