Hackers warn of ‘tipping point’ for critical infrastructure

By Blake Sobczak | 07/27/2017 07:17 AM EDT

LAS VEGAS — Imagine a botched nuclear power plant evacuation that endangers personnel, or a 250-megawatt wind farm ground to a halt and held for ransom.

Or consider portions of the U.S. power grid flicked on and off by a custom-built digital weapon.

Such potential hacking catastrophes are under the spotlight at the annual Black Hat cybersecurity conference this week, fueled by a string of recent real-world incidents from Ukraine to U.S. nuclear power plants.

The connected world has reached a "tipping point," according to Bryan Singer, director of security services and sales at IOActive, a Seattle-based cybersecurity firm known for carrying out cheeky hacking demonstrations of critical devices.

While it’s now accepted that hacking can cause physical damage to everything from power grids to manufacturing plants, Singer said that the potential for a wide-scale disaster is still not understood.

"For every attacker I’ve seen, you get kind of a ‘D’ in my book. You didn’t really cause major impact" such as a prolonged power outage or chemical plant explosion, he said. "The skills and knowledge needed to go to that next level — they’re not unattainable."

Organizers say this year’s Black Hat conference is on track to be the largest ever, exceeding last year’s 15,000 attendees from all corners of the cybersecurity industry, government and academia. There is plenty of hacker bravado on display, but much of the latest research is grounded in real-world threats.

Robert M. Lee, CEO of Dragos Inc., shared analysis from the CrashOverride malware widely believed to have briefly knocked part of Ukraine’s power grid offline late last year.

CrashOverride, also called Industroyer by Slovakia-based ESET, is the first known hacking tool aimed squarely at electric grids. The samples reviewed by Dragos and ESET were tailor-made to exploit grid communication protocols widely used in Europe but could be tweaked to disrupt substations in North America with a bit of work.

"We’re not to a point of cascading grid failure … it’s actually much harder than people realize," he said.

Still, Lee told reporters after his talk that trends toward more connectivity in industrial environments may be making it "easier to impact infrastructure, while the adversary’s getting more aggressive."

Going nuclear

Ruben Santamarta, principal security consultant at IOActive, demonstrated vulnerabilities in radiation monitoring devices commonly used in hospitals and nuclear power plants.

"What I found was these devices were using a proprietary radio protocol that’s not secure at all," Santamarta said in a recent interview. "By exploiting these vulnerabilities, an attacker would be able to send malicious information to the operators."

Hackers could broadcast radio signals from nearly 30 miles away, he explained, perhaps "send[ing] data in order to simulate a radiation leak that is not happening" or, more dangerously, masking a real radiation leak to harm workers.

Santamarta’s research came out weeks after a cyberattack affected the Chernobyl nuclear site’s ability to access its own usual radiation control network. (In that incident, computers at the Ukrainian agency responsible for cleaning up Chernobyl, the site of a 1986 nuclear disaster, were hit by "ransomware," forcing workers to gauge radiation levels by hand.)

"The research is not intended to harm any sector. It’s research that tries to improve the security of devices that are important for the safety of critical infrastructure," said Santamarta, noting that he had reached out to the affected vendors and relevant government response teams in the United States and Spain. (The chief information security officer of one of the radiation monitoring equipment companies affected by the findings confirmed this.)

Santamarta added in a research paper published yesterday that "certain mitigations" already exist for the radio-based attack outlined in his work. That’s particularly true for closely guarded, walled-off nuclear reactors in power plants.

"Specific facilities within the plant are so protected that [radio frequencies] will be unable to penetrate them," he concluded.

Poisoned wind

Another "proof of concept" hack on display yesterday depended on physical access to the target: wind turbines.

Jason Staggs, a security researcher at the University of Tulsa in Oklahoma, said he became interested in exploring the cybersecurity of wind farms as the renewable electricity source has started to play a bigger role in the U.S. grid. Just yesterday, utility giant American Electric Power Co. Inc. announced a $4.5 billion investment in new wind farm generation (see related story).

Staggs developed and demonstrated a range of exploits for wind turbines, with nicknames like "Windpoison" and "Windshark." The attack tools rely in large part on sloppy security measures in place in at least a few U.S. wind farms, he said. These oversights include using default usernames and passwords provided by wind equipment vendors, relying on insecure communication protocols to send commands along the control system and failing to segment individual turbines from one another on the network, according to Staggs.

Staggs outlined how an attacker could break a padlock at the base of a turbine, plug into the wind farm’s control network and send malicious commands to trigger a "hard stop" for the hulking machines, bringing "wear and tear on critical mechanical components."

A particularly devious hacker could install ransomware on the wind farm’s control network, he suggested, halting electricity generation until the utility paid thousands of dollars in the digital currency bitcoin.

"This is just the tip of the iceberg, based on some of the research that we’ve done," he said.

On the sidelines of the conference yesterday, Staggs warned utilities not to put too much trust in their equipment vendors, instead asking them hard questions about any security claims. "[If] vendors continue to roll [turbines] out in the way that they are, based on what we’ve seen, you’re going to have an industrywide problem," he said.

Other speakers at Black Hat searched for diplomatic ways to head off the most disastrous hacking scenarios.

Marina Kaljurand, chairwoman of the Global Commission on the Stability of Cyberspace and former foreign affairs minister of Estonia, said there are growing opportunities "for misunderstanding each other, for provocations."

A decade ago, Estonia faced a series of crippling cyberattacks on key websites and services. The NATO member has since worked to bolster its own defenses and lobby for international cybersecurity norms.

The 2007 attack on Estonia was widely attributed to Russia-based groups. Recent cyberattacks on Ukraine’s power grid, in December 2015 and again last year with CrashOverride, have also been linked to hacking groups in Russia, according to multiple cybersecurity firms and authorities in Kiev.

Kaljurand warned that boundaries are being crossed with greater frequency, "like we’re seeing with interference with international elections, or cutting off power grids — events that are happening around us on a daily basis."

Experts largely agree that the cyberattacks with physical impacts, like those that damaged nuclear centrifuges in Iran in the late 2000s or temporarily shut off the grid in Ukraine, still demand the kind of expertise and resources only available to a nation-state.

"I very much hope that we’ll be able to develop, introduce and convince states to adopt some norms of responsible behavior," Kaljurand said.