Research set to be presented at the Black Hat conference in Las Vegas this week will reveal vulnerabilities in industrial Ethernet switches that could allow nuclear power plants, hydroelectric dams and other critical infrastructure to be hacked.
Ken Westin, Security Analyst for Tripwire, says, “These systems should be closed off via air gapped networks but the good news is that the problem can be fixed without updating the firmware.” Tim Erlin, Director of IT security and Risk Strategy at Tripwire, explains that “A lot of progress has been made in recent years, but industrial networking systems have an exceptionally long lifespan compared to corporate IT. In some cases, vendors and utilities are trying to address security issues on more than 15 year old devices that are difficult to replace.”
Comments from Tripwire on Vulnerabilities in Industrial Ethernet Switches for Critical Infrastructure
“Many of these devices were never meant to be connected to corporate networks or the Internet, instead these systems should be closed off via air gapped networks. These devices were developed with a focus on reliability and efficiency; security was not a priority. However, the real risk is when these segmented networks are connected to traditional corporate networks that are then connected to the Internet.
Many of the vulnerabilities the researchers will reveal are related to misconfigurations or default settings, and when these are paired with network access available through traditional IT networks, can leave critical infrastructure at risk. The good news is that this is something that can easily be fixed without updating firmware. The silver lining of this research, as well as work being done by industry groups, the government and others, is a stronger emphasis on security controls and practices for industrial networks and systems. Tremendous strides are already being taken to improve the security of critical infrastructure, but these changes will take time.” ---Ken Westin, Security Analyst for Tripwire
“Information security is an important issue when it comes to critical infrastructure, and the electric grid. A lot of progress has been made in recent years, but industrial networking systems have an exceptionally long lifespan compared to corporate IT. In some cases, vendors and utilities are trying to address security issues on more than 15 year old devices that are difficult to replace.
When the network is part of the overall system keeping the lights on, an extra dose of caution is warranted, even for what might seem like a simple update. The cultural change required in Industrial IT involves incorporating security into the requirements for reliability. Securing these systems is about keeping the lights on, not in conflict with it.” ---Tim Erlin, Director of IT security and Risk Strategy at Tripwire