We'd like to think the automated computer networks controlling our most sensitive infrastructure — our power plants and oil refineries and wastewater facilities — are impervious to attack.
It took about 45 minutes for a security researcher to dispel that myth.
At the Black Hat Security Conference here, Dillon Beresford, an analyst at NSS Labs, demonstrated how PLCs — programmable logic controllers, small computers used for machine automation at industrial-control facilities as well as prisons — can be remotely manipulated to crash.
Such an attack would have horrific consequences. Beresford showed the audience how "repeatedly attacking a PLC could cause an entire plant to shut down." (Earlier this week, a security consultant showed how manipulating a PLC could spring someone from a prison cell.)
In his presentation, "Exploiting Siemens Simatic S7 PLCs," Beresford focused on two PLCs made by Siemens, the S7-300 and the S7-1200.
From the get-go, he found a glaring security error in the way they were built: Both the user name and the password were "Basisk" (Swedish for "basic").
In his proof-of-concept hacks, Beresford wrote data to the PLCs to bypass their password protections, retrieve data from them and make them shut down. He showed how to rig the PLC to report false data to make the operator "think that everything's functioning normal, when in fact it's not."
His hack also changed the PLC's media access control (MAC) address, device name and time of day, and it locked out the PLC's operator.
"We can pretty much own everything on the automation network," Beresford said.
But Beresford is a professional: He has developed exploits for some of the most high-tech supervisory control and data acquisition (SCADA) software and worked with the United States Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
Could someone with less practice than Beresford take over a PLC and wreak havoc on a global scale? Beresford thinks so.
"It's not just nation states that have this power," he said. "The average guys sitting in their basements can pull this off, and you should be scared."
Of course, any talk of attacking industrial control systems has to include Stuxnet, the notorious worm that targeted nuclear facilities in Iran.
Beresford called Stuxnet "the 800-pound gorilla in the room" and assured the audience that he had no part in creating it.
Though there would obviously be disastrous ramifications if a criminal launched an attack like Beresford's, he said it's crucial that such malicious hacking techniques be made public.
"There are a lot of adversaries out there trying to attack us, and we are trying to attack our adversaries," he said. "It's important to have this information out there so we can make things safer for everyone."