According to Robert Lee, a security researcher and active-duty U.S. Air Force Cyber Warfare Operations Officer, nuclear power plants aren't impenetrable to hackers. His research, which will be presented at the Black Hat conference next week, shows how cyber attackers can take full control of a facility by exploiting a vulnerability in its Industrial Ethernet Switches (IES). To disclose and fix the vulnerability, Mr. Lee worked with risk researcher Eireann Leverett, security consultant Colin Cassidy and four of the biggest industrial switch vendors: Siemens, General Electric, GarrettCom and Opengear.
In case you're unfamiliar with the subject, here is the short version: while very rarely used in homes, Industrial Ethernet Switches are responsible for maintaining network connections in factories, ports, refineries and basically all kinds of industrial organizations. These devices appear to be poorly secured, exhibiting a wide array of issues such as a lack of proper authentication for firmware updates and hard-coded encryption keys. Add human mistakes such as default or weak passwords, and you will understand how hackers could quite easily get in. Once inside the system, the attackers can take full control of the entire facility and even cause a critical failure.
In Mr. Lee's words, “Anything that the facility is capable of in its natural operating system, you’re (the attacker) capable of doing — and doing damage with if you control the network. With a power station, you can have major repercussions. With a hydroelectric dam, if you don’t monitor processes in a normal situation, it’ll spin out of control. Everything you have can be manipulated.” However, despite his warning and his actual demonstration of how such an unfortunate event can happen, companies and researchers may or may not be working on a way to fix this problem. “What we don’t have is awareness,” said Lee. “There is a massive lack of security awareness in the industrial control systems community.” Since we're talking about actual nuclear plants, such lackadaisical behavior can endanger us all.