Here’s some worrisome internet video for the smart grid industry. Maltese cybersecurity outfit ReVuln has released video of what it says are a series of simple, online hacks of SCADA control platforms from giants like GE, Schneider Electric, Eaton, Siemens, Rockwell and Kaskad. Mark it as another clear sign that securing the smart grid starts with securing the previous generations of technology it rests upon.
ReVuln, which bills itself as a specialist in both “offensive and defensive security,” says its video demonstrates its ability to access and in some cases gain control of SCADA systems. These “zero-day” exploits, so called because they represent previously unknown vulnerabilities, are “server-side and remotely exploitable,” ReVuln claims, some via the internet, others from a computer within the internal network.
It’s the latest bit of unwelcome news for SCADA control vendors. Over the past few years, they’ve seen their software come under attack from various security and hacking groups claiming to be able to access and alter the operations of power plants, refineries, grid substations and other forms of industrial controls. Regulators and lawmakers have been taking notice, and the Obama administration has said securing the nation’s critical infrastructure from cyber-threats is a top priority.
We’ve covered the specific issues surrounding smart grid security, as well as reports of hacks -- some of them false alarms, others potential real-world intrusions by foreign actors. The Department of Homeland Security, which monitors the grid, has reported a massive increase in cyber-intrusions from foreign governments, private parties and “hacktivist” groups across the nation’s cyber infrastructure.
According to news reports, ReVuln hasn’t released details of how it has allegedly hacked the multiple SCADA systems named in its video. Instead, it plans to sell them to third parties, according to a report from TechWorld. Indeed, the company’s video is accompanied by a statement saying that “other 0-day vulnerabilities owned by ReVuln affecting other well known SCADA/HMI vendors have been not included in this video,” with emphasis on the word "owned."
The practice of selling the knowledge of cybersecurity vulnerabilities to governments or moneyed interests, seemingly out of the pages of spy fiction, is actually going on today, Phil Lin, product marketing director for cybersecurity company FireEye, said in a September webinar. ReVuln and French firm VUPEN, which both sell vulnerabilities openly to third parties, have come under strong criticism from the cybersecurity industry for the practice. Even so, industry experts say that this kind of trading of vulnerabilities, both to use now or to save for later, is likely far more common than openly reported.