Lights security doesn’t have to be light security

Megacities around the world no longer consider operational technology (OT) as a standalone system when it comes to city operations. As metropolises change over to a “smart cities” model by connecting most of their critical infrastructure into one major operational network, they also face greater exposure to certain cyber threats.

SCADA and ICS infrastructure are considered dinosaurs as far as their technology goes. They use old operating systems, old-fashioned authentication techniques, non-security-oriented networks, and many other outdated systems expose them to modern threats. Up until a few years ago, OT assets were relatively protected from cybersecurity threats since OT infrastructure wasn’t integrated with any of the city’s IT systems. But, due to the smart cities revolution, which has led to the interconnectivity of OT and IT, they are now exposed to the same risks that the IT world has been facing for years.

During a recent successful POC, BugSec exposed the vulnerabilities within the lighting system of a major European city. Our team was able to use remote code execution on a specific server, and after a few lateral moves, could eventually control the city’s entire lighting system.

This is how it’s done:

During a standard penetration test on a web application used for soccer ticket sales, BugSec gained access to a vulnerable server through remote code execution (RCE). In a short time, we had full control. We then performed a quick lateral move within the system and gained access to an operator workstation, which controls the lighting system of the whole soccer stadium. From there, we could easily connect to the city’s major lighting system network. This led us to understand the immense vulnerabilities of this system and just how easy it would be for a malicious hacker to take over the city’s lighting network, leading to a game-over situation.

This demonstrates how cybersecurity is extremely non-mature when it comes to SCADA and ICS systems, and proves that for many reasons SCADA and ICS manufacturers aren’t paying attention to security issues as they seem to be following an ancient perspective where security equals non-operation. This notion, of course, doesn’t jive with modern technology or with the integration of OT and IT systems. BugSec’s POC, along with other similar ones and real breaches within the SCADA and ICS industry, are a strong proof point that the time for change has arrived.