Thursday, April 10, 2008

The power to take over power?

He did not disclose who the power company was, but Ira Winkler, a penetration-testing consultant, told an RSA audience that he and his team were hired by a power company to test their security, and within a day, using social engineering and a few browser exploits, they had total control of the network.
The penetration team started by tapping into distribution lists for SCADA user groups, where they harvested the e-mail addresses of people who worked for the target power company. They sent the workers an e-mail about a plan to cut their benefits and included a link to a Web site where they could find out more.

When employees clicked on the link, they were directed to a Web server set up by Winkler and his team. The employees' machines displayed an error message, but the server downloaded malware that enabled the team to take command of the machines. "Then we had full system control," Winkler says. "It was effective within minutes."
It's always the user that is the weakest link in the chain. Scary stuff really, and it makes you wonder how exposed the National Grid are to such things, or for that matter the GSI network. Of course, the "unhackable" ID register is a different matter right?

Read the full article here.

5 comments:

Anonymous said...

Wonder if this: http://blog.washingtonpost.com/securityfix/2008/04/reach_out_and_hack_someone.html triggered the penetration test

Pete Chown said...

One thing I'd add to this: the existence of vulnerable browsers on the network probably wasn't all that important. An email from the "IT department" telling users to visit a website and download an "important security patch" would probably have caught a few people too. Even if 99% of users realised it was bogus, the remaining 1% would give you a way in.

Anonymous said...

Probably the only answer to this is to have an air gap between strategic control systems and the public internet.

You'd have to apply patches and things using removable media, which could be compromised, but at least the bad guys would not be able to take actual control.

Of course a bit of decent user-education would help too, but as you point out, it's the weakest link that breaks, and there's always an idiot somewhere.

Anonymous said...

I appreciate it's a serious business but "penetration-testing consultant" sounds like something to impress the ladies with.

Anonymous said...

Anonymous said...
"Probably the only answer to this is to have an air gap between strategic control systems and the public internet."

Using the public internet for such control systems is (amongst other things) just trying to do it on the cheap. If it is as important as this, it should be on a private network. Essential national infrastructure and cheapskate cost savings should never be uttered in the same breath. But ... ...