The U.S. Department of Homeland Security has issued an alert warning that hackers could exploit code in Siemens-owned technology to attack power plants and other national critical infrastructure.
Learn Insider Threat Detection with Application Response Strategies
Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.Join Now
Justin W. Clarke, an expert in securing industrial control systems, disclosed at a conference in Los Angeles on Friday that he had figured out a way to spy on traffic moving through networking equipment manufactured by Siemens' RuggedCom division.
RuggedCom, a Canadian subsidiary of Siemens that sells networking equipment for use in harsh environments such as areas with extreme weather, said it was investigating Clarke's findings, but declined to elaborate. Clarke said that the discovery of the flaw is disturbing because hackers who can spy on communications of infrastructure operators could gain credentials to access computer systems that control power plants and other critical systems.
According to security researcher Justin W. Clarke, Rugged OS contains the same private key used to decrypt secure-sockets-layer communications sent by administrators who log into the devices. This allows attackers who may have compromised a host on the network to eavesdrop on sessions and retrieve user login credentials and other sensitive details.
Plenty of small and home office routers also contain private SSL keys. What's different here is that RuggedCom devices, which are designed to withstand extreme dust, heat, and other harsh conditions, are connected to machinery that controls electrical substations, traffic control systems, and other critical infrastructure.
This is the second bug that Clarke, a high school graduate who never attended college, has discovered in products from RuggedCom, which are widely used by power companies that rely on its equipment to support communications to remote power stations.
Although there have been no publicly reported cases of damage caused by cyber-attacks on US critical infrastructure, the issue is a growing problem.
Countries around the world have been alerted to the threat after revelations that the Stuxnet virus had targeted a uranium enrichment facility in Iran.Earlier this month security firms reported another type of malware - dubbed Shamoon had struck "at least one organisation" in the energy sector.