Researcher Publishes Industrial Complex Hack
snydeq writes "Security researcher Kevin Finisterre has published code that could be used to take control of computers used to manage industrial machinery, potentially giving hackers a back door into utility companies, water plants, and even oil and gas refineries. The code exploits a flaw in supervisory control and data acquisition software from Citect. The vendor has released a patch, and risk arises only for systems connected directly to the Internet without firewall protection. Finisterre, however, sees the issue as indicative of a 'culture clash' between IT and process control engineers, who are reluctant to bring computers off-line for patching due to the potential havoc wreaked by downtime. 'A lot of the people who run these systems feel that they're not bound by the same rules as traditional IT,' Finisterre said. 'Their industry is not very familiar with hacking and hackers in general.'"
You download the data to a historian server and reference that. There is no reason to ever remotely connect to the actual hardware that is controlling the valves and actually running the plant. I'm not sure what kind of sites you'd need to fly an admin out to, but odds are that there are already people there. I don't know too many power plants, electrical generation facilities, or oil/gas operations that are 100% automated and don't have any people around.