A study conducted by researchers at New York University, and presented at the Black Hat security conference, has emphasised the vulnerability of the world’s power systems, highlighting the surprisingly meagre cybersecurity of their operating systems.
The researchers underscored the extent to which power systems are vulnerable by providing a “structured methodology towards attacking a power system on a limited budget”. The goal of the report was to challenge the prevailing assumption that only sophisticated attackers would have the know-how to hack into a power system.
In a briefing, the authors of the report said: “It is electrifying what you can find on the internet if you know what to look for. We will demonstrate information obtained from the web that can be leveraged to model and analyse a target power system, and how we can use this information to model power systems throughout the globe.”
In order to illustrate this claim, the researchers uncovered a crucial weakness in several of General Electric’s devices called ‘multilin’ products, which are used to monitor, protect and control power grids. Such devices are widely used in power systems around the world and play a central role in the safety of a grid, as well as providing a reliable provision of power to everyday customers.
“The goal of the report was to challenge the prevailing assumption that only sophisticated attackers would have the know-how to hack into a power system.”
The researchers explained: “Essentially, we completely broke the home brew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations.”
In the wrong hands, this information could empower an attacker to command a power grid in several crucial ways, enabling them to disconnect entire sections of the grid or damage the system itself.
Critically, remote control devices are playing an increasingly central role in power systems due to their ability to modernise energy distribution. They hold the potential to generate huge efficiency gains by improving visibility of operations, as well as enabling monitoring on a wider scale.
And yet, these ‘smart’ devices are also opening the door to new vulnerabilities; a state of affairs being further exacerbated by the fact passwords tend to be weakly encrypted.
The researchers identified six specific products that were affected by this particular vulnerability, and General Electric has since issued firmware updates to avoid any related issues upon the publication of the research.
The paper also put forward several mitigation strategies to avoid similar issues, including advocating that control devices should be shielded by firewalls, and recommending control system networks remain independent from the public internet.