Slashdot Mirror


Hackers Could Blow Up Factories Using Smartphone Apps (technologyreview.com)

An anonymous reader quotes a report from MIT Technology Review: Two security researchers, Alexander Bolshev of IOActive and Ivan Yushkevich of Embedi, spent last year examining 34 apps from companies including Siemens and Schneider Electric. They found a total of 147 security holes in the apps, which were chosen at random from the Google Play Store. Bolshev declined to say which companies were the worst offenders or reveal the flaws in specific apps, but he said only two of the 34 had none at all. Some of the vulnerabilities the researchers discovered would allow hackers to interfere with data flowing between an app and the machine or process it's linked to. So an engineer could be tricked into thinking that, say, a machine is running at a safe temperature when in fact it's overheating. Another flaw would let attackers insert malicious code on a mobile device so that it issues rogue commands to servers controlling many machines. It's not hard to imagine this causing mayhem on an assembly line or explosions in an oil refinery. The researchers say they haven't looked at whether any of the flaws has actually been exploited. Before publishing their findings, they contacted the companies whose apps had flaws in them. Some have already fixed the holes; many have yet to respond.

5 of 125 comments

  1. Blow up an oil refinery? by Anonymous Coward · Score: 2, Informative

    OK let's say you have enough knowledge to do this remotely. Even if you can manipulate process automation through a smartphone app, it's a sure bet you can't change most of the limits or permissives. There are specific reasons why process and power are designed to prevent this and covered by ASME or API codes. It's not random or arbitrary design. And while there are industrial accidents they are usually a chain of multiple failures or unforeseen problems in the design no one anticipated.

    This article is FUD. You may be able to trip the plant or shut down production, but unlikely to cause a malfunction that results in a catastrophe.

    A few people shot out some PG&E transformer oil reservoirs in California a while back. It tripped the substation, and PG&E routed around it. That is more likely than a hacker gaining enough knowledge to cause damage remotely.

  2. Only works on factories run by morons by Anonymous Coward · Score: 2, Informative

    1st rule of internet security: Only hook something to the net if it must be hooked to the net to do its job.
    2nd rule of internet security: If a system is hooked to the net to allow monitoring, make it only capable of transmitting onto the net, and not receiving from the net.
    3rd rule of internet security: Do not hire morons who will plug a memory stick into a unit that's not on the net, after that stick has been in a unit that is on the net.
    4th rule of internet security: Disable any wireless connectivity on systems you are not intentionally hooking to the net.
    5th rule of internet security: Do not hire anybody who would violate the preceding four rules.

    If your CEO is a moron he/she will make it less than a fireable offense to violate any of the above, and then your company deserves to have its factories explode.

  3. Re:FUD by johnsie · Score: 3, Informative

    Actually... I know of several energy companies whose generators and intake valves are controlled by PLCs. Those PLCs are on the same network as PCs (bad practice, I know). Technically it would be possible for a hacker to use an infected computer as a stepping stone to controlling the valves and generators. This would let a hacker completely destroy the generator and a lot of equipment the generator is hooked up to.

  4. Have you never heard of SCADA or Project Aurora by Anonymous Coward · Score: 2, Informative

    SCADA (process control) networks have long been known to have vulnerabilities that can be exploited in the real world. Further, project Aurora proved you could cause a generator to explode with the proper SCADA inputs. Just because they are front ending the mess with apps doesn't change anything.

  5. Don't they follow the "2 mechanical backups"... by Anonymous Coward · Score: 2, Informative

    rule. When I was working with high voltage semiconductor equipment, the rule was that there had to be 2 electromechanical (i.e. not computer controlled) backup systems to 'safe' things before they could be accessed. Seemed sensible to me. Is this not followed anymore?