By Joseph Menn
SAN FRANCISCO (Reuters) - Until a few days ago, anyone who had done a bit of digging into the security of industrial control systems could have reached into the website of a Kansas agricultural concern and turned off all its windmills.
The owner had left the system connected to the open Internet without any password protections, despite warnings from Canadian manufacturer Endurance Wind Power. A cyber researcher found the vulnerability along with thousands of other exposed industrial controls, many of them in critical facilities.
"I advise people that it's the digital equivalent of sending your 12-year-old daughter to school without pants, but farmers aren't big on our required security," said Mike Meehan, an engineer at Endurance contacted by Reuters. He said he would contact the customer and use the discovery to urge other Endurance clients to limit connections to secure networks.
The research that found the lapse came from one of two new studies on the security of industrial controls that were provided to Reuters in advance of their public release at the Black Hat security conference being held this week in Las Vegas.
The research buttress concerns that critical national infrastructure in the West is more vulnerable to hacking attacks now than two years ago -- despite its status as a top cybersecurity priority for the White House and other parts of the federal government.
Eireann Leverett, the researcher who found the Endurance customer, wrote in a master's thesis last year that he had found 7,500 control devices connected to the Net, more than 80 percent of which did not require a password or other authentication before allowing a visitor to interact with the machines.
In his more recent work to be presented at Black Hat, Leverett said he found 36,000 such connected devices, including some in power plants. He said he wanted to "demolish the myth" that control systems are generally safe because of an "air gap" between them and the Net.
Ruben Santamarta, who is also presenting a paper at Black Hat, focused on smart meters, which measure and control electricity use. Smart meters are supported by utilities and governments worldwide because they can improve efficiency in consumption and report patterns back to energy providers.
Working from instruction manuals in a lab, Santamarta found a "back door" in one of the most popular types of smart meter, the ION product line made by Schneider Electric <SCHN.PA> of France. It was a reserved factory login account that enabled the company to change billing records and update the software.
After some more digging, Santamarta discovered that the passwords are computed from the serial number of the devices, which can be discovered by attempting to connect to them.
"Once you have access to the smart meter you can do anything," Santamarta said. "You could sabotage it to disrupt the power in the facility" or install a spying program.
Santamarta contacted Department of Homeland Security (DHS) officials and Schneider, which has already made some patches available. Schneider did not respond to a request for comment.
FRONT AND CENTER
The annual Black Hat conference, which runs through Thursday, comes as U.S. President Obama renews his push for a comprehensive cybersecurity bill with infrastructure protection as its centerpiece.
Reports of cyber-intrusions into water, energy and other infrastructure facilities leaped to 198 in 2011 from 41 the previous year, according to the DHS. Those incidents include common criminal infections and email-based attacks aimed at stealing corporate information through malicious attachments.
Though deliberate manipulation of industry controls by outsiders remain rare, experts and officials are concerned that it is only a matter of time before other countries, criminal gangs, terrorists or pranksters wreak havoc on dams, power plants or water treatment facilities.
The vulnerabilities are much harder to correct than those in standard software used by consumers and ordinary businesses, they say. Software for controlling industrial activity including generators, pumps and valves can remain in place for a decade or longer, making the improvement cycle slow.
In addition, many control devices and software were designed without a thought that they would ever be connected to the Internet, so they were built with minimal security.
A number of researchers have known for more than a decade about the pervasive problems. Black Hat founder Jeff Moss said that as a teenager, he discovered a dam that had never changed the default username and password on its control software, so that anyone who connected and ran a password-cracking program could have opened the gates.
Moss said he and others warned some facilities and manufacturers, and kept quiet to the public. But after the Stuxnet worm used industrial control vulnerabilities to disable Iranian centrifuges two years ago, there has been a rush to publish such findings.
"That's going to be the pain that forces the sector to reform," Moss said.
A convoluted regulatory structure makes it difficult for authorities to insist that owners of critical infrastructure meet basic standards.
On Friday, for example, the Department of Energy released a security "self-evaluation tool" for utilities, in hopes that private companies will want to investigate their own defenses and anonymously let regulators know how well they are doing. Officials said the voluntary tool was part of a "roadmap" for getting to energy sector cybersecurity that was published in September by a joint industry-government group.
That roadmap calls for solid defenses to be in place against critical attacks by 2020, nine years after publication.
Department of Energy spokeswoman Keri Fulton said the new tool was a sign that the government is not content to wait until 2020. "This is something that we are taking very seriously. We are trying to take concrete steps right now."
The DHS, the lead U.S. authority for cybersecurity in the country, declined interview requests.
Though many owners of control devices do not realize that their systems are hooked up to the Net -- and their regulators can be likewise oblivious -- a new generation of tools is making it easy for researchers and adversaries to find them.
Chief among them is Shodan, a specialized search engine that checks for connections and can be asked to look for just one brand of software at a time, such as one known to operate dams.
A majority of the devices Leverett found, like the Kansas windmills, would not be considered "critical" to national safety or the economy -- some 26,000 were heating, cooling and ventilation controls, which would only be vital if they were needed to do such things as prevent a key mine from overheating or keep a nuclear plant cooled. But these network weaknesses could give an attacker a foothold to reach more core processes.
Leverett, who now works for security firm IOActive, said that internationally he identified four devices inside power plants, two in hydropower plants, and one in a geothermal plant.
Both Santamarta and Leverett said that the core problem isn't any one company but the prevailing architecture in the control-software industry, which will take a long time to change without concerted demands by governments or private customers.
"It's not the only back door I've found," Santamarta said. "The attack surface is massive."
(Reporting by Joseph Menn, editing by Tiffany Wu, Gary Hill)