DHS warns Siemens 'flaw' could allow power plant hack
The U.S. Department of Homeland Security is probing Siemens' technology that may allow hackers to attack critical infrastructure, such as power plants.
The U.S. Department of Homeland Security has issued an alert warning that hackers could exploit code in Siemens-owned technology to attack power plants and other national critical infrastructure.
Security researcher Justin Clarke exposed the flaw at a Los Angeles conference last week, claiming he discovered a way of spying on encrypted traffic in hardware owned by a Siemens subsidiary, RuggedCom.
The DHS advisory noted: "An attacker may use the key to create malicious communication to a RuggedCom network device."
DHS added that the government department was in contact with RuggedCom and the researcher in order to identify the flaw and find a resolution to the vulnerability.
Clarke said that the Siemens-owned technology maker used a single software key to decode encrypted traffic that flows across its network, and that he had discovered a way to extract the key, which could then be used to send malware or credentials to the critical systems.
"If you can get to the inside, there is almost no authentication, there are almost no checks and balances to stop you," Clarke said, according to Reuters.
According to the BBC, this is the second time Clarke has reported a flaw in RuggedCom's technology after purchasing the firm's second-hand equipment from eBay. RuggedCom updated its software after Clarke found the first 'backdoor' that would have allowed hackers to access equipment remotely with an easily extracted password.
Though the risk of cyberattacks continues to plague governments around the world, there have been no reports of successful attacks on U.S. critical systems yet.
Iran is known to have suffered from the Stuxnet malware, which caused physical damage to its nuclear facilities and came in response to global concerns that Tehran was building a nuclear bomb. Similar malware, dubbed Flame, was described as the "most complex" cyberweapon ever discovered by Kaspersky Lab.