How Hackers Could Target Power Plants

Gen. Keith Alexander, the director of the National Security Agency, has warned administration officials that Anonymous — the loosely organized, computer-hacking collective — could have the ability to knock out power stations within the next few years. That's according to The Wall Street Journal.

Independent hackers and cyber security researchers have demonstrated the ability to take control of the basic machinery that is built into many power plants and water treatment facilities.

This summer at Black Hat, an annual cyber security and hacking convention, Dillon Beresford, a researcher at NSS Labs, revealed a backdoor into programmable logic controllers, or PLCs, made by Siemens. These controllers, known as SCADA devices, are used as switches that control industrial equipment all over the world — including at power plants and some nuclear facilities.

Beresford was inspired by the coverage of the Stuxnet virus, which reportedly disabled parts of Iran's nuclear program. At the time of that attack, many commentators said it was so sophisticated that it had to be the work of a government organization. Beresford disagreed, so he set out to replicate that kind of attack by himself.

He did.

Beresford found a backdoor built into Siemens devices likely intended for diagnostic purposes. He said it took him only two and a half hours to write exploit code that allowed him to take control of the programmable logic controllers.

"An attack on PLCs for 24 hours could cause it to blow up a plant," he said. "It's not just the spooks who have these capabilities. Average guys sitting in their basements can pull this off."

Beresford shared his findings with both Siemens and the Department of Homeland Security before publishing them. Siemens worked with him to better understand the threat and resolve it.

Industrial experts say taking control of a single switch in a plant — or even a family of switches — may not be enough to create a disruption, a power outage or an explosion. To ensure that an attack did real-world damage, a hacker, terrorist or state actor would need detailed engineering knowledge about the target plant.