Hackers say cracking power grid tech was easiest challenge yet 

"The security is lagging behind badly."

White hat hackers won $40,000 for cracking a system used by most major industrial companies, including the ones that manage our power grids — and they told MIT Technology Review it was ridiculously easy.

The challenge: Industrial control systems — the hardware and software used to control power grids, water treatment facilities, and other critical infrastructure — are an alluring target for cybercriminals.

Because so many people rely on this infrastructure, hackers can ask for and receive large ransoms in exchange for ending an attack. Those motivated by politics, meanwhile, can weaken an enemy by disrupting its citizens’ access to electricity or water.

That’s made preventing attacks on industrial control systems a top concern for cybersecurity experts.

“As the destruction or corruption of these control systems could cause grave harm, ensuring their security and resilience must be a collective effort that taps into the innovation, expertise, and ingenuity of the [industrial control systems] community,” said Jen Easterly, director of the US’s Cybersecurity and Infrastructure Security Agency.

White hats: One way to protect industrial control systems (and other tech) from hackers is by holding contests in which “white hat” hackers try to break into the systems in exchange for prizes. 

Any vulnerabilities that are exposed during the contests can then be fixed before cybercriminals exploit them.

One of these contests — Pwn2Own Miami 2022 — just took place April 19-21, and the results aren’t exactly encouraging for those of us who like reliable electricity and water: nearly every industrial control system targeted during the contest was hacked.

Low-hanging fruit: Dutch researchers Daan Keuper and Thijs Alkemade took home the biggest prize of the event — $40,000 — for hacking OPC UA, a communications protocol commonly used by industrial companies.

“OPC UA is used everywhere in the industrial world as a connector between systems,” Keuper told MIT Tech Review. “It’s such a central component of typical industrial networks, and we can bypass authentication normally required to read or change anything.”

Keuper said he and Alkemade needed “just a couple of days” to figure out their hack of the industrial control system — for comparison, Keuper spent three weeks working with a partner to hack an iPhone 4S in 2012.

“In industrial control systems, there is still so much low-hanging fruit,” Keuper said. “The security is lagging behind badly.”

Looking ahead: Now that the latest Pwn2Own contest is over, the makers of the industrial control systems targeted during it can work to fix any vulnerabilities detected by the hackers.

“We saw some amazing exploits, and I know vendors are already hard at work developing patches for the bugs we disclosed to them,” Dustin Childs, who hosted the event, told the Daily Swig. “We are pleased with the growth we saw this year, and we’d love to see that continue.”

“Ideally, we can partner with more vendors within the ICS/SCADA community to ensure we have the right targets and get them the best bugs possible to fix before they are exploited by threat actors,” he added.
