Combined heat and power plants and district energy schemes in Europe are being left wide open to exploitation by hackers, according to an investigation being carried out by German police.

SC Magazine quoted a report by German IT news publication Golem about Berlin Police’s Internet Wache. The police agency noted that researchers were able to access the control systems of waterworks, cogeneration units, interfaces for building automation and other industrial control systems (ICS).
The researchers started the investigation after they discovered certain patterns in HTTP headers in these control systems and then programmed a Python script and used ZMap to find public IP addresses.

“Most allowed read access without special authentication. Some systems even allowed access to controls, among which were German waterworks,” said the report. “Attackers can not only capture important data from critical systems, the systems are also vulnerable, and can be manipulated under certain circumstances, paralysed or even damaged. And not just the systems themselves are in danger, but also people or plants in their environment.”

The report added that most operators were oblivious to how exposed their operations are.

Among the vulnerable infrastructure were a district heating scheme in Rome, combined heat and power plants in Germany and Austria, and a smart building housing luxury apartments in Israel.

Since the investigation, the researchers said that Germany’s BSI informed operators of these systems and stopped public access to systems. However, not all operators took their systems off the public internet immediately.