Computer security company says vulnerabilities in Siemens’ PLCs could lead to environmental disaster, loss of life, if exploited by hackers
Computer security research company NSS Labs has revealed that power plants contain vulnerabilities that have no fixes and that could lead to disastrous consequences, including loss of life, if exploited by hackers.
The US-based company told AFP that it has discovered new loopholes that cyber-criminals and hackers could exploit to sabotage power plants, oil refineries or manufacturing operations across the world.
NSS chief executive Rick Moy said, "This is a global problem."
Moy went on to warn that the problem does not have a fix now.
Moy said, "There are no fixes to this right now."
"Bad guys would be able to cause real environmental and physical problems and possibly loss of life."
NSS said that it shared its findings with the US Computer Emergency Readiness Team, industrial facilities that are at risk, the US Department of Homeland Security and Germany-based Siemens.
The basis of the findings by NSS Labs is the work done by its researcher Dillon Beresford.
Beresford has reportedly discovered "multiple vulnerabilities" in Siemens programmable logic controllers or PLCs.
The PLCs are used in computer systems in power plants across the world to regulate temperatures, pressures, turbine speeds, robot arms and other functions requiring automatic control.
The Stuxnet virus that hit nuclear reactors in Iran last July could have targeted the PLCs.
In April this year, reports in Iran quoted Iran's civilian defence commander Gholam Reza Jalali as saying that investigations have proved that the US and Israel were behind the Stuxnet attack. He added that timely action taken by Iranian experts had averted a nuclear disaster in Iran.
Jalali blamed Siemens, whose equipment and software are used in Iran’s nuclear power plants, for leaking information about a Siemens-designed control system, Supervisory Control and Data Acquisition (SCADA), to the US and Israel.
He said Siemens must explain how its control systems used to operate Iran’s nuclear plants had been attacked by the worm.
It is believed that the Stuxnet virus attacked PLCs through an operating system. However, Moy said that Beresford has discovered ways to reprogram the devices directly via a network.
"The security of these systems is not what it should be," Moy said.
The Stuxnet worm is believed to have been created by the US and Israel because experts believed such a sophisticated worm needed a large team and lots of money.
Moy has countered such beliefs saying, "We don’t believe that to be true; it was not that hard to create these problems."
NSS said Beresford exploited the vulnerabilities in a few months with less than $3,000.