German industrial systems flaw opens up brewery, jail to attackers

Summary: German journalists discovered that a minor security flaw could have given them control over several hundred industrial systems connected directly to the internet.

TOPICS: Security, EU

German security journalists have discovered a vulnerability in industrial control systems that could have allowed them to be taken over by attackers.

Journalists for the German IT magazine Heise Security found the control systems of several hundred industrial plants directly connected to the internet. Without any significant security to speak of in place to prevent public access to the systems, the journalists would have been able to log into their command interface as technicians and make changes to the systems using a "trivial flaw", the publication said.

According to the article, among the industrial plants found to be vulnerable in this way was at least one power station, where an attacker could have completely disabled the system and caused serious damage. In addition, the writers found they could have accessed the industrial control systems of a brewery (they didn't, so Germany's beer reserves thankfully remain safe) and a jail (where they could have also manipulated the heating system).

Heise Security decided not to exploit the vulnerabilities and instead contacted the manufacturer of the vulnerable control module as well as the country's government IT security body, the German Federal Office for Information Security (BSI). The BSI described the flaw as "critical", and found up to 500 vulnerable systems in Germany alone.

The bulk of Heise Security's research took place in February 2013. According to the magazine, a lot of the vulnerable industrial plants are still directly connected to the internet and accessible. While Heise Security, as well as the BSI, have alerted the control systems' maker of the vulnerability, it's not known if businesses using the vulnerable systems have been warned of the threat.

The journalists' research shines an interesting light on security within industry.

Although attacks on SCADA systems have been in the news for a while now (going back well beyond Stuxnet), it doesn't seem that manufacturers and owners of these systems have fully realised the security threats that face them, let alone reacted to them.

"Security flaws in German industrial plants show that IT security hasn't really reached the authorities and industry. We always talk about 'security by design', but incidents like these prove that 'insecurity by design' is still standard," Steve Durbin, global VP of the Information Security Forum, said. 

Moritz Jaeger

About Moritz Jaeger

Moritz is a Munich-based IT-journalist with more than eight years of experience as an author under his belt.


1 comment
  • Who was Manufacturer?

    We have a lot of control systems in the US that come from German manufacturers. Stuxnet targeted Siemens controllers, which we have a lot of. Since they are one of the world’s major manufacturers of control systems I assume this article was about them also. Still there are other possibilities.