• All Share : 51550.17
    DOWN -0.14%
    Top 40 : 4425.59
    UP 0.54%
    Financial 15 : 14633.29
    DOWN -0.39%
    Industrial 25 : 58750.01
    DOWN -0.57%

  • ZAR/USD : 10.5111
    DOWN -0.13%
    ZAR/GBP : 17.8409
    DOWN -0.17%
    ZAR/EUR : 14.1190
    DOWN -0.33%
    ZAR/JPY : 0.1032
    DOWN -0.14%
    ZAR/AUD : 9.8833
    DOWN -0.27%

  • Gold : 1298.3350
    UP 0.42%
    Platinum : 1473.7000
    UP 0.66%
    Silver : 20.4955
    UP 0.69%
    Palladium : 878.5000
    UP 1.44%
    Brent Crude Oil : 107.950
    UP 0.82%

  • All data is delayed by 15 min. Data supplied by INET BFA
    Hover cursor over this ticker to pause.

Fri Jul 25 17:58:57 SAST 2014

Widely used power control systems vulnerable to hackers

Reuters | 06 February, 2013 08:40
Eskom powerlines
Image by: KEVIN SUTHERLAND

A widely used system for controlling electricity, heating and other systems inside buildings remains vulnerable to attacks over the Internet, despite warnings from US officials, researchers say.

The Niagara control system from Honeywell International Inc’s Tridium division are configured to connect to the Internet by default, even though that is not necessary for them to function, two researchers from security firm CyLance said at a security conference in San Juan, Puerto Rico.

The pair, Billy Rios and Terry McCorkle, uncovered vulnerabilities last year that prompted the Department of Homeland Security to warn customers to change their settings and resulted in Honeywell releasing a software update that the two researchers previously said had successfully addressed the problems.

Yet they revealed on Tuesday they have since uncovered new flaws in Tridium’s technology that continue to make customers vulnerable to attack via the Internet.

They showed they could take control of a Niagara system using a new piece of software they had written to demonstrate the vulnerabilities in the system.

They declined to explain their techniques out of concern that malicious hackers might try to copy their methods. They said attackers could accomplish the same ends by taking advantage of weak encryption and passwords stored internally on the Tridium control devices.

Once inside, hackers could wreak havoc with the physical environment and in many cases could also jump to a building’s main office computers, McCorkle said.

“It’s a little worrisome,” McCorkle said. “Don’t put it on the net.”

A Honeywell spokesman said the company was working to address the new problems as quickly as possible and would alert customers of the risks.

“We appreciate the fact that Mr. Rios and Mr. McCorkle are continuously reminding the user community of these sorts of vulnerabilities and we share their interest in getting them fixed,” said Honeywell spokesman Mark Hamel.

Department of Homeland Security spokesman Peter Boogaard declined to comment on the security of the Niagara technology.

Poor security in industrial control systems, including those that run manufacturing facilities and power plants, has become an intense focus for security researchers and hackers alike since 2010 when the Stuxnet virus surfaced.

Stuxnet attacked Iran’s nuclear program, targeting centrifuges at a uranium enrichment facility running on widely used control systems from German conglomerate Siemens AG

It exploited previously unknown security flaws in Siemens technology.

Scores of security experts have since rushed to identify similar bugs in an effort to prevent malicious hackers from launching potentially devastating attacks on power systems, chemical plants, water utilities and other facilities that run on industrial control systems technology.

Internet access 

In their presentation, the two researchers showed that some 21000 Niagara systems used at hospitals and other facilities can currently be accessed via the public Internet, using a specialized search engine known as Shodan.

Many Niagara customers do not realize their systems are attached to the internet because they were originally installed by outside contractors, the two said.

Building operators typically control Niagara systems directly from inside the facilities they control, with Internet access surviving as a back-up, they said.

Experts in industrial control systems security compare the problems to those in the early days of Microsoft Corp’s Windows software for PCs. But they warn it will be harder to fix the bugs because equipment often remains in place for decades and some manufacturers have no easy way to get security improvements to their customers.

Rios said they notified Tridium of their most recent findings and that the division hoped to have a fix available to customers of the current version of Niagara within a week, with fixes for older versions coming later.

A spokeswoman for Tridium said she could not immediately comment on the findings from Rios and McCorkle.

SHARE YOUR OPINION

If you have an opinion you would like to share on this article, please send us an e-mail to the Times LIVE iLIVE team. In the mean time, click here to view the Times LIVE iLIVE section.
Fri Jul 25 17:58:57 SAST 2014 ::