“A Hacker’s Back Door to Sabotage Networks”
The Wall Street Journal, September 25, 2015, p.B1
“On a sweltering summer day in San Jose, Calif., Scott Noteboom launched a cyberattack by exploiting a networking system vulnerability: the cooling system. An assistant, standing before a collection of networked computer gear plus a cooling fan, plugged a cable into a laptop. Soon a light on one of the boxes started flashing: The fan was in trouble. It clicked, then stuttered, then moaned to a halt. The equipment soon would have melted down—literally—had the attack occurred in a real data center. Mr. Noteboom isn’t a hacker. He is the founder of Litbit, a startup launched two years ago to address a widespread security threat that generally has gone unrecognized: The underlying equipment that typically supports data-center networks—backup generators, thermostats, air conditioners, and the like—are vulnerable to a cyberattack that would have the potential to take down the entire operation. These ‘industrial control systems’ are fixtures not only in data centers but in commercial buildings and factories. While networked computers are upgraded frequently, the equipment in this underlying layer may be on a refresh schedule measured in decades. They use hoary communication standards that lack basic security features such as password protection. Information-security personnel don’t expect those industrial systems to be wired to the computer networks they power or cool, yet they are often connected. … A recent survey by the security consultancy WhiteScope found nearly 20,000 such systems—including some for schools, hospitals, retailers and others—accessible through the Internet, no username or password required. … Although few attacks on such equipment have been reported publicly, the problem isn’t just theoretical. In late 2014, the U.S. Department of Homeland Security reported an ‘ongoing sophisticated malware campaign’ that had ‘compromised numerous industrial control systems’ from several manufacturers. 
Also last year, the German government said hackers had severely damaged a steel plant in that country by causing furnaces to malfunction. Similar methods were implicated in the 2010 Stuxnet attack, which The Wall Street Journal and others have attributed to U.S. and Israeli spy agencies, that destroyed approximately 1,000 uranium-enrichment centrifuges at Iran’s Bushehr nuclear power plant.”
Quickie analysis: Unfortunately, the computing infrastructure as a whole was not designed with cyberattacks in mind. This likely won’t be the last glaring security breach to be discovered.