Experts Hack Power Grid in Less Than a Day
bednarz writes "Cracking a power company network and gaining access that could shut down the grid is simple, a security expert told an RSA audience, and he has done so in less than a day. Ira Winkler, a penetration-testing consultant, says he and a team of other experts took a day to set up attack tools they needed then launched their attack, which paired social engineering with corrupting browsers on a power company's desktops. By the end of a full day of the attack, they had taken over several machines at the unnamed power company, giving the team the ability to hack into the control network overseeing power production and distribution."
What's wrong with the good old fashioned "lying" or "scamming"? Fucking con-artists trying to sound legit.
bzzt.
Not really though. A good team of social engineers (con men) and CS people can accomplish many, many things... How can you prevent such things? Ridiculously strong security? Require the security guard at my place of employment to scan my ID each and every time I walk in the building? Is he supposed to also stop law enforcement from going in without clearance from HQ? I'm quite serious, what would be an effective way to stop these tactics? Everything I think of is either too impractical for most situations or prone to the same failures, but at different points.
If you are about to mod me down, keep in mind that this post was most likely sarcastic.
Hope it wasn't some hacker who really caused the 2003 blackout.... http://en.wikipedia.org/wiki/2003_North_America_blackout
Why wouldn't the power company use a private network? Why is there EVER a need to have access to those systems over the internet?
Realistically, no part of a nation's critical infrastructure should be networked (other than the internet itself). That seems pretty obvious.
Google can help you pick your target.
http://www.google.com/search?q=%40ercot.com&btnG=Search&hl=en&safe=off&rlz=1B3GGGL_enUS264US264
That's a search for "@ercot.com", and if you don't know, ERCOT runs the Texas power grid market. There's another one for the East grid, and another for the West. You can find them yourself.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
An attack on a control point of the power grid could cause millions in damage if properly executed, and possibly cost lives from extended loss of power. I'd like to think the power grid has built-in protections to keep a 'bad node' from ruining several others, but it just might not... seeing as how companies build for economy before they build for safety.
Even something as simple as opening a few junctions could cause fireworks... take a look at some online videos about 'opening hot' for example... now imagine if that arc caught other pieces of equipment because the line was still energized.
Simply put, the power industry needs to step up to the plate and harden both their network infrastructure and their meatspace infrastructure against malicious attack.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
Why shut down the grid? Get free electricity! Joking aside, this reminds me of a true story I once heard. It took place sometime in the late 1940's and involved the British energy company providing free electricity to a factory, due to someone's connections with employees of the energy company. This continued for many months, maybe even a few years. They were never caught, as far as I know, and the story was kept secret by all those involved for at least two decades.
McCain/Palin '08. Now THAT's hope and change!
How do i get a job as a penetration tester? I wonder what that interview would be like?
Trinity did it in 3 minutes.
In Leather
I love humanity, it is people I hate
Social engineering, eh? Kevin Mitnick would be proud...
but this is why we have one of our operator's desktops totally disconnected from regular TCP/IP networks. It communicates to the rest of the system through PROFIBUS, which would be difficult to hack. If we need to run and all hell is breaking loose (virii, hackers, etc.) we just disconnect from the rest of the world and run. We will lose historical data and remote access, but if we're running the rest is just gravy.
Look where all this talking got us, baby.
it would have taken an hour and had a helluva goatsee up for all to see. It only took a day 'cuz they were union and had a power lunch and a massage appt. at 3pm.
amateurs
If you are reporting on security topics you should really make sure your web app is secure.
http://www.networkworld.com/news/2008/040908-rsa-hack-power-grid.html?page=2-XSSHERE-
-EvilPacket
Time to Live Free or Die Hard.
He'd better have said "I have the power!" when he finally had access to everything.
:(){
"Trust me baby, I'm a professional. See? It says so right here on my card -- Penetration-Testing Consultant."
There's a nice feature on Ira Winkler in attrition.org's charlatan file:
http://attrition.org/errata/charlatan.html#winkler
I think the same problems exist that were around in the 1980's and nothing has been done about it, you could read all about them in text files on old school BBS systems.
I could do it in less than 1 minute with only a steel ladder. There is definitely a lot of room for security improvement in this industry...
(although thank you PG&E for the quick response times when people kept rupturing the gas lines near my house)
I should hope that critical things like "TURN THE WHOLE POWER GRID OFF" are not even on a secure server. They should be on terminals that are not even connected to the Internet, much less networked to anywhere else in the building.
It's awfully difficult to hack something when it isn't connected to the Net. Even simple security like multiple checkpoints, a keycard, and several biometric scans (as well as regular, and often, virus and spyware scans) to get to a secure terminal would go well towards protecting the security of our power networks. Hell, post a guard nearby who isn't incompetent.
The one thing Social Engineers/Con Men fear most is challenges - and by challenges, I mean challenges of authority. PROVE you are who you say you are. Check their records against a secure terminal or a hard copy of an employee roster. If anything is remotely fishy, no matter how "important" they say the work is, don't let them past you.
Vigilance is the key, and far too many critical parts of our infrastructure still fail at it to this day.
Random Thoughts From A Diseased Mind (Not For Dummies)
The subject says it all. Just don't network systems that are so damn important to the fucking Internet or networks you don't trust. Why is that so complicated for people to understand? Sure you lose the Internet's utility and access to some of your internal resources, but on the plus side, the power grid to thousands/millions of customers is secure. The only desktop that should have access to this kind of network should be the desktop of the engineer maintaining the system.
They'd post armed patrols out in the mountains... even then good luck.
Why the hell would someone go to all the effort mucking around with computers and hacking and leaving evidence everywhere when they could just go buy a gas axe from the local hardware store and knock down a few of the big towers and cause havoc for days... and have about a 0% chance of getting caught to top it off.
I was 4WDing up in the high country near my city the other weekend, driving along the maintenance tracks for the big lines that run from the hydroelectric plant to the city. A gas axe to a few of the supports and you could cut power to the city in an hour. Choose the right towers, remote and hard to get to, and it could be out for days. The big lines run through the rugged and isolated mountains for about 100 km (60 miles)... good luck stopping someone motivated doing that.
And yet, no one ever has... perhaps, just perhaps, there aren't bogeymen trying to get us hiding around every corner?
These 'security experts' that seem to be cropping up left, right and centre these days crying about how unsafe and insecure everything is seem to be little more than a new incarnation of snake oil salesmen.
Rediculous.
I hacked a kebab in less than 30 seconds.
If you mod me down, I will become more powerful than you can imagine....
That would be the interesting info here. I don't really know why this gets published (on Slashdot!) when there are no specifics available.
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
Disconnect the damn control network already. It will be much harder to break into when it is not physically connected to the internet.
No name mentioned, but I think I have a good idea
Not that other operating systems are perfect, but from what I understand, some power grids are mandated to run Windows on as many of their systems as possible - i.e. the technicians/engineers are not allowed to evaluate what OS best meets their needs.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
I'm actually doing an undergraduate thesis on computer security and critical infrastructure. It really is shocking what kinds of things you can do on these "critical" systems. It's a big combination of things causing such a headache. The big problem is that these computer systems were not designed with the internet in mind. SCADA systems that control physical systems over a wide geographic area were built before the internet even existed. That means there's poor authentication, and little security at all (and no encryption to boot). This is all very bad, HOWEVER I have been quite pleased that everywhere I have been so far, apparently I'm on the heels of the DHS, who are actively investigating these weaknesses, and lots of federal resources are being used to bring these standards up. Yes, it's bad. Yes, it's getting better. No, it's not ever going to be good enough.
In 2000/2001 I took a look around the LAN of GE. General Electric had power substations (as well as several pieces of medical equipment, including an X-ray machine that could be calibrated remotely) with admin pages available over HTTP and vulnerable to null password authentication (and a few other misc things that didn't require any auth at all). Here's the kicker: GE owns 3.0.0.0/8, and it was all visible to the world.
I don't know if this is the case now, or remember specific hosts that were vulnerable, but I can tell you that if you go looking on 3./8, you'll find interesting shit, and if you lift a laptop from a GE work vehicle (at least a GEMS (General Electric Medical Systems) laptop), VPN information is cached on an unencrypted Windows partition, and if you're on the VPN you can hit nearly every machine. I can also tell you GE laid off hundreds of techs responsible for managing GEMS, and they were already hurting... I can just imagine what it looks like now.
-AC to save myself from the lawyers.
Why do we keep critical networks connected to the rest of the net? Why don't resources like these, and the governments, set up proprietary networks that are inaccessible from the global internet base to prevent these sort of things? I never really understood that.
if you didn't actually take down the grid, how do you know with absolute certainty that you could have finished the job?
From TFA, this is what we have: "the server downloaded malware that enabled the team to take command of the machines. 'Then we had full system control,' Winkler says." Sure, buddy. Right. How did you know? What did you try to do? What was the last step where you decided NOT to press "Enter"?
I'll wait until someone actually has the gonads to bring down the system, and then use the "I told you so" argument to prevent being totally raped by the authorities. In other words, we need a sacrificial lamb.
Any takers?
6th Street Radio @ddombrowsky
Nobody would ever, ever, ever take down the power grid. Do you realize the implications of such an act? Screw 9/11 .... We are talking about PORN here. Hundreds of thousands of men that get off work everyday, all at different shifts, and have their pants around their ankles within 10 minutes of being home.
You turn the power off, you take away the porn, the air conditioning for the cold beer, the TV to distract you from your bullshit. You force men to deal with that and I predict a couple hundred thousand men rabidly searching for whoever was responsible for THAT.
Bin Laden has not been found yet, the idiot that takes out the power grid will be found in 30 minutes.....
Depending on the level of security required: a combination of all post, contextual transmissions, one time keypads, PGP encryption, ROT 13, plain text.
Yes, computers and people are different. These are the best encryption techniques, in order of security, to date.
Security is not just computers, it is a constant in all possible 'power based' scenarios.
and that's my $0.02
sig sig sig siggy sig
I don't doubt it at all. Many, many businesses running important systems and infrastructure are no more secure than anywhere else. And that security "everywhere else" is basically a lack thereof.
When you think about it for a moment, these kind of key things could be successfully attacked and shut down no problem. It's never been otherwise. There are people that just love to break into systems, and it's obvious that some of those people inevitably have far more destructive intentions than simply "penetration testing". I mean, I guess it doesn't get a lot of attention because no one's really done a major attack that has had drastic immediate effects (like shutting down the power grid). Frankly I'm amazed something of a comparable scale hasn't happened - but I guess people with those intentions are probably pacified by the fear of being thrown in jail forever...
Dunno, just growing up in quite a high-tech age, I'm amazed electronic break-ins and destructive vandalism aren't happening notably regularly...
The kind of orchestrated attack mentioned in TFA is definitely not "rocket science". A few talented people could pull off major hacks with a pretty trivial level of effort, especially considering all of these networks that run just plain old Windows XP or 2000. Get some clueless data-entry person to "open the important security update i'm emailing you", whee, you're in, have fun. Even in places with pretty strong security policies, you can never really secure your network from weaknesses and variability of the human mind.
It's not even some action-thriller-cyberpunk movie, I'm sure it could happen at pretty much any time - and it doesn't have to be some foreign intelligence agency - it could just be a couple of teenagers who are super pissed about [whatever] and have the know-how and drive to do it.
From the article: "In addition to consulting, Winkler is author of the books Spies Among Us and Zen and the Art of Information Security."
(italics in the original)
Spies Among Us and Zen? Can't wait to read that. And: "Hi, I'm Art. Art of Information Security." Or maybe that is a coffee-table book of famous paintings reimagined through security logs, Matrix-style.
$nice = $webHosting + $domainNames + $sslCerts
I'm not impressed, the bad guy in the last Die Hard took down the grid in a couple of minutes..
aboard this ship!"
Secretary Rosalyn: "I heard you're one of those people... you're actually afraid of computers."
Commander Adama: "No... there are many computers on this ship. But they're not networked!"
Secretary Rosalyn: "A computerized network would simply make it faster and easier for the teachers to be able to teach..."
Commander Adama: "Let me explain something to you..."
Commander Adama: "... many good men and women lost their lives aboard this ship, because someone wanted a faster computer to make life easier. I'm sorry that I'm inconveniencing you or the teachers, but I will not allow... a network computerized system to be placed on this ship while I'm in command. Is that clear?"
....but seriously, folks, what kind of a utility company would have NMS access and internet access on the same machine? Social engineering my ass, proper utilities wouldn't have internet access on a machine that controls anything that matters.
It's too easy to blame it on lack of oversight from regulators. The prime people that are responsible for this are the people that run the company, and to a lesser degree, the people that work there.
If they have access to the desktops, what's to stop them from installing a keylogger or screen monitoring application or network packet capture utility to grab passwords and all manner of other data?
Because running Windows there is bad enough; it's willful negligence. So to cover their asses, they must be sure to really foul things up by connecting the whole compost pile to the public Internet so that when it goes down they can claim plausible deniability and blame 'evil hackers'. Everyone will then accept that it is an 'IT' problem not a power grid problem, the Microsoft Effect kicks in, and everyone agrees that nothing could or should be done and people get used to brownouts and blackouts.
I don't work in the power industry, but if I put myself into the very greedy, naive, stupid shoes of a corporate C.E.O., I would guess that most of the big wigs would be demanding network connectivity so that they could sell performance and distribution metrics to data collection agencies, or for statistics collection purposes. I'm thinking they retain this data for their own logistical accounting and tech support ... probably looking for power spikes, brownouts, etc ... I'm not sure of the types of agencies that would pay power companies for this information after the fact, but the general rule is if you can write it to disk, then it's probably worth something to someone somewhere. Obviously, having said infrastructure available on a wide network is valuable to these people if for no other reason than the sheer convenience of ready access.
... = \
I do agree with the proposals to take power infrastructures off the net, but you have to remember that all of their IT guys are sucking for some promotion, telling their bosses how their Cisco firewalls provide perfect security and that there's no way an intruder could possibly get through
...then you'll have our attention.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Something is easily borken
destiny, chance, fate, fortune; they're all ways of claiming your fortunes, without claiming your failures. -gerrard
This is the way it is in most power stations. In the two that I worked for, one was out in the sticks and didn't have DSL. The chief engineer had a shotgun in his office for copper thieves and other troubles.
The other one I worked for had a Wal-Mart non-wireless router for the internet. All the control equipment was hooked up to redundant dedicated switches. The control computers were not connected to the internet router in any way.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
Posting as an AC (can't login while I'm at work) this will probably never make the +mod list, but I couldn't let this comment pass...
I used to work for a utility / distribution company as a business analyst. With a background in network and software security, I habitually notice security holes... with a background in being a "good guy" I habitually report them. While working at said utility company, I pointed out vulnerabilities in their tracking system, internal reporting system, and their internal problem resolution system.
I brought up the issues to my manager as well as the IT director. Both of them basically said (and in one case literally said) "Have you told anyone else about this? Please don't, we can't fix it." In this case, I pointed out to my manager that his password was (insert password here), and that I could find out the password to anyone on the system, as could anyone who used the system. Ironically, I noted that he changed his password the next day.
With utilities that big, they have such inertia, that it takes *forever* for any change to happen, to include technological innovation. On top of that, they promote based on longevity rather than merit (no bitterness here, this was *explicitly* stated to me at my time of hire), so any person in a field office has a shot at management...which doesn't always get you the most qualified people making the best decisions.
I really don't see this changing any time soon, sadly.
"these computer systems were not designed with the internet in mind. SCADA systems that control physical systems over a wide geographic area were built before the internet even existed"
I assume you mean by 'these computers' Microsoft Windows, and Windows was most certainly designed for the Internet and security at the very least from Windows NT. Connecting these 'computers' through the Internet was an economic measure, designed to save on maintaining a private network. What's mind boggling is that they are still connecting such 'computers' to the Internet in 2008. Have these 'computer' professionals learned nothing since the Blackout of 2003? See also SQL virus takes down Nuclear Power Plant SPDS system.
davecb5620@gmail.com
'They sent the workers an e-mail about a plan to cut their benefits and included a link to a Web site where they could find out more'
...
'When employees clicked on the link, they were directed to a Web server set up by Winkler and his team. The employees' machines displayed an error message, but the server downloaded malware that enabled the team to take command of the machines.
"Then we had full system control," Winkler says.
"It was effective within minutes."'
Any guess as to which Operating System this malware runs on?
davecb5620@gmail.com
When she gets that down to 60 seconds,
with a gun pointed at her head,
while receiving oral sex,
you let me know.
[Fuck Beta]
o0t!
Even with that, he complained about how his hands were tied during these penetrations - the team had permission to probe the security of said company, but he wasn't able to, say, break into Microsoft or Sun or IBM and learn about unpatched bugs, or break into the local Bell company and reroute or monitor calls and circuits of the company, things he had been able to do in the days when his "hat" was less alabaster. Another friend of mine, who had also switched hats and was working for a large consulting company, used to complain how what he was doing was cookie cutter - they would install vendor-approved patches and the like, but were not actually securing the systems from stuff floating around in the wild which had not been patched yet. He used to go against company policy and fix stuff not on his checklist anyhow.
My company sells control systems to utilities for operating their power plants.
The system is sold with the hardware and... there is no connection to the internet.
It is a segregated system that stands on its own.
Why would you need to connect it to the internet or even a modem?
Tape backups and/or DVDs of the operating data are moved from the control system to the back office, but it is a one-way communication OUT of the control system.
Software upgrades happen rarely at best.
In order to support our customers we maintain copies of their systems down to the OS and patches. We have a mimic of their plant in our labs. Old operating systems and all. Why bother with security patches when your server and 4 PCs are not on a network?
Slowly waving my hand - "This is not the sig you are looking for."
Actually the USB drives don't even fall under the heading of 'Social Engineering'. Social engineering involves communicating with someone. The only way it could be social engineering is if you are interacting with your hardware on WAY too much of a personal level.
> Ira Winkler, a penetration-testing consultant
With a name and job title like that you'd think he worked in a different industry...
~Vexed and loving it!
If I were a terrorist, I'd just lob a grenade over the chain link fence into a big substation.
I love how they think about computer security on BSG.
For those who haven't seen it, on Battlestar Galactica, they're fighting an enemy they assume can near-instantly take over any computer, especially any network connected to the outside comms.
So they have plenty of computers, but none of them are connected to any others. (Although they can network them in an emergency... and the one time they did that to calculate something faster, they ended up having the computers almost taken over. Smartly, they only used non-critical computers.) They can reset and reload any of the computers in a few minutes. Their comm system appears to be some sort of analog switched and radio network, without any sort of 'modem' that would allow it to connect to any computer at all, and with hardware controls.
If corporations are people, aren't stockholders guilty of slavery?
This is precisely why the SCADA (Control Systems) networks and the Business networks must be physically segregated. A utility I worked for until downsized early in 2003 opted for this route. Up until 9/11, there were compelling business reasons to interconnect the two networks for access to data for the GIS and other systems that could use the data. After 9/11, no reason existed that trumped the 'what if' security question.
Personally, I feel it is not only incompetent but also pridefully arrogant to think that you can secure interconnected control networks that ultimately have access to the outside world. The guidelines that were set down by Homeland Security are not exactly the strictest you would find, they're pretty lax IMHO; which is why this proof of concept could be successful.
The only solution is to physically segregate the two networks. If you need data, I would even venture to say that even Sneaker Net would be a hazard (think malicious software); but one that could be managed far easier than interconnected Control and Business networks.
In America today you can murder land for private profit. You can leave the corpse for all to see, and nobody calls the c
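The segregation argued in the post above, and the one-way export out of the control system described earlier in the thread, can be checked mechanically against a zone-based firewall policy. This is an added example, not code from the thread, any commenter or any vendor; the Rule format, the zone names (control, business, internet, vendor_vpn), the service names and both rule lists are constructed for illustration, and first-match evaluation is assumed.

```python
"""Audit a zone-based firewall policy for control/business segregation.

Constructed example: the Rule format, zone names, services and both rule
lists below are made up for illustration and describe no real utility or
product. The check encodes the thread's position: the control (SCADA)
zone may push data OUT to the back office over one named service, but no
untrusted zone may initiate a session INTO the control zone, and the
control zone gets no open egress.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    src: str              # source zone, or "any"
    dst: str              # destination zone, or "any"
    action: str           # "allow" or "deny"
    service: str = "any"  # named service, or "any"
    comment: str = ""


PROTECTED: Set[str] = {"control"}
UNTRUSTED: Set[str] = {"business", "internet", "vendor_vpn"}


def _matches(field: str, zone: str) -> bool:
    return field == "any" or field == zone


def first_match(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """First-match evaluation: the first rule whose src/dst cover the pair
    decides, so a broad early rule shadows anything listed after it."""
    for rule in rules:
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule
    return None


Finding = Tuple[str, str, Optional[Rule]]


def audit(rules: List[Rule], protected: Set[str] = PROTECTED,
          untrusted: Set[str] = UNTRUSTED,
          default_action: str = "deny") -> Dict[str, List[Finding]]:
    """Return two lists of (src, dst, deciding_rule):
    - inbound_into_protected: an untrusted zone can open a session into a
      protected zone (the business-to-control path the thread warns about)
    - broad_egress_from_protected: a protected zone may reach an untrusted
      zone on any service instead of one named export service"""
    inbound: List[Finding] = []
    egress: List[Finding] = []
    for dst in sorted(protected):
        for src in sorted(untrusted):
            rule = first_match(rules, src, dst)
            allowed = (rule.action == "allow") if rule else (default_action == "allow")
            if allowed:
                inbound.append((src, dst, rule))
    for src in sorted(protected):
        for dst in sorted(untrusted):
            rule = first_match(rules, src, dst)
            if rule is not None and rule.action == "allow" and rule.service == "any":
                egress.append((src, dst, rule))
    return {"inbound_into_protected": inbound, "broad_egress_from_protected": egress}


def report(findings: Dict[str, List[Finding]]) -> List[str]:
    """Render findings one per line; an empty list means the policy passes."""
    lines = []
    for kind, items in findings.items():
        for src, dst, rule in items:
            why = f"rule '{rule.comment}' (service={rule.service})" if rule else "no rule, default allow"
            lines.append(f"{kind}: {src} -> {dst}: {why}")
    return lines


# Constructed policy with two common mistakes: a vendor support path left
# open into the control zone, and a catch-all web rule that also lets
# control hosts reach the internet.
LEAKY_RULES = [
    Rule("control", "business", "allow", "historian-push", "export operating data to back office"),
    Rule("business", "control", "deny", comment="block office desktops from control"),
    Rule("vendor_vpn", "control", "allow", "rdp", "remote support (left permanently enabled)"),
    Rule("any", "internet", "allow", comment="web access for everyone"),
]

# Constructed policy matching the thread's advice: one named service out
# of the control zone, nothing in, no other egress.
STRICT_RULES = [
    Rule("control", "business", "allow", "historian-push", "one-way export out of the control zone"),
    Rule("any", "control", "deny", comment="nothing initiates into control"),
    Rule("control", "any", "deny", comment="no other egress from control"),
    Rule("business", "internet", "allow", comment="web access for office desktops only"),
]

if __name__ == "__main__":
    for name, rules in (("leaky", LEAKY_RULES), ("strict", STRICT_RULES)):
        lines = report(audit(rules))
        print(f"{name}: {'PASS' if not lines else 'FAIL'}")
        for line in lines:
            print("  " + line)
```

The audit flags the vendor VPN path into the control zone and the catch-all egress rule in the leaky policy and passes the strict one; it does not model stateful return traffic, which is why only session-initiating direction is checked.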
makes claim he can't back, news at 11.
The Kruger Dunning explains most post on
SCADA networks are a scary mess. Luckily most of the systems they control are usually designed by an engineer, and if someone were to take control, the safeguards will usually keep most bad things from happening. But still...
I'm not sure I believe the claims being made here. I've worked as a subcontractor in power plants all over North America and I've never seen a single plant where this would even be possible. Power plants have LANs with internet access like every other business, but plant operations, as controlled by the DCS, are completely isolated from the internet. It might indeed be trivial to compromise the LAN, but that is a far cry from actually gaining control of the power block. The DCS does have connections to the outside world in the form of frame relays (sometimes) to power marketing cooperatives (such as ERCOT in Texas...), or telephone access by analog router, but these are highly secure, isolated connections. The analog routers are usually disconnected when not explicitly required for remote support. This appears to me more media-inspired scaremongering.
It's not like getting into the desktop machines was all that had to be done. There is no magic button that turns it all off. They'd have to send settings and data to protective relays throughout the network to simulate some failure and relay that to SCADA to bring anything down.
In some cases it takes in-depth knowledge of not only Power Engineering, but the devices and schema of the system. You will be hard pressed to find anyone outside the company that has all of the pieces to actually do it.
The easy way to take down a large chunk of power distribution in the United States is to drive a couple trucks into substations. It's just a matter of picking the right ones.
"..and the drive automatically grabbed some data."
What's that work?
for that sentence.
How about:
How does a program on the pen drive work without someone running it?
I thought the Die Hard 4 plot was ludicrous.
Apple guy: Jesus Christ. It's a fire sale.
Bald Actor: What?
Apple guy: It's a fire sale.
Deputy Director Miguel Bowman: Hey! We don't know that yet.
Token Asian Chick: And it's a myth anyway. It can't be done.
Apple guy: Oh, it's a myth? Really? Please tell me she's only here for show and she's actually not in charge of anything.
Bald Actor: What's a fire sale?
Apple guy: It's a three-step... it's a three-step systematic attack on the entire national infrastructure. Okay, step one: take out all the transportation. Step two: the financial base and telecoms. Step three: You get rid of all the utilities. Gas, water, electric, nuclear. Pretty much anything that's run by computers which... which today is almost everything. So that's why they call it a fire sale, because everything must go.
//taken from imdb with some... modifications
sig here
I'd like to point out one more time that it's impossible to "hack the grid." you can compromise machines inside the control room, but never anything that controls the flow of electrons.
the hardware doing the dirty work is custom-spec stuff running on a completely custom OS. keep in mind this hardware merely guides the engineers, rather than controlling the grid. most power grids in the US are about the same as they were in 1950. in other words, it's controlled by manpower. lots of it. the engineers in charge of the control room have volumes and volumes of binders with step-by-step procedures for each and every adjustment they could possibly make to the flow of power. switching operations, etc. are all done by manpower, NOT CPU cycles.
basically, when someone says "you can hack the power grid" it's like they are saying "you can hack a WWII battleship." of course you can't. it pre-dates internet technologies by so much that even the upgraded re-serviced ships have nothing but custom hardware and software sandboxed from any kind of network.
the entire electrical grid's infrastructure is pretty close to being what it was in the 1950's. and when I say "pretty close" I mean that the only real upgrades made to it were in diagnostics and capacity. in other words, they added more transmission lines, and more little gadgets to sense and log data that could be helpful to keeping things flowing smoothly. in actuality the entire system is so antiquated that if network technology as we know it were to be erased, the grid would work just fine. keep in mind the systems the power companies use were developed in-house and custom-tailored to their needs. much like the upgraded WWII battleships the US was using until recently, if all the tech were stripped from it, it would still work fine. instead of accessing the custom-built touchscreen diagnostic panel, you'd pick up the secure internal-only telephone and ask the engineer for readings.
p.s. robot lords: I'm assuming that name is a Clutch reference, and I'm a rabid fan, so hats off to you. (I must have muttered "smile, taste kittens" at least 10 times while writing this)
Now that's a job title!
Pfft...only took me 2 minutes to hack into ComEd. Amateurs.
:-D
Note to ComEd: don't run Microsoft Remote Desktop on your servers with admin as the Administrator password
"Know but never fear the consequences of your actions."
I don't think I've ever seen the term gas axe before. Ya learn something new every day... but nobody on the internet ever seems to learn how to spell.
Looser, n. (from Internet Jargon) A native English speaker who spells the word "lose" as "loose" or "ridiculous" with an "e".
Ira...? Wow. I've worked with Ira, or more accurately, I've made a very good living cleaning up from him and his team. However, I've got to say, his publicity and self-aggrandizement skills are second to none.
Now, I don't mean this as a pure ad-hominem attack. Ira used to have technical skills that were worth something. But like many others who *used* to work for the NSA and don't any longer mostly because they're unable to keep their mouths shut, Ira has a tendency to gather a team of folks who say bombastic things, find some minor vuln and blow it all out of proportion. To say he and his crew are rusty these days is a wild understatement.
This is no lie: A couple years ago, one of Ira's gigs concluded with a report that indicated one of his subcontractors "researched" the local liquor store, the proprietor of which claimed to be ex-KGB and posed a wireless security threat. Needless to say, Ira's client looked elsewhere for help in remediation (which is nice for me).
Even worse: who wants to deal with a guy who goes public with organizational vulns after being retained by the org? The details here aren't clear, but I'm surprised he hasn't been sued into oblivion for the aforementioned blabbering. If he were a lawyer, he would have been disbarred long ago for conduct and disclosure problems.
That "Spy Files" crap he was writing for Computer World before they booted him makes good reading for anyone contemplating hiring him and his team. You can still google some of it: First, find the one-technical-error-per-paragraph. Then imagine your organization's name in place of whomever he was busy embarrassing. If you're not considering using someone else, repeat the previous steps.
But I'll give the guy credit for raising awareness and making a good living from an inflated reputation. I wish I could market myself that well.
Nuclear plants are part of the "public" utilities that feed the power grid.
You cannot just stroll into a nuclear plant to see how things work.
After your smug and false assertion that you can, everything else you have to say, no matter how "insightful" it may seem to some, is suspect.
-- What you do today will cost you a day of your life.
I've been telling my bosses about the threats that our browsers and unpatched machines pose. There are countless machines that are not patched on our network, and our data center did not have access to XP SP2 for some two years after it was released because the machines weren't allowed to install it under our super user account, but field services never came to install it for us because it's too much of a hassle for them to get physical access to the data center. So we couldn't install it, and they wouldn't. I actually hacked the install to my machine with an admin account I had access to, but even after demonstrating to my boss a malware infection and how the patched machine was NOT vulnerable to it, he didn't think it was much of a big deal. As long as management (manglement) doesn't understand the threats posed to their networks, they will likely stay vulnerable. In the end no one cares until they lose data and of course, by then it's too late. Maybe if they lost some MONEY they'd listen. This case was a power grid, something that is important for a great number of people. But most companies won't listen until you tell them they are losing money.
The eternal struggle of good vs. evil begins within one's self.
I doubt there will be serious inquiry into fixing this until someone actually causes a lot of damage.
And even then, the only thing that will be done about it will be an invasion of some random middle-eastern country and possibly full-body searches of suspicious (read: busty female) looking people near power plants.
Windows.
That could mean they had compromised systems on the EMS LAN, or it could mean that they had access to desktops on the corporate LAN that had been given some kind of operator access to the EMS LAN. Best practices in the industry include restricting operator access to systems behind the EMS firewall, restricting those systems' access to the Internet, requiring that operators access Internet resources from physically separate computers on a separate physical LAN from the dispatcher and operator consoles, and limiting corporate LAN access to an EMS DMZ hosting reports "pushed" from the EMS LAN.
I'm not sure such a thing exists.
I used to be an operator for a water works, their security was a complete joke. Under their system, the municipal water supply was only safe as long as nobody wanted to poison it. The plant grounds weren't secure (there was a gaping hole under the perimeter fence due to terrain, nobody cared), the fence wasn't topped with barbed-wire as I recall, and while the proper doors on the plant were secured with locks, the assorted access hatches, some at ground level, were completely unlocked. There was no intrusion alert system of any sort, and the location wasn't staffed 24/7. Well, it should've been staffed 24/7, but the district manager was a kook who maintained a hard line that "nobody should ever have to work a graveyard shift!", even when we all volunteered for it and desperately wanted to improve operations by doing so during summer when we ran over our rated capacity for 18 hours a day. But I digress.
That was just the pathetic security picture at the water works plant itself. Neither of the two ~300k gallon water tanks off-grounds had their main hatches secured with more than a flimsy padlock (there were no 'hatch open' alarms or anything, not that it would've mattered with nobody working overnight anyway and the district being so technologically incompetent that there simply was no technology), and they weren't in visible locations.
I'm sure things have gotten a little better since I worked there, 9/11 happened in the meantime. This water district served a suburb of one of the larger US cities, so it could well have been a target. There was no excuse for even the simplest security measures not being taken. All it would've taken was someone with a twisted mission from God to wreak havoc, and the water supply for tens of thousands of people would've been tainted and unsafe.
I work for a power company, heard the presentation. Ira is an idiot - there's no nice or better way to say it. Get up on stage and spew a lot of generalizations with no proof, no permission from the organization you did the work for and you too can get quoted by all the (clueless) news wires.
Bah!
And you people thought Die Hard 4 was bullshit. Bruce Willis > Chuck Norris.
custom OS? Not sure what you got in the US, but down under it's just a plain jane windows box (win 98, nt, 2000, xp.. depending on age and enthusiasm of engineer responsible) running a SCADA package such as Citect, interfacing to some PLCs and/or RTUs.
Or if it's not a SCADA system, it'll be a DCS of some sort... but nothing custom per se.
The moral: pr0n sites are safer!! Remember this when you surf.
.. paranoid crackpot leftover from the days of Amiga.
I worked at a local utility for three years in the IT department, and there is nowhere that their SCADA system touches the rest of the corporate network. They sneakernet tapes and disks from one machine to the other when they need data transfers. They're far more worried about someone getting into one of the rural substations and tapping into the system from there.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
A person with a deer rifle, on the other hand, could take out an entire substation in a couple minutes, drive to the next and take it out, and then bring down a third before the police could even come to the conclusion that they need to post guards. Few utilities have more than two of the largest transformers or relay sets in stock, since they cost so damn much, and the backorder times on most of them are 3 to 18 months. In addition, Federal regulations will make most damaged substations into chemical hazard sites for weeks or months.
Utility security directors are a lot more worried about people with rifles than they are about hackers.
If you want a demonstration of what an unreliable power grid does to a country's economy just look at the difference in Peru's economy before and after the Sendero Luminoso were taken down (yes, I realize there were other factors as well). Additionally, the big equipment has delivery times ranging from 3 to 18 months because it's all essentially custom made and it's so expensive that no one carries more than the absolute minimum of spares. The factories don't have the ability to rapidly ramp up production or delivery either.
This stuff isn't rocket science. If the US isn't being attacked right now, it's because they don't WANT to attack us. And that's a very, very scary thought to most people, since their whole world view says otherwise.
...it is insane to have any kind of physical connection between the power control grid and the Internet. And to have access through a Microsoft system is just ASKING for trouble, with a capital "T" and that is TERRIBLE.
Those involved need to find other work.
Check out "social" on dictionary.com: http://dictionary.reference.com/browse/social
Social engineering requires some sort of social interaction. Just because it is a human involved with an action it doesn't make it a social action.
If a guy accidentally drops a $5 bill so I can pick it up off the street there is no social component. If someone distracts him so he drops the 5 then there is a social component. Looking at an inanimate object is not a social behavior.