DHS investigating Siemens 'flaw' in power plant security

Summary: The U.S. government is probing Siemens' technology that may allow hackers to attack critical infrastructure, such as power plants.


The U.S. Department of Homeland Security has issued an alert warning that hackers could exploit code in Siemens-owned technology to attack power plants and other national critical infrastructure.

Security researcher Justin Clarke exposed the flaw at a Los Angeles conference last week, claiming he discovered a way of spying on encrypted traffic in hardware owned by a Siemens subsidiary, RuggedCom.

The DHS advisory noted: "An attacker may use the key to create malicious communication to a RuggedCom network device."

It added that the government department was in contact with RuggedCom and the researcher in order to identify the flaw and find a resolution to the vulnerability.

Clarke said that the Siemens-owned technology maker used a single software key to decode encrypted traffic that flows across its network, and that he had discovered a way to extract the key, which could then be used to send malware or credentials to the critical systems.

"If you can get to the inside, there is almost no authentication, there are almost no checks and balances to stop you," Clarke said, reports Reuters.

According to the BBC, this is the second time Clarke has reported a flaw in RuggedCom's technology after purchasing the firm's second-hand equipment from eBay. RuggedCom updated its software after Clarke found the first 'backdoor' that would have allowed hackers to access equipment remotely with an easily extracted password.

Though the risk of cyberattacks continues to plague governments around the world, there have been no reports of successful attacks on U.S. critical systems yet.

Iran is known to have suffered from the Stuxnet malware that caused physical damage to its nuclear facilities, in response to global concerns that Tehran was building a nuclear bomb. Similar malware, dubbed Flame, was described as the "most complex" cyber-weapon ever discovered by Kaspersky Lab.

  • Surprise, surprise

    Fixing communications and control security in power plants and such has been dragging on for at least a decade with at best mixed results. They need to just bite the bullet and remove all remote access to power plant controls and leave only monitoring in place. Remote access was only added in the first place for convenience's sake and serves no vital purpose since power plants at least have to be manned full time anyway. So the tech has to make a house call -- big whoop.
    • for likely that

      more likely that some bean-counter demanded that he/she be able to include it dynamically in some Excel spreadsheet to produce some irrelevant report that nobody will read or understand anyway.
  • DHS investigating Siemens 'flaw' in power plant security

    no amount of hardening can mitigate an attack on a system that is physically accessible.