Evil hackers with state-of-the-art computers gain remote control of a power plant and blow it up, killing many people and threatening more mayhem if a huge ransom is not paid.

It's a storyline straight out of a Hollywood action movie but those attending two of the world's biggest hacking conferences this week learned that such a scenario is not as outlandish as one might think.

Some of the most alarming research released at the Black Hat and Defcon conferences in Las Vegas reveals vulnerabilities in the aging computer systems that run power plants, chemical factories, water distribution systems and other industrial facilities around the globe.

Boutique research firm NSS Labs uncovered a back door in industrial control systems from Germany's Siemens AG that could allow hackers to wreak havoc on nuclear power plants, oil and gas pipelines, water treatment systems, pharmaceuticals factories and other critical infrastructure.

The back door is an undocumented access point: anyone who can reach the controller over the network with widely available telnet software can log in with a six-character password that is the same on all Siemens systems and cannot be changed.

"You get full control," said NSS Labs Chief Executive Rick Moy. "Things could go boom. Pipelines could explode if the pressure isn't monitored properly. Hazardous chemicals and fluids could leak out."

Siemens spokesman Alexander Machowetz said the company was looking into the matter. "We are not aware of any real case of a hacker taking influence on a controller in one of our customer's facilities," he said.

The new research from NSS comes after the firm disclosed another security flaw to Siemens in May, which the German company said it addressed with a software update.

Last summer, researchers discovered the Stuxnet virus, a computer worm designed to attack Siemens industrial control systems, known as Supervisory Control and Data Acquisition (SCADA) systems, that operate complex factory machinery.

Stuxnet was used to attack a nuclear enrichment facility in Iran in a blow to the country's nuclear program. Some experts have described Stuxnet as a guided cyber missile aimed at Iran's atomic program.


Many industrial plants were built decades ago and then later hooked up to the Internet to make them more efficient. In the rush to embrace the Web, engineers left holes in their systems that hackers have started to exploit.

"They stayed away from the security community. They wanted to do it themselves. Now they are wide open," said Rick Howard, general manager of VeriSign Inc's iDefense division and one of the researchers speaking at Defcon on securing critical infrastructure.

Security experts from government agencies and big corporations attend the Black Hat and Defcon conferences every year, crowding into sessions alongside hackers, many of whom use their skills to promote security and fight cyber crime.

At meetings that run through Sunday, they talked about headline-grabbing attacks, such as the massive cyber espionage campaign disclosed by Intel's McAfee security software unit, in which 72 organizations around the world were infiltrated.

Howard gave a presentation on Saturday on Stuxnet, the first piece of malicious software to surface that was designed to attack an industrial control system.

The U.S. Department of Homeland Security warned Congress last month that hackers likely are adapting the code in Stuxnet to build new weapons that could launch attacks on industrial control systems anywhere in the world.

Jerome Radcliffe, an expert on Stuxnet, said many of the passwords in such systems are hard-coded into the devices, meaning they cannot be changed. That makes them easy prey.

A diabetic, Radcliffe relies on a computer to measure his blood-sugar levels and dose him with insulin as needed. He hacked into that system and figured out a way to send it erroneous dosing instructions or order it to shut down.

He said hackers could use a similar approach to attack machines used to distribute water to millions of homes.

"My insulin pump is a good human story," Radcliffe said. "It's a one-person deal. But if I could shut off the water for an entire city, that's a disaster."


Three other hackers say they worked out how to remotely open and close prison-cell doors. These systems are controlled by the same type of computers as many industrial control systems, known as PLCs, or programmable logic controllers.

The independent hackers conducted their research after spending just $500 to buy a used PLC on eBay and $2,000 for software from its manufacturer, Siemens. They identified security holes and discovered how to take advantage of them to launch an attack.

So far the hackers -- a father-daughter pair and their friend -- have not tested their theories on a real prison but toured one facility, which they declined to identify.

They said they saw a prison guard using the computer that controls the PLC to check his Google email, which could potentially give hackers a path to launch an attack.

"This is a real threat. It's not something theoretical," said one of the hackers, Tiffany Rad.
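Two of the exposures described above can be checked for from ordinary connection logs: telnet sessions reaching a controller (the unchangeable-password back door makes any telnet-reachable PLC a liability) and control-network workstations talking to the public internet (the guard reading Gmail on the PLC workstation). The following is an added illustration written for this page, not code from the article or from any of the researchers or vendors it names. The subnets, host addresses and log lines are constructed for the example.

```python
"""
Flag two behaviours the article describes as risky, using a constructed
sample of connection logs:

  1. Any TCP/23 (telnet) session to a host on the PLC subnet. Sessions from
     an approved engineering host are reported separately from sessions
     from anywhere else, but both are reported.
  2. Any host on the control network opening a connection to a public
     (non-private) address, e.g. an HMI workstation used for webmail.

All subnets, hosts and log lines are made up for this example.
"""
import ipaddress
from dataclasses import dataclass

PLC_SUBNET = ipaddress.ip_network("10.20.0.0/24")          # assumed controller VLAN
CONTROL_NET = ipaddress.ip_network("10.20.0.0/16")         # assumed whole OT address range
ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.5.10")}   # assumed approved engineering station
TELNET_PORT = 23

# Constructed log format: <timestamp> <src ip:port> -> <dst ip:port> <proto>
SAMPLE_LOG = """\
2011-08-06T10:00:01Z 10.20.5.10:51234 -> 10.20.0.17:23 tcp
2011-08-06T10:00:05Z 10.20.5.44:51235 -> 10.20.0.17:102 tcp
2011-08-06T10:01:12Z 192.168.99.3:40001 -> 10.20.0.18:23 tcp
2011-08-06T10:02:00Z 10.20.5.44:51236 -> 74.125.226.103:443 tcp
2011-08-06T10:02:30Z 10.20.5.44:51237 -> 10.20.5.1:53 udp
"""


@dataclass(frozen=True)
class Finding:
    rule: str   # short name of the rule that fired
    line: str   # the log line that triggered it


def parse_line(line):
    """Split one constructed log line into its typed fields."""
    ts, src, _arrow, dst, proto = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return (ts, ipaddress.ip_address(sip), int(sport),
            ipaddress.ip_address(dip), int(dport), proto)


def analyse(log_text):
    """Return a list of Findings, in log order, for the two rules above."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        _ts, sip, _sport, dip, dport, proto = parse_line(line)

        # Rule 1: telnet to a controller. The password cannot be changed, so
        # even "legitimate" telnet is worth knowing about.
        if proto == "tcp" and dport == TELNET_PORT and dip in PLC_SUBNET:
            who = "engineering host" if sip in ENGINEERING_HOSTS else "UNEXPECTED source"
            findings.append(Finding(f"telnet-to-plc ({who})", line))

        # Rule 2: a control-network host reaching a public address.
        if sip in CONTROL_NET and dip.is_global:
            findings.append(Finding("control-host-to-internet", line))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.rule:40s} {f.line}")
```

On the constructed sample this reports the engineering station's telnet session, a telnet session to a controller from an address outside the control network, and the workstation's outbound HTTPS connection; the PLC protocol traffic on TCP/102 and the internal DNS lookup pass silently. In practice the log source would be a firewall, a span-port sensor or flow export from the OT segment, and the address ranges would come from the site's asset inventory.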

(Reporting by Jim Finkle; Editing by Tiffany Wu and Bill Trott)