White hats 'easily' crack a program that controls the world's power grids

Cal Jeffrey

Cal Jeffrey

Posts: 4,166   +1,420
Staff member
What just happened? This week, two Dutch hackers won this year's Pwn2Own championship. It is their fourth win at the annual contest in Miami, Florida. This year was their biggest win, with the team pocketing $90,000 and the championship trophy. The pair also took home prizes in 2012, 2018, and 2021. However, in this case, it's not what they won. It's how they won that is news, and it's somewhat disturbing.

At this year's Pwn2Own, security researchers Daan Keuper and Thijs Alkemade decided to tackle an industrial control software called "OPC UA." This open-source communications protocol is used worldwide to connect industrial systems like power grids and other critical infrastructure.

It's disturbing enough to know that Keuper and Alkemade were able to break into OPC UA, but it's even more unsettling that they said it was surprisingly the "easiest" system they hacked at the conference.

"In industrial control systems, there is still so much low-hanging fruit," Keuper told MIT Technology Review. "The security is lagging behind badly."

"This is definitely an easier environment to operate in," Alkemade added.


Daan Keuper and Thijs Alkemade receiving their Master of Pwn trophy and jackets.

The duo attacked several other infrastructure systems, but it took only two days to crack OPC UA.

"OPC UA is used everywhere in the industrial world as a connector between systems," said Keuper. "It's such a central component of typical industrial networks, and we can bypass authentication normally required to read or change anything. That's why people found it to be the most important and interesting. It took just a couple of days to find."

The fact that it only took two hackers a weekend to infiltrate a system responsible for controlling our electric, water, and nuclear systems is especially frightening considering the turmoil in Ukraine. Last month, the White House warned US corporations to harden their cyber defenses in case Russia tries to retaliate over US sanctions.

Technology Review did not mention whether developers have already patched the flaw. However, the host of the Pwn2Own competition, Zero Day Initiative, has a policy of "rewarding researchers for privately disclosing vulnerabilities." So presumably, the power grids are safe for now.

Permalink to story.

https://www.techspot.com/news/94321-white-hats-easily-crack-program-controls-world-power.html

 
Developers are doing a ridiculous job making their code proper. Things need to improve tenfold to be sustainable, otherwise the whole world is about to turn to absolute sh*t as these critical systems collapse on the slightest hacking efforts.
 
  • Like
Reactions: sdms96825
Please, just please. I don't need any more nightmare fuel. I've had my fill of it for the next decade.
 
  • Like
Reactions: trgz
bviktor said:
Developers are doing a ridiculous job making their code proper. Things need to improve tenfold to be sustainable, otherwise the whole world is about to turn to absolute sh*t as these critical systems collapse on the slightest hacking efforts.
Click to expand...
I don't know this as a fact, I'm just presuming but the reason we probably haven't seen these systems hacked everyday is because the security around it is pretty strong.

Good firewalls, locked down networks that are monitored constantly etc...

The communication protocol might be weak but if the rest of the network is well guarded, it's probably why we don't hear a story every other day of powercuts due to hacking.
 
  • Like
Reactions: BadThad and Dd663
Burty117 said:
I don't know this as a fact, I'm just presuming but the reason we probably haven't seen these systems hacked everyday is because the security around it is pretty strong.

Good firewalls, locked down networks that are monitored constantly etc...

The communication protocol might be weak but if the rest of the network is well guarded, it's probably why we don't hear a story every other day of powercuts due to hacking.
Click to expand...

I worked with the OPC standard for years - it's most definitely the security around the standard that is the most realistically important. Right now about every F500 company and gov. entity are still transitioning from simple serial connections (from 30-40+ years ago) to some form of modern data communications standard. Sometimes that requires a serial to Ethernet module which then you can integrate the OPC connection standard to integrate an MES/SCADA system for example, or simply replacing the entire PLC/interface controller is your last resort.

If your manufacturing infosec is up to snuff, you can run legacy hardware (which is the case for most every MFG facility) because paying $750K+ for each new CNC/thermal oven/etc. is just out of the question.

Robust network security systems and effective responses (PACL, etc.) when needed is about the best anyone can do right now without spending hundreds of billions upgrading their global production environment.
 
  • Like
Reactions: ron baer, BadThad and Burty117
Hexic said:
I worked with the OPC standard for years - it's most definitely the security around the standard that is the most realistically important. Right now about every F500 company and gov. entity are still transitioning from simple serial connections (from 30-40+ years ago) to some form of modern data communications standard. Sometimes that requires a serial to Ethernet module which then you can integrate the OPC connection standard to integrate an MES/SCADA system for example, or simply replacing the entire PLC/interface controller is your last resort.

If your manufacturing infosec is up to snuff, you can run legacy hardware (which is the case for most every MFG facility) because paying $750K+ for each new CNC/thermal oven/etc. is just out of the question.

Robust network security systems and effective responses (PACL, etc.) when needed is about the best anyone can do right now without spending hundreds of billions upgrading their global production environment.
Click to expand...
I thought that might be the case, thanks for sharing. Always interesting.
 
  • Like
Reactions: Hexic
You must log in or register to reply here.

Similar threads

Daniel Sims
Most gaming time is spent on older titles like Fortnite and Minecraft, report says
Replies
20
Views
183
Durch
D
Julio Franco
Are return-to-office mandates actually masquerading as "quiet firing"?
Replies
0
Views
58
Julio Franco
Julio Franco
midian182
The cost of staying remote at Dell: No promotions or job changes
2
Replies
26
Views
420
Endymio
Endymio

Latest posts

Back