The United States government are launching an investigation into claims that there are “flaws” in Siemens networking equipment that could enable hackers to attack power plants and other critical systems.
A security expert claims that he found a “back door” into Siemens hardware via a subsidiary RuggedCom. The equipment is widely used by power companies.
The Department of Homeland Security said it has made contact with the firm to assess the claim. The alleged flaw claim was made by a security researcher Justin W Clarke at a conference in LA, who said that the firm used a single software key to decode traffic that it encrypted across its network, and he had found a way to extract this key.
“If you can get to the inside, there is almost no authentication, there are almost no checks and balances to stop you,” Mr Clarke said.
He said that if hackers could access the communications of infrastructure operators, there may be a possibility that they could obtain credentials to access systems used to operate power stations and other infrastructure.
Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said it was aware of it’s findings. “According to this report, the vulnerability can be used to decrypt SSL traffic between an end-user and a RuggedCom network device,” read the advisory.
It said that it had “notified the affected vendor of the report” and had asked it “to confirm the vulnerability and identify mitigations”.
Justin W Clarke had been researching the issues in it’s spare time and made purchases of RuggedCom equipment using eBay. This is not the first time that Mr Clarke has found and reported bugs in products from Siemens, and in May this year the company released a software update as a result of his earlier finding.
The issue of cyber-attacks on US critical infrastructure is a growing problem, although there has been no reported attacks of any damage caused.
Earlier this year the country’s National Security Agency reported that there had been a 17-fold rise in the number of attempted attacks between 2009 and 2011.
ICS-CERT has also reported that 90 vulnerabilities have been identified this year, up from 60 in 2011.
The Stuxnet virus had targeted a uranium enrichment facility in Iran and countries around the world have been alerted to the threat, furthermore earlier this month another type of malware – dubbed Shamoon- had struck at least one organisation in the energy sector.