Nuclear nightmare: Industrial control switches need fixing, now

LAS VEGAS - At Black Hat USA 2015, researchers have disclosed critical vulnerabilities in control switches that are actively used in industrial control management systems, such as substations, factories, refineries, ports, and other areas of industrial automation.

The flaws currently reside in system switches that could facilitate shutdown of a plant or process (such as nuclear-reactor "SCRAM") or forcing an industrial control system into a unknown and hazardous state (like causing damage to a blast furnace at a steel mill).

Researcher Robert M. Lee,, a co-founder of Dragos Security and active-duty U.S. Air Force Cyber Warfare Operations Officer, said that said that he believed with "great confidence" that these attacks are happening in the wild, but that they were most likely going overlooked because simply, "folks aren't noticing."

The researchers described that these industrial management systems can be compromised by a man-in-the-middle (MITM) attack to cause a range of havoc on live processes -- sending wrong, spoofed, fake, or incorrect data.

This can cause control systems to send incorrect commands, creating a situation in which the systems don't know its infrastructure is in dire straits and potentially about to overheat, perform the wrong process, implode, explode, or similarly disastrous outcomes.

The problems rely in the fact that industrial system protocols generally lack authentication or cryptographic integrity; the researchers listed a smorgasbord of attack vectors, including unauthenticated updates, CSS attacks, cleartext passwords, and much more.

Their presentation, "Switches Get Stitches" will focus on the DCS, PCS, ICS & SCADA switches of four vendors: Siemens, GE, Garrettcom, and Opengear.

For their presentation, they'll be going over eleven vulnerabilities, across five different products families, belonging the four vendors -- though the researchers stressed that the problems they're finding are not limited to these vendors.

The researchers said that they are only showing eleven vulnerabilities because they didn't have enough time to present more.

These vulnerabilities are being disclosed for the first time today, exclusively at Black Hat.

While the researchers have vulnerabilities have responsibly disclosed to the vendors, SCADA/ICS patching in live environments tends to take 1-3 years -- and these fixes need to happen ASAP.

Because of this patching lag, the researchers are providing live mitigations that owners and operators can use immediately to protect themselves.

Researcher Eireann Leverett said they want to dispel the perception that people are helpless in light vulnerabilities, and the notion that we must wait for vendors to save us. "Defense is doable," he said.

"We shouldn't have to rely on vendors to patch."