White hats 'easily' crack a program that controls the world's power grids

Cal Jeffrey

Posts: 3,494   +1,040
Staff member
What just happened? This week, two Dutch hackers won this year's Pwn2Own championship. It is their fourth win at the annual contest in Miami, Florida. This year was their biggest win, with the team pocketing $90,000 and the championship trophy. The pair also took home prizes in 2012, 2018, and 2021. However, in this case, it's not what they won. It's how they won that is news, and it's somewhat disturbing.

At this year's Pwn2Own, security researchers Daan Keuper and Thijs Alkemade decided to tackle an industrial control software called "OPC UA." This open-source communications protocol is used worldwide to connect industrial systems like power grids and other critical infrastructure.

It's disturbing enough to know that Keuper and Alkemade were able to break into OPC UA, but it's even more unsettling that they said it was surprisingly the "easiest" system they hacked at the conference.

"In industrial control systems, there is still so much low-hanging fruit," Keuper told MIT Technology Review. "The security is lagging behind badly."

"This is definitely an easier environment to operate in," Alkemade added.

The duo attacked several other infrastructure systems, but it took only two days to crack OPC UA.

"OPC UA is used everywhere in the industrial world as a connector between systems," said Keuper. "It's such a central component of typical industrial networks, and we can bypass authentication normally required to read or change anything. That's why people found it to be the most important and interesting. It took just a couple of days to find."

The fact that it only took two hackers a weekend to infiltrate a system responsible for controlling our electric, water, and nuclear systems is especially frightening considering the turmoil in Ukraine. Last month, the White House warned US corporations to harden their cyber defenses in case Russia tries to retaliate over US sanctions.

Technology Review did not mention whether developers have already patched the flaw. However, the host of the Pwn2Own competition, Zero Day Initiative, has a policy of "rewarding researchers for privately disclosing vulnerabilities." So presumably, the power grids are safe for now.

Permalink to story.

 

bviktor

Posts: 847   +1,264
Developers are doing a ridiculous job making their code proper. Things need to improve tenfold to be sustainable, otherwise the whole world is about to turn to absolute sh*t as these critical systems collapse on the slightest hacking efforts.
 

trparky

Posts: 1,087   +1,232
Please, just please. I don't need any more nightmare fuel. I've had my fill of it for the next decade.
 

Burty117

Posts: 4,488   +2,694
Developers are doing a ridiculous job making their code proper. Things need to improve tenfold to be sustainable, otherwise the whole world is about to turn to absolute sh*t as these critical systems collapse on the slightest hacking efforts.
I don't know this as a fact, I'm just presuming but the reason we probably haven't seen these systems hacked everyday is because the security around it is pretty strong.

Good firewalls, locked down networks that are monitored constantly etc...

The communication protocol might be weak but if the rest of the network is well guarded, it's probably why we don't hear a story every other day of powercuts due to hacking.
 

Hexic

Posts: 1,218   +1,898
TechSpot Elite
I don't know this as a fact, I'm just presuming but the reason we probably haven't seen these systems hacked everyday is because the security around it is pretty strong.

Good firewalls, locked down networks that are monitored constantly etc...

The communication protocol might be weak but if the rest of the network is well guarded, it's probably why we don't hear a story every other day of powercuts due to hacking.

I worked with the OPC standard for years - it's most definitely the security around the standard that is the most realistically important. Right now about every F500 company and gov. entity are still transitioning from simple serial connections (from 30-40+ years ago) to some form of modern data communications standard. Sometimes that requires a serial to Ethernet module which then you can integrate the OPC connection standard to integrate an MES/SCADA system for example, or simply replacing the entire PLC/interface controller is your last resort.

If your manufacturing infosec is up to snuff, you can run legacy hardware (which is the case for most every MFG facility) because paying $750K+ for each new CNC/thermal oven/etc. is just out of the question.

Robust network security systems and effective responses (PACL, etc.) when needed is about the best anyone can do right now without spending hundreds of billions upgrading their global production environment.
 

Burty117

Posts: 4,488   +2,694
I worked with the OPC standard for years - it's most definitely the security around the standard that is the most realistically important. Right now about every F500 company and gov. entity are still transitioning from simple serial connections (from 30-40+ years ago) to some form of modern data communications standard. Sometimes that requires a serial to Ethernet module which then you can integrate the OPC connection standard to integrate an MES/SCADA system for example, or simply replacing the entire PLC/interface controller is your last resort.

If your manufacturing infosec is up to snuff, you can run legacy hardware (which is the case for most every MFG facility) because paying $750K+ for each new CNC/thermal oven/etc. is just out of the question.

Robust network security systems and effective responses (PACL, etc.) when needed is about the best anyone can do right now without spending hundreds of billions upgrading their global production environment.
I thought that might be the case, thanks for sharing. Always interesting.