You can touch — and hack — this water or power plant
- November 22, 2019
- Posted by: Kerry Tomlinson, Archer News
- Categories: Archer News, Cyberattack, Hacking, Industrial Control System Security, Power Grid
It’s National Critical Infrastructure Security and Resilience Month, a time to focus on the crucial systems that run your world and how to keep them secure.
We talk to a founder of the Industrial Control Systems Village about why he feels so passionate about protecting these industrial computers and machines.
A tank of water fills and empties, directed by industrial computers.
If this were your drinking water, you’d be in trouble.
Cyber attackers are about to shut down this industrial plant, crawling their way in through Internet connections and malware.
Luckily, it’s not your water. But it’s close.
“Everything here is real,” said Tom VanNorman, director of engineering services at Dragos and one of the founders of the Industrial Control Systems — or ICS — Village, a model plant that can pack up and travel around the world.
VanNorman helps run this portable chunk of factory, water plant, or power plant at conferences and gatherings, showing how industrial systems work.
“It’s miniaturized, it’s much smaller, it’s limited, but,” he told Archer News, “when we built this, we wanted to make it actual industrial hardware.”
Why do you care if it’s real?
These devices, cables and computers run everything you depend on, from your water to your electric power.
Let cyber invaders in — and your world can shut down.
“We don’t want that to happen. That’s a bad day,” VanNorman said.
(See also: “What is a PLC?” and “This critical industrial device is a target for hacking”)
VanNorman not only shows the ICS Village, he encourages people to touch it and hack it, so they can learn what attackers may already know.
“We put together an attack that shows somebody remoting into the network,” he said. “We execute the file and it turns off our pumps.”
“We want people to do stuff on here, not on a real system,” he added.
Office vs. Industry
Hack an office computer and you may get passwords and bank account numbers.
Hack an industrial computer?
“When we attack these, we’re dealing with health, life and safety,” VanNorman explained. “You will make people sick, you will kill people, you will make things go ‘boom.’ So, it’s important to know the difference in what happens with these networks.”
At the 2019 RSA cybersecurity conference in San Francisco in March, one of the rooms buzzed with chatter and music.
The ICS Village was on display for college students studying cybersecurity.
They gathered around the wall of devices to see and hear how it works.
“It is a very scary thought because everything nowadays is controlled by computers,” said Michaela Adams from Embry-Riddle Aeronautical University in Prescott, Arizona.
“Knowing that they can possibly change what goes into the water, when to cut the power, it’s definitely a very critical sector within our government and within the public right now,” she told Archer News.
But she is not deterred.
“I would like to protect the public in some way through cybersecurity. That’s always been a dream of mine.”
“We need to be bringing new people into this field,” VanNorman said. “Let’s educate everybody here and keep people interested.”
“It’s a Passion”
The ICS Village is heavy and expensive to ship from place to place.
It has traveled to Las Vegas, Houston, Boston, New York and more.
It’s a massive investment of time and energy for VanNorman and his colleagues, including fellow founding members Larry Vandenaweele, Bryson Bort and Beau Woods.
“This is a lot of work,” VanNorman said. “We’re volunteers and none of us make any money off of this. And it’s a passion.”