Slashdot Mirror


Experts Hack Power Grid in Less Than a Day

bednarz writes "Cracking a power company network and gaining access that could shut down the grid is simple, a security expert told an RSA audience, and he has done so in less than a day. Ira Winkler, a penetration-testing consultant, says he and a team of other experts took a day to set up attack tools they needed then launched their attack, which paired social engineering with corrupting browsers on a power company's desktops. By the end of a full day of the attack, they had taken over several machines at the unnamed power company, giving the team the ability to hack into the control network overseeing power production and distribution."

6 of 302 comments

  1. Security Measures by Ihmhi · · Score: 5, Insightful

    I should hope that critical things like "TURN THE WHOLE POWER GRID OFF" are not even on a secure server. They should be on terminals that are not even connected to the Internet, much less networked to anywhere else in the building.

    It's awfully difficult to hack something when it isn't connected to the Net. Even simple security like multiple checkpoints, a keycard, and several biometric scans (as well as regular, and often, virus and spyware scans) to get to a secure terminal would go well towards protecting the security of our power networks. Hell, post a guard nearby who isn't incompetent.

    The one thing Social Engineers/Con Men fear most is challenges - and by challenges, I mean challenges of authority. PROVE you are who you say you are. Check their records against a secure terminal or a hard copy of an employee roster. If anything is remotely fishy, no matter how "important" they say the work is, don't let them past you.

    Vigilance is the key, and far too many critical parts of our infrastructure still fail at it to this day.

  2. Here is a "sane" security measure by johannesg · · Score: 5, Insightful

    Disconnect the damn control network already. It will be much harder to break into when it is not physically connected to the internet.

    1. Re:Here is a "sane" security measure by chaoticgeek · · Score: 5, Insightful

      I'm kinda confused by this too, why is the power grid on the Internet? Seems like a very illogical thing to do in my opinion. I think they would have two networks in each building, one for the power grid computers and controls and one for anything that needs access to the Internet. If something has to be transmitted to another building either they need to lay down some sort of infrastructure or use SneakerNet...

      --
      hello
  3. Re:I hate the term "Social Engineering" by IBBoard · · Score: 5, Insightful

    "Social Engineering" is using normal behaviour and expectations to get people to do what you want when they're not supposed to, without them noticing.

    Lying is telling a falsehood as truth.

    Scamming is offering something but never following up, or following up with less than was promised (e.g. bait and switch or fake companies that run off with money).

    There are big differences in those definitions.

    The most obvious example I know of is social engineering with USB pen drives. A penetration testing company was asked to test corporate security. They did it by leaving a number of USB pen drives around the office. With no lying or scamming, people took the drives, wondered whose it was, plugged it into the computer, and the drive automatically grabbed some data. At the end of the exercise the pen testers listed the names of people who had connected the drives, even when its origin was unknown. No lying or scamming was involved, but there was a social norm that they exploited as social engineering, which is that people will look to see what is on it to see if they know whose it is. If it had been a virus/trojan then that simple social engineering could have taken down the network, been pumping out spam, or allowed someone access via a back door.

  4. Re:I hate the term "Social Engineering" by vux984 · · Score: 5, Insightful

    The most obvious example I know of is social engineering with USB pen drives. A penetration testing company was asked to test corporate security. They did it by leaving a number of USB pen drives around the office. With no lying or scamming, people took the drives, wondered whose it was, plugged it into the computer, and the drive automatically grabbed some data.

    That is probably the ONLY example I've seen that DOESN'T involve lying or scamming. Usually 'social engineering' refers to calling in to the receptionist, posing as the IT helpdesk, or something else, and then having them tell you their passwords...or type 'arcane things into a command line'...or run the attachment in an email you send them...and they do it without a 2nd thought. And that would be a clear case of 'lying' or even 'scamming'.

    Phishing sites, email spam from 'John' that says "Check out our Vacation Photos", etc also fall under the wide umbrella of 'social engineering'.

  5. Re:I hate the term "Social Engineering" by Anonymous Coward · · Score: 5, Insightful

    Social engineering IS used by bad guys, but not everyone who uses it is a bad guy. These sorts of security professionals ARE legitimate, and though they lie to front-line workers, they have (and MUST have) agreements with management to do it. Otherwise, they're legally liable and can be sued. Part of this agreement, I'm sure, involves "first, do no harm." That's what makes these guys better than phishers and hackers.

    In order to immunize you from certain diseases a doctor injects you with a vaccine, which is pretty much the same thing but unable to do real harm. Once your body knows what the threat is, it can react appropriately when it encounters the actual thing.