Reid Wightman, a security researcher, has discovered that internet-connected operational technology can ‘easily’ be attacked and damaged.
Operational technology that is connected to the internet can be attacked and damaged with relative ease, according to new research.
Reid Wightman, a security researcher at Digital Bond Labs, found that variable-frequency drives (VFDs) can be compromised remotely by a cybercriminal. Worryingly, this can be achieved with little effort.
Mr. Wightman noted that VFDs, which are used to control the speed of motors in mining machinery, as well as in fan and pump applications, lack basic security features.
In an interview with Wired he reported one major flaw in this technology: the drives have read and write capabilities that can easily be modified. Fundamentally, no authentication is required to change these settings.
Moreover, the developers that were analyzed as part of this study were noted for exposing too much information when it came to some of the operational functionality of the drives.
For example, while the top speed of a motor is made visible to ensure that operators stay within a safe boundary, it is also, within the context of this investigation, possible for remote attackers to get hold of this data.
“I would ask why they need to make this setting writeable over a network protocol,” Mr. Wightman queried in his discussion with the publication. “Why would an operator ever need to change this setting?
“That’s not something you would be changing while the device is running … it’s something you might change when you swap out the motor but not when it’s operating. Somebody thought it was a good idea.”
Recently discussing the re-emergence of the BlackEnergy trojan, Robert Lipovsky, a senior malware researcher at ESET, commented that connecting an industrial system to the internet can introduce certain risks.
He said: “Without getting into the details, this interconnection exposes the industrial control system to the very same threats that common PCs face – but with much fewer options for defense.
“Take patching as an example: proper software patching is much more problematic with industrial systems. They tend to be heavily customized and they are often always on.”