Live hacking into your process

It's real. I saw it. Believe. Hackers can remotely enter facilities via laptop, run pumps, and actuate valves without the knowledge of owners/operators. It can be done, through multiple firewalls, with active security measures and technologies in place. U.S. Department of Energy and Department of Homeland Security, working through Idaho National Labs (INL), demonstrated a gut-wrenching breach ...

11/01/2005


Related Reading

It's real. I saw it. Believe. Hackers can remotely enter facilities via laptop, run pumps, and actuate valves without the knowledge of owners/operators. It can be done, through multiple firewalls, with active security measures and technologies in place.

U.S. Department of Energy and Department of Homeland Security, working through Idaho National Labs (INL), demonstrated a gut-wrenching breach to prove the need to aggressively lessen chances of process facility intrusion.

There's no such thing as security, just layers of protection. In a morbid sense, that means running faster than your buddy, not faster than the bear looking for lunch. In this case, the bear, an INL cyber-security engineer, worked for three weeks to hack into a tasty demo of real equipment and software. If that wasn't unsettling enough, INL confirmed that real-world facilities have been breached already. Press releases generally aren't issued, nor is law enforcement telling, which doesn't help quantify risks of standard hackers, organized crime, and nation/states with terror in mind.

Firewalls aren't enough. Defending proprietary controls (PLC or DCS) isn't enough. Microsoft, Linux, Unix—it doesn't matter; all are vulnerable.

'Our goal isn't to get people to throw up their arms and say, 'There's nothing we can do,' but to encourage people to acknowledge there are problems and take some actions,' said a grim-faced John Hammer, INL cyber-security engineer/hacker.

This isn't the only way 'in,' but, briefly, here's what I saw. Invasive code embedded into clip art was innocently downloaded into a PowerPoint presentation. The code was disguised and programmed to dial out undetected, through commonly used enterprise firewall software. The hacker used available tools to get permissions to get through a second firewall. A list of devices was found, the controller was reverse engineered, and the hacker took control via laptop.

INL's hacker showed on-screen tags on the plant human-machine interface, and pushed a spoofed set of values onto the screen, while actuating devices underneath that deception to do what he wanted, without triggering alarms. Imagine explaining that to spouses of dead coworkers, bosses, shareholders, media, and settlement-hungry attorneys after a toxic breach.

The live hacking demonstration, at the 2005 Emerson Global Users Exchange, left many attendees with mouths agape, not knowing if they should applaud, call the police, or immediately dial back home to alert coworkers that the threat is more real than anticipated. This column under November 2005 at www.controleng.com/archives has links to help augment your layers of protection.

Mark T. Hoske , Editor-in-Chief

MHoske@cfemedia.com

ONLINE EXTRA

Hackers may visit soon

Hackers have conferences and Web sites to exchange best practices and best-in-class tools, explained INL, on Oct. 4, at the Emerson users conference in Orlando, FL. And hackers generally work longer hours than most control engineers. Don’t think you’re immune to intrusion. Ask any of 50,000 Daimler-Chrysler workers at 13 plants, idled for a time during 2005, while damage from Zotob worm was fixed, INL said.

For related information, click here.





The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Women in engineering; Engineering Leaders Under 40; PID benefits and drawbacks; Ladder logic; Cloud computing
Robotic integration and cloud connections; SCADA and cybersecurity; Motor efficiency standards; Open- and closed-loop control; Augmented reality
Controller programming; Safety networks; Enclosure design; Power quality; Safety integrity levels; Increasing process efficiency
This article collection contains several articles on how advancements in vision system designs, computing power, algorithms, optics, and communications are making machine vision more cost effective than ever before.
Featured articles highlight technologies that enable the Industrial Internet of Things, IIoT-related products and strategies to get data more easily to the user.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Mobility as the means to offshore innovation; Preventing another Deepwater Horizon; ROVs as subsea robots; SCADA and the radio spectrum
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Women in engineering; Engineering Leaders Under 40; PID benefits and drawbacks; Ladder logic; Cloud computing
Robotic integration and cloud connections; SCADA and cybersecurity; Motor efficiency standards; Open- and closed-loop control; Augmented reality
Controller programming; Safety networks; Enclosure design; Power quality; Safety integrity levels; Increasing process efficiency
This article collection contains several articles on how advancements in vision system designs, computing power, algorithms, optics, and communications are making machine vision more cost effective than ever before.
Featured articles highlight technologies that enable the Industrial Internet of Things, IIoT-related products and strategies to get data more easily to the user.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Mobility as the means to offshore innovation; Preventing another Deepwater Horizon; ROVs as subsea robots; SCADA and the radio spectrum
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Women in engineering; Engineering Leaders Under 40; PID benefits and drawbacks; Ladder logic; Cloud computing
Robotic integration and cloud connections; SCADA and cybersecurity; Motor efficiency standards; Open- and closed-loop control; Augmented reality
Controller programming; Safety networks; Enclosure design; Power quality; Safety integrity levels; Increasing process efficiency
This article collection contains several articles on how advancements in vision system designs, computing power, algorithms, optics, and communications are making machine vision more cost effective than ever before.
Featured articles highlight technologies that enable the Industrial Internet of Things, IIoT-related products and strategies to get data more easily to the user.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Mobility as the means to offshore innovation; Preventing another Deepwater Horizon; ROVs as subsea robots; SCADA and the radio spectrum
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me