It's real. I saw it. Believe. Hackers can remotely enter facilities via laptop, run pumps, and actuate valves without the knowledge of owners/operators. It can be done, through multiple firewalls, with active security measures and technologies in place.

U.S. Department of Energy and Department of Homeland Security, working through Idaho National Labs (INL), demonstrated a gut-wrenching breach to prove the need to aggressively lessen chances of process facility intrusion.

There's no such thing as security, just layers of protection. In a morbid sense, that means running faster than your buddy, not faster than the bear looking for lunch. In this case, the bear, an INL cyber-security engineer, worked for three weeks to hack into a tasty demo of real equipment and software. If that wasn't unsettling enough, INL confirmed that real-world facilities have been breached already. Press releases generally aren't issued, nor is law enforcement telling, which doesn't help quantify risks of standard hackers, organized crime, and nation/states with terror in mind.

Firewalls aren't enough. Defending proprietary controls (PLC or DCS) isn't enough. Microsoft, Linux, Unix—it doesn't matter; all are vulnerable.

'Our goal isn't to get people to throw up their arms and say, 'There's nothing we can do,' but to encourage people to acknowledge there are problems and take some actions,' said a grim-faced John Hammer, INL cyber-security engineer/hacker.

This isn't the only way 'in,' but, briefly, here's what I saw. Invasive code embedded into clip art was innocently downloaded into a PowerPoint presentation. The code was disguised and programmed to dial out undetected, through commonly used enterprise firewall software. The hacker used available tools to get permissions to get through a second firewall. A list of devices was found, the controller was reverse engineered, and the hacker took control via laptop.

INL's hacker showed on-screen tags on the plant human-machine interface, and pushed a spoofed set of values onto the screen, while actuating devices underneath that deception to do what he wanted, without triggering alarms. Imagine explaining that to spouses of dead coworkers, bosses, shareholders, media, and settlement-hungry attorneys after a toxic breach.

The live hacking demonstration, at the 2005 Emerson Global Users Exchange, left many attendees with mouths agape, not knowing if they should applaud, call the police, or immediately dial back home to alert coworkers that the threat is more real than anticipated. This column under November 2005 at www.controleng.com/archives has links to help augment your layers of protection.

Mark T. Hoske, Editor-in-Chief

mhoske@reedbusiness.com