Live hacking into your process

It's real. I saw it. Believe. Hackers can remotely enter facilities via laptop, run pumps, and actuate valves without the knowledge of owners/operators. It can be done, through multiple firewalls, with active security measures and technologies in place. U.S. Department of Energy and Department of Homeland Security, working through Idaho National Labs (INL), demonstrated a gut-wrenching breach ...

11/01/2005


Related Reading

It's real. I saw it. Believe. Hackers can remotely enter facilities via laptop, run pumps, and actuate valves without the knowledge of owners/operators. It can be done, through multiple firewalls, with active security measures and technologies in place.

U.S. Department of Energy and Department of Homeland Security, working through Idaho National Labs (INL), demonstrated a gut-wrenching breach to prove the need to aggressively lessen chances of process facility intrusion.

There's no such thing as security, just layers of protection. In a morbid sense, that means running faster than your buddy, not faster than the bear looking for lunch. In this case, the bear, an INL cyber-security engineer, worked for three weeks to hack into a tasty demo of real equipment and software. If that wasn't unsettling enough, INL confirmed that real-world facilities have been breached already. Press releases generally aren't issued, nor is law enforcement telling, which doesn't help quantify risks of standard hackers, organized crime, and nation/states with terror in mind.

Firewalls aren't enough. Defending proprietary controls (PLC or DCS) isn't enough. Microsoft, Linux, Unix—it doesn't matter; all are vulnerable.

'Our goal isn't to get people to throw up their arms and say, 'There's nothing we can do,' but to encourage people to acknowledge there are problems and take some actions,' said a grim-faced John Hammer, INL cyber-security engineer/hacker.

This isn't the only way 'in,' but, briefly, here's what I saw. Invasive code embedded into clip art was innocently downloaded into a PowerPoint presentation. The code was disguised and programmed to dial out undetected, through commonly used enterprise firewall software. The hacker used available tools to get permissions to get through a second firewall. A list of devices was found, the controller was reverse engineered, and the hacker took control via laptop.

INL's hacker showed on-screen tags on the plant human-machine interface, and pushed a spoofed set of values onto the screen, while actuating devices underneath that deception to do what he wanted, without triggering alarms. Imagine explaining that to spouses of dead coworkers, bosses, shareholders, media, and settlement-hungry attorneys after a toxic breach.

The live hacking demonstration, at the 2005 Emerson Global Users Exchange, left many attendees with mouths agape, not knowing if they should applaud, call the police, or immediately dial back home to alert coworkers that the threat is more real than anticipated. This column under November 2005 at www.controleng.com/archives has links to help augment your layers of protection.

Mark T. Hoske , Editor-in-Chief

MHoske@cfemedia.com

ONLINE EXTRA

Hackers may visit soon

Hackers have conferences and Web sites to exchange best practices and best-in-class tools, explained INL, on Oct. 4, at the Emerson users conference in Orlando, FL. And hackers generally work longer hours than most control engineers. Don’t think you’re immune to intrusion. Ask any of 50,000 Daimler-Chrysler workers at 13 plants, idled for a time during 2005, while damage from Zotob worm was fixed, INL said.

For related information, click here.





No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Big Data and IIoT value; Monitoring Big Data; Robotics safety standards and programming; Learning about PID
Motor specification guidelines; Understanding multivariable control; Improving a safety instrumented system; 2017 Engineers' Choice Award Winners
Selecting the best controller from several viewpoints; System integrator advice for the IIoT; TSN and real-time Ethernet; Questions to ask when selecting a VFD; Action items for an aging PLC/DCS
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.
Motion control advances and solutions can help with machine control, automated control on assembly lines, integration of robotics and automation, and machine safety.
This article collection contains several articles on the Industrial Internet of Things (IIoT) and how it is transforming manufacturing.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Future of oil and gas projects; Reservoir models; The importance of SCADA to oil and gas
Big Data and bigger solutions; Tablet technologies; SCADA developments
SCADA at the junction, Managing risk through maintenance, Moving at the speed of data
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
click me