Homeland Security warns hacktivists may point, click, destroy industrial control systems

While hacking into chemical facility computer systems in order to turn valves or start pumps might not be the typical low hanging fruit that hackers go after, Homeland Security warned that Anonymous hacktivists may cyberattack industrial control systems. In fact, the Department of Homeland Security and Idaho National Laboratory have engaged in mock hack-offs to wreak havoc and to highlight the vulnerabilities at factories, electrical plants and chemical facilities. The bad guys on the Red Team used virtual tools to crack into and cause chaos in the real world of the good guys on the Blue Team. These hackers showed that a malicious attack that caused mayhem and a toxic spill at ACME Chemical company was as easy as point, click and destroy.

V-vendetta-Anonymous.jpg

According to a bulletin put out by Homeland Security and posted on Public Intelligence, "experienced and skilled members of Anonymous in hacking could be able to develop capabilities to gain access and trespass on control system networks very quickly."

Last year Stuxnet proved the reality of how very vulnerable Supervisory Control And Data Acquisition (SCADA) systems and industrial control software (ICS) systems could be. That was followed by Black Hat / DefCon security conference presentations of hacking SCADA to unlock and throw open prison doors, whacking wireless water meter networks, and penetrating internet-connected power lines to cut the power or seize control of security cameras, jam security alarms, or otherwise hack into home automation systems. Homeland Security referenced the "presentations at hacker conferences" and other "free educational opportunities (conferences, classes)" that have "raised awareness to ICS vulnerabilities, and likely shortened the time needed to develop sufficient tactics, techniques, and procedures (TTPs) to disrupt ICS."

Also according to the DHS bulletin warning about possible attacks by Anonymous hacktivists:

Control system exploits are released in common penetration testing software such as Metasploit release 4.0 that can be directly used with novice level skills in hacking and little to no background in control systems. Common packet inspection tools such as WireShark and Netmon have improved to the point where industrial protocols are supported minimizing the effectiveness of security-by-obscurity. In addition, there are control systems that are currently accessible directly from the Internet and easy to locate through internet search engine tools and applications. These systems could be easily located and accessed with minimal skills in order to trespass, carry out nefarious activities, or conduct reconnaissance activities to be used in future operations.

Then Homeland Security and Idaho National Laboratory started training people to securely run industrial control systems and to fend off real attacks. In one such scenario, social engineering was the lethal key that opened to the door to toxic chaos at ACME Chemical company. The DHS bulletin warned, skilled hackers might "exploit elevated privileges by hijacking credentials of valid users of the ICS software product posted based on traditional exploitation methods." Indeed, that is precisely how the Red Team snuck into ACME Chemical, by exploiting trust to trick the CEO of ACME Chemical company with a phishing attack.

Within 30 minutes of the CEO of opening a malicious phishing email, Red Team hackers had pillaged company documents, snuck in to IP-based surveillance cameras and were spying on admins, had taken control and maliciously overrode safety features on a chemical plant computer system in order to turn valves, start pumps and cause a toxic chemical spill. In fact, the government cyberattack drill showed that in the hands of skilled hackers, industrial destruction really is as easy as point, click, destroy.

This is not some sci-fi movie plot; Homeland Security has said that actual attacks on industrial systems are happening. Greg Schaffer, acting deputy of the National Protection and Programs Directorate, added that "attackers are 'kicking on the doors' of industrial systems." About 400 industrial,  power plant or chemical facility employees go through Idaho National Laboratory Red Team - Blue Team training per year in order to tighten computer security, to avoid cyber emergenices, close vulnerabilities, and learn to fend off cyberattacks in real life.

Here's a video about the government computer attack drill:

FREE Computerworld Insider Guide: Five IT certifications that won’t break you
Join the discussion
Be the first to comment on this article. Our Commenting Policies