Experts Hack Power Grid in Less Than a Day

bednarz writes "Cracking a power company network and gaining access that could shut down the grid is simple, a security expert told an RSA audience, and he has done so in less than a day. Ira Winkler, a penetration-testing consultant, says he and a team of other experts took a day to set up attack tools they needed then launched their attack, which paired social engineering with corrupting browsers on a power company's desktops. By the end of a full day of the attack, they had taken over several machines at the unnamed power company, giving the team the ability to hack into the control network overseeing power production and distribution."

I hate the term "Social Engineering"

What's wrong with the good old fashioned "lying" or "scamming"? Fucking con-artists trying to sound legit.

Re:I hate the term "Social Engineering"

[IBBoard]

"Social Engineering" is using normal behaviour and expectations to get people to do what you want when they're not supposed to, without them noticing.

Lying is telling a falsehood as truth.

Scamming is offering something but never following up, or following up with less than was promised (e.g. bait and switch or fake companies that run off with money).

There's big differences in those definitions.

The most obvious example I know of is social engineering with USB pen drives. A penetration testing company was asked to test corporate security. They did it by leaving a number of USB pen drives around the office. With no lying or scamming, people took the drives, wondered whose it was, plugged it into the computer, and the drive automatically grabbed some data. At the end of the exercise the pen. testers listed the names of people who had connected the drives, even when its origin was unknown. No lying or scamming was involved, but there was a social norm that they exploited as social engineering, which is that people will look to see what is on it to see if they know whose it is. If it had been a virus/trojan then that simple social engineering could have taken down the network, been pumping out spam, or allowed someone access via a back door.

Re:I hate the term "Social Engineering"

[vux984]

The most obvious example I know of is social engineering with USB pen drives. A penetration testing company was asked to test corporate security. They did it by leaving a number of USB pen drives around the office. With no lying or scamming, people took the drives, wondered whose it was, plugged it into the computer, and the drive automatically grabbed some data.

That is probably the ONLY example I've seen that DOESN'T involve lying or scamming. Usually 'social engineering' refers to calling in to the receptionist, posing as the IT helpdesk, or something else, and then have them tell you their passwords...or type 'arcane things into a command line'...or run the attachment in an email you send them...and they do it without a 2nd thought. And that, would be a clear case of 'lying' or even 'scamming'.

Phishing sites, email spam from 'John' that says "Check out our Vacation Photos", etc also fall under the wide umbrella of 'social engineering'.

Re:I hate the term "Social Engineering"

[IBBoard]

It's the only well known one I can think of, but "check out our vacation photos" is more social engineering than scamming. You're not exactly lying (you can argue you are because you're not actually giving them the photos, or they're not really John, but that's not necessarily the case - they could put the photos up anyway to make it look more legit) and you're not scamming by offering something of value and taking something away from the victim, you're relying on 'normal' human behaviour to go "I don't know who this is, but I'll check out the link anyway in case I can tell from the photos".

Similarly, wearing a fluorescent jacket and working on an exchange box or other equipment isn't lying or scamming anyone, but through social engineering and societal training you'll get away with what you're doing because people go "oh, he's a contractor, he must be doing some contract work".

Ditto for walking in to buildings - we've got guards at the main gates, but once you're in then you can get in to a lot of buildings without question just by looking like you belong and having something pass-like hung around your neck. You're using people's social expectations of "he is on site, has a pass and knows what he is doing so must be allowed here" to get you in to places where your swipe card won't work.

Re:I hate the term "Social Engineering"

[somersault]

If it's an accident then it's a mistake. If it's purposely tring to make someone believe, or knowingly let someone believe something you know to be a lie, then it's deceit.

Re:I hate the term "Social Engineering"

[vux984]

"You're not exactly lying (you can argue you are because you're not actually giving them the photos, or they're not really John, but that's not necessarily the case - they could put the photos up anyway to make it look more legit).

Lying by omission is when an important fact is omitted, deliberately leaving another person with a misconception. This includes failures to correct pre-existing misconceptions. One may by careful speaking contrive to give correct but only partial answers to questions.

Even my 4 year old has no difficulty understanding that weaseling like this is a form of lying. :)

I agree you can engage in social engineering without lying, but its an important and ubiquitous tool of the trade.

As for your uniformed workers, while they don't by definition have to communicate with anyone, odds are they will. And odds are they'll at the very least have a prepared lie to go along with their outfit. Whether or not they use it. Hell, even the guys that went around leaving usb drives probably had a cover story in case someone had confronted them. "I'm just returning it." or "Its got some marketing materials for the new yadda yadda..." or whatever.

Re:I hate the term "Social Engineering"

[famebait]

What's wrong with the good old fashioned "lying" or "scamming"?

The problem with them is that they do not denote the subject at hand with the precision required in a serious discussion of security.

Sure, lying and scamming may tools of social engineering, but there are social engineering attacks that do not use those, and there are plenty of lies and scams that do not qualify as social engineering.
I.e. there is an overlap but not congruence. Draw your own Venn diagram if you have to.

They are simply different concepts. Get over it.

Re:I hate the term "Social Engineering"

[IBBoard]

Still, lying or omissions are just an (optional) part of a social engineering "attack", so social engineering cannot be covered by just "scamming" and "lying" - it's a more complex act of sociology and human behaviour.

Besides, are you actually lying when you only tell truths and never say a false word? It is deceit by omission because you're giving a wrong impression by missing out information, but is that lying or is it just deceit as no untruth has been spoken?

Re:I hate the term "Social Engineering"

Social engineering IS used by bad guiys, but not everyone who uses it is a bad guy. These sorts of security professionals ARE legitamate, and though they lie to front-line workers, they have (and MUST have) agreements with managment to do it. Otherwise, they're legally liable and can be sued. Part of this agreement, I'm sure, involves "first, do no harm." That's what makes these guys bettert than phishers and hackers.

In order to immunize you from certain diseases a doctor injects you with a vaccine, which is pretty much the same thing but unable to do real harm. once your body knows what the threat is, it can react appropriately when it encounters the actual thing.

Re:I hate the term "Social Engineering"

[g0bshiTe]

I can vouch for this one. I used to do contract work at a military hospital, Portsmouth Naval not that it matters. The work I did was washing windows, still had to have a hard hat. I went through areas of the hospital that I probably shouldn't have, as a shortcut to get to somewhere I needed to be. Radiology, even went through an empty surgery once. Because I was wearing a hard hat, no one ever questioned or asked me to leave or even show ID, or even asked so much as what company I was with. This was all pre 9/11 though so one would hope things are not this lax now.

Re:I hate the term "Social Engineering"

[FredFredrickson]

Do we need a venn diagram? Come on folks, they're not exclusive! Certain subsets of lying and scamming intersect some subsets of Social Engineering.

Father, I have my foot in your bedroom and also in the hallway. As you can see from my diagram I am not only in the bedroom, I am also in the hallway. - Eddie Izzard

Is everything on the internet?

[Armon]

Why wouldn't the power company use a private network? Why is there EVER a need to have access to those systems over the internet?
Realistically, no part of a nations critical infrastructure should be networked (other than the internet itself). That seems pretty obvious.

Re:Is everything on the internet?

Connectness is transitive. It wasn't a private network if it can be accessed from the outside.

Oops.

[Renraku]

An attack on a control point of the power grid could cause millions in damage if properly executed, and possibly lives from extended loss of power. I'd like to think the power grid has built-in protections to keep a 'bad node' from ruining several others, but it just might not..seeing as how companies build for economy before they build for safety.

Even something as simple as opening a few junctions could cause fireworks..take a look at some online videos about 'opening hot' for example..now imagine if that arc caught other pieces of equipment because the line was still energized.

Simply put, the power industry needs to step up to the plate and harden both their network infrastructure and their meatspace infrastructure against malicious attack.

Re:Oops.

[Firethorn]

seeing as how companies build for economy before they build for safety.

I'd argue that building for safety is right up there, perhaps before economy even.

It's just that the power company's idea of safety != producing, delivery 100% of the time.

Electricity itself is dangerous. So the power companies do all sorts of things like install breakers to shut off the power if a potentially dangerous situation is detected. First is protect human life*, second is the expensive equipment. A fuse is cheap, even if it costs $100 because it's designed for 18KV@1KA compared to a switching station transformer.

Anyways, on 'possibly lives from extended loss of power.'

Anybody dependant on electricity for life should already have backups as necessary. If you're dependant on electricity to power a charger for your artificial heart, dialysis machine, breathing assistance device**, or whatever, you should have a generator, battery backup, whatever's needed. I mean, the way power delivery goes, local events can take out power to a house/business fairly easily, and are fairly common.

I think one guy with a medical problem requiring frequent access to electricity had the house hookup, a backup generator, and a 12V adaptar for cars.

*If nothing else, dead people tend to be REALLY expensive.
**Though I imagine simple pressurized O2 and an appropriately selected mechanical valve system should be able to eliminate the need for electricity for a good while.

Re:I'm Shocked!

[QuantumG]

Require the security guard at my place of employment to scan my ID each and every time I walk in the building? If you work with national infrastructure, they god damn better.

Re:I'm Shocked!

[teh+moges]

Maybe don't go to the extremes of requiring everything to need high security (such as entering the building or doing everyday work), but things such as shutting down the power grid should require extra security. Access to the important controls should have extra security. With security, one size does not fit all.

Security Measures

[Ihmhi]

I should hope that critical things like "TURN THE WHOLE POWER GRID OFF" are not even on a secure server. They should be on terminals that are not even connected to the Internet, much less networked to anywhere else in the building.

It's awfully difficult to hack something when it isn't connected to the Net. Even simple security like multiple checkpoints, a keycard, and several biometric scans (as well as regular, and often, virus and spyware scans) to get to a secure terminal would go well towards protecting the security of our power networks. Hell, post a guard nearby who isn't incompetent.

The one thing Social Engineers/Con Men fear most is challenges - and by challenges, I mean challenges of authority. PROVE you are who you say you are. Check their records against a secure terminal or a hard copy of an employee roster. If anything is remotely fishy, no matter how "important" they say the work is, don't let them past you.

Vigilance is the key, and far too many critical parts of our infrastructure still fail at it to this day.

Here is a "sane" security measure

[johannesg]

Disconnect the damn control network already. It will be much harder to break into when it is not physically connected to the internet.

Re:Here is a "sane" security measure

[chaoticgeek]

I'm kinda confused by this too, why is the power grid on the Internet? Seems like a very illogical thing to do in my opinion. I think they would have two networks in each building, one for the power grid computers and controls and one for anything that needs access to the Internet. If something has to be transmitted to another building either they need to lay down some sort of infrastructure or use SneakerNet...

Re:Here is a "sane" security measure

[borgboy]

Money. Why else? Private networks are more expensive than plugging into the ol' tubes.

Doesn't make it right. I'm not defending, just pointing out the obvious reason.

Re:Here is a "sane" security measure

No, it's not illogical, it's obvious. Connecting control computers over the internet - possibly via a VPN is easy and cheap, building separate infrastructure is expensive. Now tell me why a company that's in it for a profit should go with the latter?

Re:Here is a "sane" security measure

[Sleepy]

>I'm kinda confused by this too, why is the power grid on the Internet?

Cost.

In a lot of cases, you have the power company desktops on the Internet and they have their own lan for desktops etc.
But then those computers CAN access the critical systems.
Then they slap a firewall or VPN inbetween the desktops and the critical systems... wow, it's magically OFF THE INTERNETS!

If you disconnect the two LANS, you're much more secure, but then Lazy McFatass has to WALK to a boring green screen to manage it.

It's much cheaper and employee friendly to just let these people access the secure systems from their desktop, using a remote terminal. Very sad, but true... and very risky.

Remember, it was poor desktop security and a WINDOWS VIRUS that knocked out the US Northeast power grid some 5 or 6 years ago.

Seperate networks?

[ludomancer]

Why do we keep critical networks connected to the rest of the net? Why don't resources like these, and the governments, set up proprietary networks that are inaccessible from the global internet base to prevent these sort of things? I never really understood that.

Re:I'm Shocked!

[Yvanhoe]

Accessing to the crucial computers should require a training where computer security and social engineering are explained. Every user access should have different passwords easily revocable as soon as a flaw is detected. Of course, crucial computers should be on a different network than internet-connected systems.

Re:I'm Shocked!

[witherstaff]

After the '03 outage it made me wonder how safe all those high-rise electrical towers that run across the country are. A stick of dynamite on a tower itself, or even just a few shots with a rifle to the wires attached. Would just one tower lead to another blackout - scary considering those towers are of course everywhere.

I've wondered over the years what someone with a high powered rifle taking potshots at oil/propane/liquid hydrogen tankers on the interstates would do. Mainly this crosses my mind while driving alongside one of them and having seen too many Hollywood movies with things blowing up.

Re:I'm Shocked!

[Jessta]

Seperation of privileges is the best method. Social engineering tends to work because people who have privileges lack certain information and/or lack authority in the role of the privileges they have.

If you have full authority in your role and personally know everyone who is involved in your role then you can't be easily tricked by people outside your role in to doing things.

This requires education and a proper company structure, which requires good smart people in management.

Re:I'm Shocked!

shutting down the power grid should require extra security

DANGER WILL ROBINSON!

CRITICAL FAILURE IS IMMINENT, YOU MUST SHUT DOWN THE REACTOR IMMEDIATELY

Please enter password:

Password is incorrect!
Password is incorrect!
Password is incorrect!

You have been locked out for 10 minutes.

Re:What kind of oversight do Loyal Bushies give???

[robot_lords_of_tokyo]

It's too easy to blame it on lack of oversight from regulators. The prime people that are responsible for this are the people that run the company, and to a lesser degree, the people that work there.

Re:die hard

[Anonymous+Brave+Guy]

Bah... If you can't do it in under a minute while a gorgeous girl is <ahem> distracting you and John Travolta is holding a gun to your head, you're no-one.

Re:I blame the cold medicine

[arminw]

....Same way autorun works from a CD....

Of course this works only in Windows! There you have another reason to use a Mac or Linux. Why, oh WHY does MS program their OS to automatically run whatever crap is on a data storage device?