The following article appeared in the Wall Street Journal at:
On a sweltering summer day in San Jose, Calif., Scott Noteboom launched a cyberattack by exploiting a networking system vulnerability: the cooling system.
An assistant, standing before a collection of networked computer gear plus a cooling fan, plugged a cable into a laptop. Soon a light on one of the boxes started flashing: The fan was in trouble. It clicked, then stuttered, then moaned to a halt. The equipment soon would have melted down—literally—had the attack occurred in a real data center.
Mr. Noteboom isn’t a hacker. He is the founder of Litbit, a startup launched two years ago to address a widespread security threat that generally has gone unrecognized: The underlying equipment that typically supports data-center networks—backup generators, thermostats, air conditioners, and the like—is vulnerable to a cyberattack that would have the potential to take down the entire operation.
These “industrial control systems” are fixtures not only in data centers but in commercial buildings and factories. While networked computers are upgraded frequently, the equipment in this underlying layer may be on a refresh schedule measured in decades. It uses hoary communication standards that lack basic security features such as password protection.
Information-security personnel don’t expect those industrial systems to be wired to the computer networks they power or cool, yet they are often connected.
“If you talk to these companies, they’ll swear up and down that their [industrial controller] networks are isolated” from their computer networks, including the Internet, said Seth Bromberger, owner of NCI Security LLC, which advises clients on network issues. “But many, many times, there’s a connection that the engineers are not aware of.”
Indeed, companies often configure the systems deliberately for remote access over the Internet. This lets workers retrieve data or adjust settings from a distance, but it also opens potential security holes in both the industrial controllers and the computer networks they support.
A recent survey by the security consultancy WhiteScope found nearly 20,000 such systems—including some for schools, hospitals, retailers and others—accessible through the Internet, no username or password required.
Although few attacks on such equipment have been reported publicly, the problem isn’t just theoretical. In late 2014, the U.S. Department of Homeland Security reported an “ongoing sophisticated malware campaign” that had “compromised numerous industrial control systems” from several manufacturers. Also last year, the German government said hackers had severely damaged a steel plant in that country by causing furnaces to malfunction. Similar methods were used in the 2010 Stuxnet attack, which The Wall Street Journal and others have attributed to U.S. and Israeli spy agencies, that destroyed approximately 1,000 uranium-enrichment centrifuges at Iran’s Bushehr nuclear power plant.
“Is [the concern] overblown? I don’t think so,” said Jason Brvenik, a principal engineer at networking hardware maker Cisco Systems Inc. “I think there is a little bit of alarmism, but we just saw a Jeep get disabled [by hackers] on a highway. That is not trivial.”
Some equipment makers have beefed up security. Rockwell Automation Inc. offers products that can log network activity and block instructions from unauthorized computers. General Electric Co. and Siemens AG have added similar capabilities to their industrial control products.