Infrastructure protection

Siemens software which controls power plants vulnerable to hackers

Published 27 August 2012

RuggedCom is a Canadian subsidiary of Siemens which sells networking equipment for use in harsh environments with extreme and inclement weather; many critical infrastructure operators of power plants, water systems, dams, and more; a security specialist discovered a flaw in the software, a flaw which allows hackers to spy on communication of infrastructure operators and gain credentials to access computer systems which control power plants as well as other critical systems

Against the backdrop of the acrimonious debate over the cybersecurity bill, and with the White House exploring the possibility of using executive orders to mandate cybersecurity standards which operators of critical infrastructure facilities would have to meet, DHS will now look into claims of flaws in software for specialized networking equipment from Siemens.

Justin Clarke, an expert in securing industrial control systems, two weeks ago disclosed that he had found a flaw in software from Siemens’ RuggedCom division, a flaw which allows hackers to spy on traffic moving through networking equipment manufactured by Siemens.

The Chicago Tribune reports that DHS asked RuggedCom on Tuesday to confirm Clarke’s claims that the flaws could enable hackers to attack power plants and other critical systems. RuggedCom is a Canadian subsidiary of Siemens which sells networking equipment for use in harsh environments. The company has said that it was investigating Clarke’s claims but declined to elaborate.

Clarke said hackers who can spy on communication of infrastructure operators could gain credentials to access computer systems which control power plants as well as other critical systems.

“If you can get to the inside, there is almost no authentication, there are almost no checks and balances to stop you,” Clarke told the Chicago Tribune.

This is the second time that Clarke has found a bug in RuggedCom’s products, which are used by power companies for communication to remote power stations.

RuggedCom released an update to its Rugged Operating System (ROS) software in May after Clarke discovered that it had a “back door” account that could give hackers access to the equipment with a password.

DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said on Tuesday that it is working with RuggedCom and Clarke to fix the problem and to keep this from happening in the future.

This will not be easy, however, as Clarke said that all ROS software uses a single software “key” to decode traffic that is encrypted as it moves across the network. Clarke told Reuters that it is possible to extract that key from any piece of RuggedCom’s ROS software.

Clarke, who never attended college, did his original research at his apartment, but was hired a few months ago by Cylance, a company specializing in securing infrastructure. The company was founded by Stuart McClure, the former chief technology officer of Intel Corp’s McAfee security division.

Marcus Carey, a security researcher with Boston-based Rapid7, said hackers could exploit the bug discovered by Clarke to disable communications networks as one element of a much bigger attack.

“It’s a big deal,” Carey told the Tribune. “Since communications between these devices is critical, you can totally incapacitate an organization that requires the network.”

As of now there are no reported cases of cyber attacks on the U.S. infrastructure.

The Tribune notes that the report on the RuggedCom vulnerability is among ninety released so far this year by ICS-CERT about possible risks to critical infrastructure operators. That is up from about sixty in the same period a year earlier.