http://www.wired.com/threatlevel/2013/10/ics/
By Kim Zetter
Threat Level
Wired.com
10.16.13
A pair of researchers have uncovered more than two dozen vulnerabilities
in products used in critical infrastructure systems that would allow
attackers to crash or hijack the servers controlling electric substations
and water systems.
The vulnerabilities include some that would allow an attacker to crash or
send a master server into an infinite loop, preventing operators from
monitoring or controlling operations. Others would allow remote
code-injection into a server, providing an opportunity for an attacker to
open and close breakers at substations and cause power outages.
“Every substation is controlled by the master, which is controlled by the
operator,” says researcher Chris Sistrunk who, along with Adam Crain,
found vulnerabilities in the products of more than 20 vendors. “If you
have control of the master, you have control of the whole system, and you
can turn on and off power at will.”
The vulnerabilities are found in devices that are used for serial and
network communications between servers and substations. These products
have been largely overlooked as hacking risks because the security of
power systems has focused only on IP communication, and hasn’t considered
serial communication an important or viable attack vector, Crain says. But
the researchers say that breaching a power system through serial
communication devices can actually be easier than attacking through the IP
network since it doesn’t require bypassing layers of firewalls.
[...]
--
Find the best InfoSec talent without breaking your
recruiting budget! Post a Job, $99 for 31 days.
Hot InfoSec Jobs - http://www.hotinfosecjobs.com/
