A private encryption key embedded into widely used mission-critical routers could be exploited by hackers to attack electric substations, railroad switches, and other critical infrastructure, security researchers have warned.

The flaw, uncovered in devices made by Siemens subsidiary RuggedCom of Ontario, Canada, is the second this year to affect its Rugged Operating System. The firmware runs mission-critical routers that have been used by the US Navy, petroleum giant Chevron, and the Wisconsin Department of Transportation to help administer industrial control systems and supervisory control and data acquisition systems, which flip switches, turn valves, and manipulate other machinery in industrial settings. Rugged OS is fluent in both the Modbus and DNP3 communications protocols used to natively administer such ICS and SCADA gear.

According to security researcher Justin W. Clarke, every copy of Rugged OS contains the same private key, which is used to decrypt the secure-sockets-layer (SSL) communications sent by administrators who log into the devices. Anyone who extracts that key from one unit holds it for all of them, so an attacker who has compromised a host on the management network can eavesdrop on sessions and retrieve user login credentials and other sensitive details. Plenty of small and home office routers also contain private SSL keys. What's different here is that RuggedCom devices, which are designed to withstand extreme dust, heat, and other harsh conditions, are connected to machinery that controls electrical substations, traffic control systems, and other critical infrastructure.

"This is fairly typical in cheap consumer-grade embedded products, and has the unfortunate effect that easy Man-In-The-Middle attacks can be performed against products," K. Reid Wightman, an industrial control systems security expert for Digital Bond, wrote in a blog post published Wednesday. "For example, any compromised host on the switch management network can be used to spoof affected RuggedCom switches, meaning that the bad guy or gal could capture legitimate usernames and passwords for the switch."
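The practical check an operator can run against the weakness described above is to pull the certificate each device presents and compare the public keys rather than whole certificates: devices that share a firmware-embedded private key will expose the same SubjectPublicKeyInfo even if serial numbers or subject names differ. The following is an added example, not code from the article, RuggedCom, or Digital Bond. It uses only the Python standard library, carries a minimal DER walker to pull the SPKI out of a certificate, and builds three constructed, unsigned certificate shells (two sharing a modulus) as offline sample input; the host names and moduli are made up. The `fetch_cert_der` helper shows how a real inventory would be gathered, but the sample data never touches the network.

```python
import hashlib
import ssl
from collections import defaultdict


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int):
    """Read one TLV starting at pos; return (tag, body, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(body: bytes):
    """Yield (tag, inner_body, raw_tlv) for every element of a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, inner, end = der_read(body, pos)
        yield tag, inner, body[pos:end]
        pos = end


def spki_from_cert_der(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 DER certificate.

    Certificate     ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate  ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                   issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = der_read(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_body, _ = der_read(cert_body, 0)
    fields = list(der_children(tbs_body))
    if fields and fields[0][0] == 0xA0:  # explicit [0] version present
        fields = fields[1:]
    return fields[5][2]  # serial, sigalg, issuer, validity, subject, SPKI


def key_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the SPKI: identical keys match even when the cert differs."""
    return hashlib.sha256(spki_from_cert_der(cert_der)).hexdigest()


def find_shared_keys(inventory: dict) -> dict:
    """Map SPKI fingerprint -> hosts, keeping only keys seen on more than one device."""
    groups = defaultdict(list)
    for host, der in inventory.items():
        groups[key_fingerprint(der)].append(host)
    return {fp: hosts for fp, hosts in groups.items() if len(hosts) > 1}


def fetch_cert_der(host: str, port: int = 443) -> bytes:
    """Fetch whatever certificate a device presents (no chain validation; devices are self-signed)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def make_sample_cert(serial: int, cn: bytes, modulus: bytes) -> bytes:
    """Constructed, unsigned X.509 shell used purely as offline sample input (not a real cert)."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    sha256_rsa = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, cn))))
    validity = der_tlv(0x30, der_tlv(0x17, b"200101000000Z") + der_tlv(0x17, b"300101000000Z"))
    rsa_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))
    rsa_key = der_tlv(0x30, der_tlv(0x02, modulus) + der_tlv(0x02, b"\x01\x00\x01"))
    spki = der_tlv(0x30, rsa_alg + der_tlv(0x03, b"\x00" + rsa_key))
    tbs = der_tlv(0x30, version + der_tlv(0x02, bytes([serial])) + sha256_rsa + name + validity + name + spki)
    return der_tlv(0x30, tbs + sha256_rsa + der_tlv(0x03, b"\x00" * 33))


# Constructed sample: two "devices" whose firmware shares one key, one with its own.
SHARED_MODULUS = b"\x00" + bytes(range(0xB0, 0xF0))
UNIQUE_MODULUS = b"\x00" + bytes(range(0x10, 0x50))
INVENTORY = {
    "switch-substation-a.example": make_sample_cert(1, b"rs-a", SHARED_MODULUS),
    "switch-substation-b.example": make_sample_cert(2, b"rs-b", SHARED_MODULUS),
    "switch-yard-c.example": make_sample_cert(3, b"rs-c", UNIQUE_MODULUS),
}

if __name__ == "__main__":
    for fp, hosts in find_shared_keys(INVENTORY).items():
        print(f"key {fp[:16]}... shared by: {', '.join(hosts)}")
```

In a real audit the inventory would be `{host: fetch_cert_der(host)}` over the management network; any fingerprint group with more than one member is a key that cannot be trusted to identify a single device, and the fix is per-device keys, not a firmware update that merely rotates one shared key for another.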

It's the second time this year that San Francisco-based Clarke has uncovered flaws in the widely used device. In April, he disclosed an undocumented backdoor hard-coded into Rugged OS. The secret account, which used an easily determined password and couldn't be disabled, exposed the devices to remote tampering, and many of them are easy to locate using the Shodan computer search engine. RuggedCom later pledged to remove the backdoor.

Some researchers say ICS and SCADA companies such as Siemens and RuggedCom aren't doing enough to make their products safe for the companies or governments that rely on them. The critics cite real-world attacks from malware such as Stuxnet and Flame, which burrowed into supposedly secured networks by exploiting a variety of vulnerabilities. While some flaws appeared relatively minor in isolation, they were enough to compromise the overall systems when targeted as a whole.

The US Industrial Control Systems Cyber Emergency Response Team has asked RuggedCom to confirm Clarke's findings and identify steps customers can take to reduce risks. The advisory also stated that "control system devices should not directly face the Internet," but that reminder is often ignored, as the image above suggests.