BOSTON, Aug 21 - The U.S. government is looking
into claims by a cyber security researcher that flaws in
software for specialized networking equipment from Siemens
could enable hackers to attack power plants and other
critical systems.
Justin W. Clarke, an expert in securing industrial control
systems, disclosed at a conference in Los Angeles on Friday that
he had figured out a way to spy on traffic moving through
networking equipment manufactured by Siemens' RuggedCom
division.
The Department of Homeland Security said in an alert
released on Tuesday that it had asked RuggedCom to confirm the
vulnerability that Clarke, a 30-year-old security expert who has
long worked in the electric utility field, had identified and
identify steps to mitigate its impact.
RuggedCom, a Canadian subsidiary of Siemens that sells
networking equipment for use in harsh environments such as areas
with extreme weather, said it was investigating Clarke's
findings, but declined to elaborate.
Clarke said that the discovery of the flaw is disturbing
because hackers who can spy on communications of infrastructure
operators could gain credentials to access computer systems that
control power plants and other critical systems.
"If you can get to the inside, there is almost no
authentication, there are almost no checks and balances to stop
you," Clarke said.
This is the second bug that Clarke, a high school graduate
who never attended college, has discovered in products from
RuggedCom, which are widely used by power companies that rely on
its equipment to support communications to remote power
stations.
In May, RuggedCom released an update to its Rugged Operating
System software after Clarke discovered that it had a previously
undisclosed "back door" account that could give hackers remote
access to the equipment with an easily obtained password.
The Department of Homeland Security's Industrial Control
Systems Cyber Emergency Response Team, which is known as
ICS-CERT, said in its advisory on Tuesday that government
analysts were working with RuggedCom and Clarke to figure out
how to best mitigate any risks from the newly identified
vulnerability.
EASILY AVAILABLE KEY
Clarke said the problem will be tough to fix because all
Rugged Operating System software uses a single software "key" to
decode traffic that is encrypted as it travels across the
network.
He told Reuters that it is possible to extract that "key"
from any piece of RuggedCom's Rugged Operating System software.
Clarke obtained RuggedCom's products by purchasing them
through eBay.
He conducted the original research in his spare time with
equipment spread out on the bed of his downtown San Francisco
apartment. Earlier this year, he was hired by Cylance, a firm
that specializes in securing critical infrastructure and was
founded by Stuart McClure, the former chief technology officer
of Intel Corp's McAfee security division.
Marcus Carey, a researcher with Boston-based security firm
Rapid7, said potential attackers might exploit the bug
discovered by Clarke to disable communications networks as one
element of a broader attack.
"It's a big deal," said Carey, who previously helped defend
military networks as a member of the U.S. Navy Cryptologic
Security Group. "Since communications between these devices is
critical, you can totally incapacitate an organization that
requires the network."
So far there have been no publicly reported cases of cyber
attacks that have caused damage to U.S. critical infrastructure.
The Stuxnet virus was used to cripple Iran's nuclear program
in 2010, causing physical damage to a uranium enrichment
facility in that nation. Researchers recently found pieces of
another virus known as Flame that they believe has been used to
destroy data in facilities in Iran.
The report on the RuggedCom vulnerability is among 90
released so far this year by ICS-CERT about possible risks to
critical infrastructure operators. That is up from about 60 in
the same period a year earlier, according to data published on
the agency's website.
"DHS works closely with public and private sector partners
to develop trusted relationships and help asset owners and
operators establish policies and controls that prevent
incidents," said DHS spokesman Peter Boogaard. "The number of
incidents reported to DHS's ICS-CERT has increased, partly due
to this increased communication."