If you thought hacking of vulnerabilities was limited only to computers and cell phones, the latest advisory issued by the Indian Computer Emergency Response Team (CERT-In) will give you some food for thought.
The advisory warns of two serious vulnerabilities that have been detected in Programmable Logic Controllers (PLCs), high-tech devices used in industrial machines for automatic performance.
The most serious example of PLCs being hacked was observed in 2010, when Israel exploited vulnerabilities in PLCs to hack and disable Iran's nuclear enrichment facility.
Almost every automatic machine in this day and age runs on a PLC, and successful exploitation of these PLCs could lead to the crash of entire industries, cyber expert say.
CERT-In’s advisory, which was issued on June 29 this year, states that two vulnerabilities, both classified as ‘High’ in terms of severity, have been detected in PLCs manufactured and sold by JTEKT, a Japan-based company that also has a branch in India. According to CERT-In, the vulnerabilities affect 17 different types of PLCs made by JTEKT.
“These vulnerabilities exist due to missing authentication for critical functions and insufficient verification of data authenticity. A remote attacker could exploit these vulnerabilities by sending specially crafted messages. Successful exploitation of these vulnerabilities could allow a remote hacker to execute arbitrary code, change control logic, disable communication links or perform denial-of-service condition on the targeted systems,” the advisory states.
PLCs are so named because they work on a pre-set ‘logic’, a reasoning that allows them to function the way they are supposed to. This logic can be programmed by an external party, which is ideally supposed to be the entity operating the concerned machines. The risk factor begins when an external attacker -- a hacker -- gains access to the PLCs and is in a position to change this logic. Once a hacker is able to do this, they can manipulate the machine run by the PLC for any purpose. PLCs, commonly known as industrial controllers, are used in every industry in this day and age, be it logistics, healthcare, aviation or defence.
Additional Director General of Police Brijesh Singh, who is among the country’s leading cyber experts, said, “Industrial controllers are legacy systems with hardly any security. These systems used to be analog, but once they were accessible over the internet, they got an IP address and hackers were able to discover them. Imagine an elevator programmed to take people up and down a building, and imagine what could happen if its PLC were to fall into the wrong hands.”
He added that there are entire repositories of vulnerable industrial controllers, along with custom made exploits for targeting each vulnerability, on the dark web.
“Not just this, there are specialised search engines which literally give you a list of open-to-hack devices on a map!” Singh said.
JTEKT, too, has confirmed both the vulnerabilities on its official website, stating that both these vulnerabilities exist due to lack of authentication capabilities in its products. JTEKT has also released detailed mitigation methods on its website that can be downloaded and followed.
What is even more serious, however, is that these two vulnerabilities are just the tip of the iceberg. They feature in a report released two weeks ago by private cybersecurity research group Forescout, which discovered 56 serious vulnerabilities, many of them classified as ‘critical’ in severity, in industrial controllers manufactured and sold by ten leading names in the field.
