German security journalists have discovered a vulnerability in industrial control systems that could have allowed attackers to take them over.
Journalists for the German IT magazine Heise Security found the control systems of several hundred industrial plants directly connected to the internet. With no significant security in place to prevent public access to the systems, the journalists would have been able to log into their command interface as technicians and make changes to the systems using a "trivial flaw", the publication said.
According to the article, the industrial plants found to be vulnerable in this way included at least one power station, where an attacker could have completely disabled the system and caused serious damage. In addition, the writers found they could have accessed the industrial control systems of a brewery (they didn't, so Germany's beer reserves thankfully remain safe) and a jail (where they could have also manipulated the heating system).
Heise Security decided not to exploit the vulnerabilities and instead contacted the manufacturer of the vulnerable control module as well as the country's government IT security body, the German Federal Office for Information Security (BSI). The BSI described the flaw as "critical", and found up to 500 vulnerable systems in Germany alone.
The bulk of Heise Security's research took place in February 2013. According to the magazine, a lot of the vulnerable industrial plants are still directly connected to the internet and accessible. While Heise Security, as well as the BSI, have alerted the control systems' maker of the vulnerability, it's not known if businesses using the vulnerable systems have been warned of the threat.
The journalists' research shines an interesting light on security within industry.
Although attacks on SCADA systems have been in the news for a while now (going back well beyond Stuxnet), it doesn't seem that manufacturers and owners of these systems have fully realised the security threats that face them, let alone reacted to them.
"Security flaws in German industrial plants show that IT security hasn't really reached the authorities and industry. We always talk about 'security by design', but incidents like these prove that 'insecurity by design' is still standard," Steve Durbin, global VP of the Information Security Forum, said.