Worry: Hackers can take over power plants

The threat began to escalate last year, with cyber criminals exploiting weaknesses in systems that control what the industries do (“Cybersecurity incidents in industrial control systems on the rise,” 16 April 2010 HSNW).

The latest computer worm, dubbed Stuxnet, was an even more alarming progression. Now hackers are creating codes to actually take over the critical systems.

Yahoo! News notes that in many cases, operating systems at power plants and other critical infrastructure are decades old. Sometimes they are not completely separated from other computer networks used by companies to run administrative systems or even access the Internet.

Those links between the administrative networks and the control systems provide gateways for hackers to insert malicious codes, viruses, or worms into the programs that operate the plants (“Experts: securing U.S. critical infrastructure against cyberattack not feasible,” 12 July 2010 HSNW; and “Smart Grid offers target-rich opportunities for hackers,” 3 August 2010 HSNW).

Experts in Germany discovered the Stuxnet worm, which has since shown up in a number of attacks — primarily in Iran, Indonesia, India, and the United Stqates, according to Microsoft. Stuxnet had tried to infect as many as 6,000 computers, as of 15 July, according to Microsoft data.

German officials transmitted the malware to the United States through a secure network, and experts at the Energy Department’s Idaho National Laboratory began to analyze it.

In plain terms, the worm was able to burrow into some operating systems that included software designed by Siemens AG, by exploiting a vulnerability in several versions of Microsoft Windows.

On Monday, Microsoft released another update to address the problem, and Siemens has taken similar steps.

Annual reports issued by DHS and the Department of Energy have detailed weaknesses in the industrial computer systems, and have repeatedly pressed companies to improve security practices. Reports as recently as this May urged companies routinely to download patches to update software, change and improve passwords, carefully restrict access to critical systems, and use firewalls to separate commonly used networks from those that control key systems.

A successful attack against a critical control systems, the Energy Department warned in its July report, “may result in catastrophic physical or property damage and loss.”

Over the past year, DHS has quietly been deploying teams of experts around the country to assess weaknesses in industrial control systems. The agency has created four teams and —with a budget scheduled to increase from $10 million this year to $15 million