Hacker Hits Nuclear Plant
The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant's owners claimed, that their critical components could be accessed from the Internet. Lunsford, a researcher for IBM's Internet Security Systems, found otherwise.
"It turned out to be one of the easiest penetration tests I'd ever done," he says. "By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant. I thought, 'Gosh. This is a big problem.'"
In retrospect, Lunsford says--and the Nuclear Regulatory Commission agrees--that government-mandated safeguards would have prevented him from triggering a nuclear meltdown. But he's fairly certain that by accessing controls through the company's network, he could have sabotaged the power supply to a large portion of the state. "It would have been as simple as closing a valve," he says.
The disturbingly vulnerable system that Lunsford hijacked is powered by Supervisory Control and Data Acquisition software, or SCADA, a type of software made by companies including Siemens, ABB, Rockwell Automation and Emerson.
SCADA systems are used around the country to control infrastructure like water filtration and distribution, trains and subways, natural gas and oil pipelines, and practically every kind of industrial manufacturing. And as some security professionals are pointing out, those weaknesses are increasingly connected to the Internet, leaving large parts of America's critical infrastructure exposed to anyone with moderate information technology training and a laptop.
Not every SCADA sabotage scenario is so hypothetical. In 2000, Vitek Boden, a 48-year-old man fired from his job at a sewage-treatment plant in Australia, remotely accessed his former workplace's computers and poured toxic sludge into parks and rivers; he hoped the plant would re-hire him to solve the leakage problem.
"The government mandates fire sprinklers. Those cost builders money, but they save property and lives," says Jim Christy, director of future exploration at the Department of Defense's Cyber Crime Center. "If critical infrastructure is important to our national security, shouldn't there be minimum standards it has to meet?"
7 votes
