A surprisingly large number of critical infrastructure participants—including chemical manufacturers, nuclear and electric plants, defense contractors, building operators and chip makers—rely on unsecured wireless pagers to automate their industrial control systems. According to a new report, this practice opens them to malicious hacks and espionage.
Earlier this year, researchers from security firm Trend Micro collected more than 54 million pages over a four-month span using low-cost hardware. In some cases, the messages alerted recipients to unsafe conditions affecting mission-critical infrastructure as they were detected. A heating, ventilation, and air-conditioning system, for instance, used an e-mail-to-pager gateway to alert a hospital to a potentially dangerous level of sewage water. Meanwhile, a supervisory control and data acquisition system belonging to one of the world’s biggest chemical companies sent a page containing a complete “stack dump” of one of its devices.
Other unencrypted alerts sent by or to “several nuclear plants scattered among different states” included:
- Reduced pumping flow rate
- Water leak, steam leak, radiant coolant service leak, electrohydraulic control oil leak
- Fire accidents in an unrestricted area and in an administration building
- Loss of redundancy
- People requiring off-site medical attention
- A control rod losing its position indication due to a data fault
- Nuclear contamination without personal damage
In their Tuesday report titled Leaking Beeps: Unencrypted Pager Messages in Industrial Environments, Trend Micro researchers wrote the following:
We were surprised to see unencrypted pages coming from industrial sectors like nuclear power plants, substations, power generation plants, chemical plants, defense contractors, semiconductor and commercial manufacturers, and HVAC. These unencrypted pager messages are a valuable source of passive intelligence, the gathering of information that is unintentionally leaked by networked or connected organizations.
The report continued:
Taken together, threat actors can do heavy reconnaissance on targets by making sense of the acquired information through paging messages. Though we are not well-versed in the terms and information used in some of the sectors in our research, we were able to determine what the pages mean, including how attackers would make use of them in an elaborate targeted attack or how industry competitors would take advantage of such information.
The power generation sector is overseen by regulating bodies like the North American Electric Reliability Corporation (NERC). The NERC can impose significant fines on companies that violate critical infrastructure protection requirements, such as ensuring that communications are encrypted. Other similar regulations also exist for the chemical manufacturing sector.
Despite the sensitivity of the data and the confidentiality requirements state and federal governments impose on many of the companies, the pages were easy to intercept. Using a technology known as software-defined radio and a $20 dongle, the researchers were able to monitor pages in real time. Besides safety alerts, other examples of sensitive information transmitted included the names and e-mail addresses of employees (including high-ranking executives), delivery tracking numbers, and project names.