Experts Hack Power Grid in Less Than a Day

samzenpus posted more than 6 years ago | from the quick-everyone-panic dept.

Security 302

bednarz writes "Cracking a power company network and gaining access that could shut down the grid is simple, a security expert told an RSA audience, and he has done so in less than a day. Ira Winkler, a penetration-testing consultant, says he and a team of other experts took a day to set up attack tools they needed then launched their attack, which paired social engineering with corrupting browsers on a power company's desktops. By the end of a full day of the attack, they had taken over several machines at the unnamed power company, giving the team the ability to hack into the control network overseeing power production and distribution."


302 comments


I hate the term "Social Engineering" (1, Insightful)

Anonymous Coward | more than 6 years ago | (#23021148)

What's wrong with the good old fashioned "lying" or "scamming"? Fucking con-artists trying to sound legit.

Re:I hate the term "Social Engineering" (5, Funny)

causality (777677) | more than 6 years ago | (#23021192)

What's wrong with the good old fashioned "lying" or "scamming"? Fucking con-artists trying to sound legit.
It's "social engineering" if you fell for it.


Re:I hate the term "Social Engineering" (5, Insightful)

IBBoard (1128019) | more than 6 years ago | (#23021672)

"Social Engineering" is using normal behaviour and expectations to get people to do what you want when they're not supposed to, without them noticing.

Lying is telling a falsehood as truth.

Scamming is offering something but never following up, or following up with less than was promised (e.g. bait and switch or fake companies that run off with money).

There's big differences in those definitions.

The most obvious example I know of is social engineering with USB pen drives. A penetration testing company was asked to test corporate security. They did it by leaving a number of USB pen drives around the office. With no lying or scamming, people took the drives, wondered whose it was, plugged it into the computer, and the drive automatically grabbed some data. At the end of the exercise the pen. testers listed the names of people who had connected the drives, even when its origin was unknown. No lying or scamming was involved, but there was a social norm that they exploited as social engineering, which is that people will look to see what is on it to see if they know whose it is. If it had been a virus/trojan then that simple social engineering could have taken down the network, been pumping out spam, or allowed someone access via a back door.

Re:I hate the term "Social Engineering" (-1)

Anonymous Coward | more than 6 years ago | (#23022062)

There's big differences in those definitions.

Not really. All three boil down to lying to morons to achieve a particular nefarious goal. The only difference is "lying" isn't a security buzz-word.

Re:I hate the term "Social Engineering" (5, Insightful)

vux984 (928602) | more than 6 years ago | (#23022116)

The most obvious example I know of is social engineering with USB pen drives. A penetration testing company was asked to test corporate security. They did it by leaving a number of USB pen drives around the office. With no lying or scamming, people took the drives, wondered whose it was, plugged it into the computer, and the drive automatically grabbed some data.

That is probably the ONLY example I've seen that DOESN'T involve lying or scamming. Usually 'social engineering' refers to calling in to the receptionist, posing as the IT helpdesk, or something else, and then having them tell you their passwords...or type 'arcane things into a command line'...or run the attachment in an email you send them...and they do it without a 2nd thought. And that would be a clear case of 'lying' or even 'scamming'.

Phishing sites, email spam from 'John' that says "Check out our Vacation Photos", etc also fall under the wide umbrella of 'social engineering'.

Re:I hate the term "Social Engineering" (4, Insightful)

IBBoard (1128019) | more than 6 years ago | (#23022294)

It's the only well known one I can think of, but "check out our vacation photos" is more social engineering than scamming. You're not exactly lying (you can argue you are because you're not actually giving them the photos, or they're not really John, but that's not necessarily the case - they could put the photos up anyway to make it look more legit) and you're not scamming by offering something of value and taking something away from the victim, you're relying on 'normal' human behaviour to go "I don't know who this is, but I'll check out the link anyway in case I can tell from the photos".

Similarly, wearing a fluorescent jacket and working on an exchange box or other equipment isn't lying or scamming anyone, but through social engineering and societal training you'll get away with what you're doing because people go "oh, he's a contractor, he must be doing some contract work".

Ditto for walking in to buildings - we've got guards at the main gates, but once you're in then you can get in to a lot of buildings without question just by looking like you belong and having something pass-like hung around your neck. You're using people's social expectations of "he is on site, has a pass and knows what he is doing so must be allowed here" to get you in to places where your swipe card won't work.

Re:I hate the term "Social Engineering" (1)

Daimanta (1140543) | more than 6 years ago | (#23022474)

Lying is telling a falsehood as truth.

I am not entirely convinced of that. Some people see lying as telling a falsehood as truth. But others see lying as intentionally try to lie to a person even when telling the truth. It's all about intention. If you accidentally misinform someone, are you lying or are you simply mistaken?

one word. (1)

Neuropol (665537) | more than 6 years ago | (#23021156)

bzzt.

I'm Shocked! (5, Interesting)

ookabooka (731013) | more than 6 years ago | (#23021160)

Not really though. A good team of social engineers (con men) and CS people can accomplish many many things...How can you prevent such things? Ridiculously strong security? Require the security guard at my place of employment to scan my ID each and every time I walk in the building? Is he supposed to also stop law enforcement from going in without clearance from HQ? I'm quite serious, what would be an effective way to stop these tactics? Everything I think of is either too impractical for most situations or prone to the same failures, but at different points.

Re:I'm Shocked! (4, Insightful)

QuantumG (50515) | more than 6 years ago | (#23021262)

Require the security guard at my place of employment to scan my ID each and every time I walk in the building?
If you work with national infrastructure, they god damn better.

Re:I'm Shocked! (2, Funny)

kestasjk (933987) | more than 6 years ago | (#23021404)

Yup the terrorists could shut down the power grid; it'd be like 9/11 but with light bulbs instead of people!

Since OTT security costs OTT money I think they should stick with sane security checks, and not worry about headline grabbing pranks like these

Here is a "sane" security measure (5, Insightful)

johannesg (664142) | more than 6 years ago | (#23021580)

Disconnect the damn control network already. It will be much harder to break into when it is not physically connected to the internet.

Re:Here is a "sane" security measure (1)

robot_lords_of_tokyo (911299) | more than 6 years ago | (#23021654)

There is no excuse for that. Incompetence on the design level, as well as the enforcement level...Probably worthless auditors as well...

What kind of oversight do Loyal Bushies give??? (-1, Troll)

mikelieman (35628) | more than 6 years ago | (#23022392)

What kind of oversight do Loyal Bushies give???

None.

That's why the control network can be exploited using web resources.

Re:Here is a "sane" security measure (5, Insightful)

chaoticgeek (874438) | more than 6 years ago | (#23021664)

I'm kinda confused by this too, why is the power grid on the Internet? Seems like a very illogical thing to do in my opinion. I think they would have two networks in each building, one for the power grid computers and controls and one for anything that needs access to the Internet. If something has to be transmitted to another building either they need to lay down some sort of infrastructure or use SneakerNet...

Re:Here is a "sane" security measure (2, Funny)

kestasjk (933987) | more than 6 years ago | (#23022492)

I'm sure they have a good reason for it; they're not stupid

Re:I'm Shocked! (1)

GeigerBC (1056332) | more than 6 years ago | (#23021610)

The transmission lines and interstate network are also part of the national infrastructure. Hard to scan IDs when you walk by those.

Re:I'm Shocked! (3, Insightful)

witherstaff (713820) | more than 6 years ago | (#23021704)

After the '03 outage it made me wonder how safe all those high-rise electrical towers that run across the country are. A stick of dynamite on a tower itself, or even just a few shots with a rifle to the wires attached. Would just one tower lead to another blackout - scary considering those towers are of course everywhere.

I've wondered over the years what someone with a high powered rifle taking potshots at oil/propane/liquid hydrogen tankers on the interstates would do. Mainly this crosses my mind while driving alongside one of them and having seen too many Hollywood movies with things blowing up.

Re:I'm Shocked! (2, Informative)

FireBreath (724099) | more than 6 years ago | (#23021752)

I've wondered over the years what someone with a high powered rifle taking potshots at oil/propane/liquid hydrogen tankers on the interstates would do. Mainly this crosses my mind while driving alongside one of them and having seen too many Hollywood movies with things blowing up.

Don't you watch Mythbusters? They proved you can't just go blowing up canisters in huge fiery explosions with rifles. It takes a fair bit of explosives to do that.

Now where did I leave that RPG...? :)

Re:I'm Shocked! (1)

Mikkeles (698461) | more than 6 years ago | (#23022370)

Tracers.

Re:I'm Shocked! (4, Informative)

dbIII (701233) | more than 6 years ago | (#23021748)

I have to admit I have gained that sort of access just with a pair of overalls. It was one of those stupid catch22 situations where you had to do a one day safety course to be authorised to get through the gate and you had to get through the gate and walk through the middle of the turbine hall to get to where the course was held so you could get your ID. A similar thing happened at another power station but that time I actually had the company logo on the overalls - but yes I did just walk in and go right up to the control room that time. Oil refineries are a different story - the ones I visited had administrative buildings outside the gate so you didn't have to get full site access just to meet someone in the place.

Re:I'm Shocked! (4, Insightful)

teh moges (875080) | more than 6 years ago | (#23021332)

Maybe don't go to the extremes of requiring everything to need high security (such as entering the building or doing everyday work), but things such as shutting down the power grid should require extra security. Access to the important controls should have extra security. With security, one size does not fit all.

Re:I'm Shocked! (2, Insightful)

Anonymous Coward | more than 6 years ago | (#23022268)

shutting down the power grid should require extra security

DANGER WILL ROBINSON!

CRITICAL FAILURE IS IMMINENT, YOU MUST SHUT DOWN THE REACTOR IMMEDIATELY

Please enter password:

Password is incorrect!
Password is incorrect!
Password is incorrect!

You have been locked out for 10 minutes.

Re:I'm Shocked! (0)

Anonymous Coward | more than 6 years ago | (#23021378)

Security, in all forms, is never about prevention - it's about deterrence. Even nuclear weapons don't prevent anything, but the threat of a counterstrike deters a nuclear attack. Similarly, WEP keys don't mean shit, passive scanning (completely undetectable) can crack the best WEP keys in probably under a day as well, and good security experts have tricks not just to crack, but to bypass and cut down those issues far further (if I prepare and then try to go crack a secure wifi home/small office wifi network - even larger companies as well - it takes me all of about 10-30 seconds. That time is just the physical time it takes the gateway to update after I log in and hijack, which can be done essentially instantly.)

Just the same, bouncers outside a club don't prevent entry, they just deter brute forcing the door. If you really wanted to get in the club in a hurry you could walk up with a gun, mow them down, and walk in - wouldn't even have to break stride.

It's not a matter of computer encryption; the level of good modern encryption and layering is a very very effective deterrent to common attacks and even clever ones. Why bother trying to hack a password or bypass routines when you can write an email to an employee from a fake email address claiming to be company tech support and just ask them for their login/password? Or walk in the front door of the building and say you're with city power. People are so fucking easy to manipulate that social engineering is the real way to hack nowadays; a properly set up Linux is really quite secure.

Using both in conjunction? Almost any modern deterrence becomes trivial.

Hell, DARPA got 'cracked' a while back by a guy logging in using the login: Admin, password: , the default Windows setup. No social engineering, no computer knowledge required. It's sort of like trying to build a space elevator, putting up a satellite and a counterweight and actually getting a nanotube cable and then having a guy just hold the cable from earth. Why bother trying to sabotage the satellite or the counterweight or the cable when you can just wait until the guy gets tired and falls asleep - shit practically cracks itself.

Re:I'm Shocked! (4, Funny)

Anpheus (908711) | more than 6 years ago | (#23021682)

Wait, guys, I have a fix!

*unplugs cat-5 from firewall between power control computer and local intranet*

Wait, you were saying something about prevention and deterrence and I rudely interrupted. Please, carry on.

Prevention is easy, don't network the systems (0)

Anonymous Coward | more than 6 years ago | (#23021430)

The subject says it all. Just don't network systems that are so damn important to the fucking Internet or networks you don't trust. Why is that so complicated for people to understand? Sure you lose the Internet's utility and access to some of your internal resources, but on the plus side, the power grid to thousands/millions of customers is secure. The only desktop that should have access to this kind of network should be the desktop of the engineer maintaining the system.

Re:I'm Shocked! (2, Insightful)

Yvanhoe (564877) | more than 6 years ago | (#23021630)

Access to the crucial computers should require a training where computer security and social engineering are explained. Every user access should have different passwords, easily revocable as soon as a flaw is detected. Of course, crucial computers should be on a different network than internet-connected systems.

Re:I'm Shocked! (1)

witherstaff (713820) | more than 6 years ago | (#23021668)

Why not take measures akin to the nuclear facilities? The local ones don't even allow parking right near the facilities, they bus the employees in from remote parking lots on a regular schedule. Let alone the stringent security within the plants.

Re:I'm Shocked! (3, Insightful)

Jessta (666101) | more than 6 years ago | (#23021762)

Separation of privileges is the best method. Social engineering tends to work because people who have privileges lack certain information and/or lack authority in the role of the privileges they have.

If you have full authority in your role and personally know everyone who is involved in your role then you can't be easily tricked by people outside your role into doing things.

This requires education and a proper company structure, which requires good smart people in management.

IMHO (1)

onion_joe (625886) | more than 6 years ago | (#23021826)

Apply similar tactics to Real Life situations as you would to computer-to-computer transactions.

Depending on the level of security required: a combination of all post, contextual transmissions, one time keypads, PGP encryption, ROT 13, plain text.

Yes, computers and people are different. These are the best encryption techniques, in order of security, to date.

Security is not just computers, it is a constant in all possible 'power based' scenarios.

And that's my $0.02

Re:I'm Shocked! (1)

Idaho (12907) | more than 6 years ago | (#23022570)

Not really though. A good team of social engineers (con men) and CS people can accomplish many many things...How can you prevent such things? Ridiculously strong security?
It looks to me like having ridiculously *weak* security every step of the way is what made it so easy for these social engineers to be effective. Countering this by saying "well yeah, but what are we supposed to do, they can break it anyway!!" is not a valid argument, IMO.

Of course it will always be possible if someone is really determined and is willing to spend significant resources and take a lot of risk (such as bribing people, blackmailing, hiring PI's, breaking and entering the physical building), but that does not mean it's ok to say "well, someone could break our security system anyways so let's just not bother with placing any security constraints in place whatsoever".

Because if both risk and cost are close to zero (investing 1 day of time and probably some equipment doesn't sound *that* expensive to me), you're practically inviting something bad to happen.

Concretely, it is ridiculous that the same terminals that can be used to control the power plant, are also directly connected to the internet. Had this not been the case, I'm sure it would have taken a lot more effort to do anything interesting (like, shutting down the plant).

So that's what really happened.... (0)

Anonymous Coward | more than 6 years ago | (#23021166)

Hope it wasn't some hacker who really caused the 2003 blackout.... http://en.wikipedia.org/wiki/2003_North_America_blackout [wikipedia.org]

Is everything on the internet? (3, Insightful)

Armon (932023) | more than 6 years ago | (#23021182)

Why wouldn't the power company use a private network? Why is there EVER a need to have access to those systems over the internet?
Realistically, no part of a nation's critical infrastructure should be networked (other than the internet itself). That seems pretty obvious.

Re:Is everything on the internet? (1, Informative)

Brian Gordon (987471) | more than 6 years ago | (#23021216)

They did- and the penetration testers got access to internal-networked workstations and hacked from there.

Re:Is everything on the internet? (3, Insightful)

Anonymous Coward | more than 6 years ago | (#23021308)

Connectedness is transitive. It wasn't a private network if it can be accessed from the outside.

Re:Is everything on the internet? (4, Informative)

Anonymous Coward | more than 6 years ago | (#23021312)

I don't understand "they did". Internet and SCADA were available on the same desktops:

"Individual desktops have Internet access and access to business servers as well as the SCADA network, making the control systems subject to Internet threats."

Re:Is everything on the internet? (0)

Anonymous Coward | more than 6 years ago | (#23021240)

Given how cheap computers are why are these machines on the internet at all. Stupid, stupid, stupid. It took 5 years after http://www.computerworld.com/printthis/2003/0,4814,84510,00.html [computerworld.com] for this one company to look into their security? How screwed are the others? At what point does this become criminal negligence?

Re:Is everything on the internet? (4, Informative)

jroysdon (201893) | more than 6 years ago | (#23021260)

The problem is the layers. The Desktop PCs (you know, the ones you use to check email and surf the web) have access to the internet (probably just outbound), and access to the SCADA networks. While you cannot initiate an inbound connection to those Desktop PCs, all you have to do is get someone to click on a link and get infected with something that sits on their PC and maintains an outbound connection (think GoToMyPC [gotomypc.com] ). From there, the exploit team has access to their PCs and everything their PCs have access to.

In an ideal world, they'd have two PCs on each desktop. One on the internet, one on the SCADA network. The two should never be connected. That's how the military is supposed to do it between different levels of their networks (the two different levels are never to be connected).

But that costs you twice as much, and isn't convenient. But you'd never have a security breach.

Oh, and they buy and sell power over the internet between different power companies, so right there is a reason you'd need some SCADA system connected with internet access (but you could have those systems very, very locked down as to what and how they can access between things).
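The pivot jroysdon describes above (a desktop that can reach both the Internet and the SCADA network, compromised through an outbound browser session) is exactly what a flow log can reveal before an attacker finds it. The following is an added example, not code from the article or from Winkler's team: it parses constructed connection records of the form `<src_ip> <dst_ip> <dst_port>` and lists every host that has talked to both the SCADA subnet and a non-corporate destination. The subnet ranges, the sample addresses and the log format are all assumptions for illustration.

```python
"""Find dual-reach 'bridge' hosts from a simple connection log.

Added example (not from the Slashdot thread or the RSA talk). Assumes one
record per connection: "<src_ip> <dst_ip> <dst_port>". Any source that
both reaches the Internet and reaches the SCADA subnet is a host that an
attacker can compromise via outbound browsing and then use to pivot into
the control network, which is the path described in the post above.
"""
import ipaddress
from collections import defaultdict

# Assumed address plan (illustrative, not from the article).
SCADA_NET = ipaddress.ip_network("10.200.0.0/16")
CORP_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log: a desktop (10.10.5.23) that browses the web on
# 443 and also talks Modbus (502) into the SCADA range, plus some benign hosts.
SAMPLE_FLOWS = """\
10.10.5.23 203.0.113.7 443
10.10.5.23 10.200.1.10 502
10.10.5.24 10.200.1.11 20000
10.10.5.25 198.51.100.9 80
10.10.5.26 10.10.7.4 445
"""


def is_internet(dst):
    """Treat every destination outside the corporate ranges as Internet.

    Deliberately not using ipaddress.is_global: the documentation ranges
    used in the sample are classed as non-global by the stdlib, and for
    this check 'not ours' is the property that matters anyway."""
    return not any(dst in net for net in CORP_NETS)


def parse_flows(text):
    """Parse log text into (src, dst, port) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            port = int(parts[2])
        except ValueError:
            continue
        flows.append((src, dst, port))
    return flows


def find_bridge_hosts(flows):
    """Return sorted source IPs that reached both the SCADA subnet and the Internet."""
    reach = defaultdict(set)
    for src, dst, _port in flows:
        if dst in SCADA_NET:
            reach[src].add("scada")
        elif is_internet(dst):
            reach[src].add("internet")
    return sorted(str(h) for h, seen in reach.items() if {"scada", "internet"} <= seen)


if __name__ == "__main__":
    for host in find_bridge_hosts(parse_flows(SAMPLE_FLOWS)):
        print("bridge host:", host)
```

Run against real NetFlow or firewall exports, the same logic turns a segmentation policy ("no desktop may reach both") into something you can verify every day rather than assert once in a design document; the hosts it lists are the ones to move behind the second PC, or the jump host, that jroysdon describes.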

Re:Is everything on the internet? (1)

QuantumG (50515) | more than 6 years ago | (#23021276)

But you'd never have a security breach.
Unless someone wants to transfer a file between the two machines, so they use a USB storage device [quantumg.net] to do it.

Re:Is everything on the internet? (2, Interesting)

jroysdon (201893) | more than 6 years ago | (#23021326)

Even still, you wouldn't have any way for someone to remotely control those systems. A virus/worm might get spread from the internet PCs to SCADA PCs at the worst, but there is no way to control them (short of sending another message via virus and long time delay via "sneakernet" USB storage device).

But safer than that would be a way to have a DMZ storage system (not internet DMZ, but DMZ between internal Internet-access PCs and SCADA system PCs) that each different type of PC can drop data off in, but that DMZ system has no access out to either side. So you can drop data off, and then go get it from the other side. So long as your data is just raw data (db info of some sort, I'd imagine), there isn't a way you're ever going to push a virus/worm back and forth.
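The "raw data only" rule in the post above only holds if the drop-off store actually enforces a data schema, otherwise the store is just a file share and carries whatever gets dropped. The following is an added example, not from the thread: a default-deny validator for records of the form `<tag>,<unix_time>,<value>` that a historian-style relay could apply before anything crosses from one side to the other. The field layout, length limits, and sample readings are assumptions made for the illustration.

```python
"""Default-deny schema validator for a one-way data drop-box.

Added example (not from the Slashdot thread). Assumes each record is
"<tag>,<unix_time>,<value>": a short alphanumeric tag, an integer
timestamp, and a finite float. Everything else (extra columns, markup,
non-printable bytes, oversized lines, NaN/inf) is rejected, so the store
between the Internet-facing side and the SCADA side can only ever hold
plain measurements, never executable or script content.
"""
import math
import re
from dataclasses import dataclass

TAG_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")   # assumed tag alphabet
TS_RE = re.compile(r"^\d{1,10}$")                # unix seconds, integer only
MAX_LINE = 128                                   # assumed per-record limit
MAX_RECORDS = 10_000                             # assumed per-batch limit


@dataclass(frozen=True)
class Reading:
    tag: str
    ts: int
    value: float


class RejectedRecord(ValueError):
    """Raised for any line that does not match the schema exactly."""


def parse_record(line: str) -> Reading:
    """Parse one record or raise RejectedRecord; never 'best effort'."""
    if len(line) > MAX_LINE:
        raise RejectedRecord("line too long")
    if not line.isascii() or not line.isprintable():
        raise RejectedRecord("non-printable or non-ASCII content")
    parts = line.split(",")
    if len(parts) != 3:
        raise RejectedRecord("expected exactly 3 fields")
    tag, ts, raw_value = parts
    if not TAG_RE.match(tag):
        raise RejectedRecord("bad tag")
    if not TS_RE.match(ts):
        raise RejectedRecord("bad timestamp")
    try:
        value = float(raw_value)
    except ValueError:
        raise RejectedRecord("bad value") from None
    if not math.isfinite(value):          # float("1e999") is inf, float("nan") is nan
        raise RejectedRecord("non-finite value")
    return Reading(tag, int(ts), value)


def validate_batch(text: str):
    """Return (accepted, rejected). Rejected entries carry (line_no, reason)."""
    accepted, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if n > MAX_RECORDS:
            rejected.append((n, "batch too large"))
            break
        line = line.strip()
        if not line:
            continue
        try:
            accepted.append(parse_record(line))
        except RejectedRecord as exc:
            rejected.append((n, str(exc)))
    return accepted, rejected


# Constructed sample batch: two good readings, then three that must be refused.
SAMPLE_BATCH = """\
GT1.MW,1207900800,48.25
GT1.RPM,1207900800,3600
GT2.MW,1207900800,not-a-number
GT1.MW,1207900800,1e999
<script>alert(1)</script>,1207900800,1
"""


if __name__ == "__main__":
    ok, bad = validate_batch(SAMPLE_BATCH)
    print(f"accepted {len(ok)} records, rejected {len(bad)}")
    for line_no, reason in bad:
        print(f"  line {line_no}: {reason}")
```

The design choice is that the validator re-emits typed `Reading` objects rather than forwarding the original bytes: whatever reaches the other side is reconstructed from parsed fields, so a line that passes the checks cannot smuggle anything beyond a tag, an integer and a float.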

Re:Is everything on the internet? (0)

Anonymous Coward | more than 6 years ago | (#23021366)

Ya, this used to be called sneaker net. When two networks are totally separate, it becomes much harder to socially engineer someone to play a game or watch porn on the (secure) separate network.

Re:Is everything on the internet? (1)

emjay88 (1178161) | more than 6 years ago | (#23021376)

Airwalls [wiktionary.org] are great!

Unless there's a wireless network...

Re:Is everything on the internet? (5, Interesting)

utunga (113450) | more than 6 years ago | (#23021552)

I worked at a place that supposedly had two totally separate networks - one connected to the internet, one corporate wide, for news/data/intranet stuff.

So, sure, everybody has two desktops.. one for internal one for everything else. It was great in theory - really stupid in practice. Just doesn't work.

Reality is - there is an expectation that data from outside is available inside. In the power company case it might be everything from the latest gas pricing information to weather reports to who knows what else - and so in 'getting things done' this will inevitably require connections between the outside and the inside.

So, as a result of this 'blanket policy' contrasting with the 'real world' people would circumvent the rule - but do it in stupid, sneaky ways -- for example in one data center there was, literally, an infrared tunnel between two computers -- "see, they are not 'physically connected' !!" .. And try to keep it secret from the network ops guys, of course.

It would've made a lot more sense to supply a safe, heavily controlled/monitored firewall that connects outside to inside and let the network security people manage it. Otherwise your choices are (1.) actually enforce the rule and totally cripple the effectiveness of the internal system (with the result that nothing of any importance gets put there) or (2.) really lame hacks pretending to be secure and working around the blanket rule, when in actual fact they are invisible bridges that the network ops guys don't know about.

I saw alternative 2. in real world practice. Let's consider option 1. - if they really did manage to make the SCADA network totally separate **and enforce that**. In that case you'd probably just end up with the forecasting/power-station-scheduling app running on the 'outside' network - and just the final 'implement it' step on the internal SCADA. Since the scheduling app is the one where the real decisions are made - hacking into that would let you send signals and information that would look relatively harmless but would still, in effect, shut down the power grid. You are still sending information - in this case mediated by human brains, but not in a way that the human brain can easily understand because it's low-level commands (turn this up, turn that down) - that could very effectively mess up the voltage balance or frequency timing or whatever, causing rolling blackouts and thus achieving the same aim of shutting down the power grid. There is information flowing from outside to inside - whether it is via human or machine.

Security through dis-connectivity is a dangerous myth in most cases. In some cases, say military situations where you are willing to absorb the huge cost of re-implementing a complete replacement for just about every dang thing you might need on the inside (e.g. weather data, or radar data, say) then it may make sense. In just about every realistic corporate case - even power companies - it's likely to only cause people to take their eye off the ball of implementing real security and proper firewalls etc.

Re:Is everything on the internet? (1)

utunga (113450) | more than 6 years ago | (#23021562)

Consider -- if the military used data from the 'normal' weather satellites and supplied over the internet, say, then potentially you could hack that, tell them the wrong weather - resulting in stranded helicopters, or catching them off balance or who knows what else. To be safe they have to (presumably) have a totally separate downlink to get weather data directly into the military network - that has to be expensive!!

Re:Is everything on the internet? (2, Interesting)

1u3hr (530656) | more than 6 years ago | (#23021814)

The problem is the layers.

The problem, as usual, is Windows. If you RTFA, they just set up a site and emailed the power station guys that there was a change to their pensions or health benefits, for more information.... so they clicked on the link and were pwned immediately. No specifics, but does anyone doubt this was Internet Explorer running on Windows?

Solution: Others have pointed out the need to transfer information routinely via the Internet. How about the desktops run Ubuntu, or OSX or ANYTHING except Windows? Risks of an exploit of the desktop will be much reduced, and even if successful, there is a bigger barrier if it has to work across different OSs (sadly the power supply monitoring software apparently runs on Windows, and is unlikely to be rewritten).

Whatever the solution, it will have as Step 1: Get rid of Windows facing the Internet.

Re:Is everything on the internet? (1)

BSAtHome (455370) | more than 6 years ago | (#23022388)

Well, the update policy is lacking at those companies. Your idea works much better if you use a different processor architecture (like ppc or arm). Most threats are geared at wintel architecture. Going away from that makes it much harder (and windows luckily won't run on it, which is an implicit benefit).

Re:Is everything on the internet? (1)

itsthebin (725864) | more than 6 years ago | (#23022482)

Yes - that Windows thing. Every single Plant Control System that I have used for the past 10 years runs on top of Windows. The PCS will be separated from the inter/intranet via a hardware firewall.

Re:Is everything on the internet? (3, Informative)

Tarwn (458323) | more than 6 years ago | (#23022358)

In cases where buying and selling of power is happening at the plant level, it is not going to be the equipment operator that is buying and selling power. And the person selling power does not need access to SCADA systems, that's what the telephone is for and why they have operators at plants to run the equipment. If somewhere there is a plant that is small enough that one person is both buying and selling power AND running the equipment, I'm betting they barely have an internet connection, much less the money to keep up on annual maintenance for the equipment, etc.
In the power plants I have worked in (mostly gas turbine, only one nuclear), there was not any type of internet access from PCs on the controls network. For the most part these systems only ran some form of HMI software (WW, RS, WESstation, whatever) and occasionally something like MS Word or Excel for shift pass-down notes. Sure they had a browser (on the Windows systems) but it wouldn't get them anywhere because there was only one system that had any level of access to both the business intranet and the controls systems. This system (data historian) could only receive communications from the controls side (which had interface software that knew how to contact the historian) and communicated in a proprietary protocol.

Now, as far as the corporate office is concerned, pencil and paper are good enough to keep track of which plants are running which generators, which plants have which generators down for minors or majors, and which plants have generators idling (running with no load at very low levels, not on the grid - cheaper to idle them in most cases than to shut them down). However, in the case of at least one company I worked for, their historian had an interface that pushed data back to a corporate historian, then some reports and so on would run at corporate that drew data from the corporate historian and reported machine statuses, load level, etc up to the last few seconds. This is again using the same proprietary protocol (or heck, maybe a different one).

I don't know what power company this article is about, only that I didn't work there and didn't do any type of integration for them. Whoever set up their infrastructure hopefully learned a lesson and will do it right next time.

Re:Is everything on the internet? (1)

pseudochaos (1014063) | more than 6 years ago | (#23021274)

I agree - that's a rookie mistake.

Re:Is everything on the internet? (2, Interesting)

kitsunewarlock (971818) | more than 6 years ago | (#23021436)

At this point it's probably a money saver. They wanted the internet in the building, but didn't want to buy another set of computers when they already had internet capable computers probably (I'm guessing) as monitoring stations.

The short answer is: "Boss is cheap and employees will quit if they can't watch YouTube in one window as they watch the grid in the other."

Of course, they could be completely incompetent and simply be using the internet this way so they can monitor things from outside the building...which still doesn't make much sense to me. If anything, it should be one man's job to manually transfer the data via flash memory device to and from the non-networked computer and the networked computer every 15 minutes to ensure whoever was too lazy to come to work can get up to the minute information. Or, you know, just connect it to the internet when it's absolutely necessary. It's the same reason I don't keep my cell phone on all the time: I don't want people accessing it when I'm in the shower, class, driving, etc...

To continue your sentiments: if you don't want people accessing your device, turn it the hell off or snip the (many times, due to wireless technology, metaphorical) cord that connects it to everyone else. There is no shame in unplugging your Ethernet once in a while. If anything connect it with such a slow connection that by the time a virus got through, the connection would sever due to the person attempting to view two images at once (28.5 kbs modem FTW).

I am black (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#23021184)

I am black. Does that make me a nigger?

Don't do this for real. (2, Informative)

Profane MuthaFucka (574406) | more than 6 years ago | (#23021188)

Google can help you pick your target.

http://www.google.com/search?q=%40ercot.com&btnG=Search&hl=en&safe=off&rlz=1B3GGGL_enUS264US264 [google.com]

That's a search for "@ercot.com", and if you don't know, ERCOT runs the Texas power grid market. There's another one for the East grid, and another for the West. You can find them yourself.

Oops. (4, Insightful)

Renraku (518261) | more than 6 years ago | (#23021194)

An attack on a control point of the power grid could cause millions in damage if properly executed, and possibly lives from extended loss of power. I'd like to think the power grid has built-in protections to keep a 'bad node' from ruining several others, but it just might not..seeing as how companies build for economy before they build for safety.

Even something as simple as opening a few junctions could cause fireworks..take a look at some online videos about 'opening hot' for example..now imagine if that arc caught other pieces of equipment because the line was still energized.

Simply put, the power industry needs to step up to the plate and harden both their network infrastructure and their meatspace infrastructure against malicious attack.

Re:Oops. (1)

Ruke (857276) | more than 6 years ago | (#23021294)

To be fair, there have been steps taken since the 2003 blackout to make the power system more reliable. With the Energy Policy Act of 2005, membership in the North American Reliability Council (NERC) has gone from completely voluntary to federally mandated. Failure to adhere to industry standards [nerc.com] can carry a fine of up to $1 million per day. The CIP- standards all deal with cyber-security, and the EOP- standards specify what happens in an emergency situation - for example, a big node goes down, and initiates a cascading failure. Automated systems are required to be in place that will cut the power in such situations, leaving some people in the dark, but protecting the grid as a whole. Is the system perfect? No, probably not. A good social engineer could probably still weasel his way into a system. But steps have been taken to minimize damage in such a situation.

Re:Oops. (1)

Pastis (145655) | more than 6 years ago | (#23021434)

seeing as how companies build for economy before they build for safety.

The funny thing is that building for safety would build for economy in the long run. A good example is nature. We are fairly resistant systems and we wouldn't have survived if not for it.

free electricity? (1)

suck_burners_rice (1258684) | more than 6 years ago | (#23021206)

Why shut down the grid? Get free electricity! Joking aside, this reminds me of a true story I once heard. It took place sometime in the late 1940s and involved the British energy company providing free electricity to a factory, due to someone's connections with employees of the energy company. This continued for many months, maybe even a few years. They were never caught, as far as I know, and the story was kept secret by all those involved for at least two decades.

Re:free electricity? (2, Funny)

Anonymous Coward | more than 6 years ago | (#23021324)

An unknown someone in Great Britain got free power for an unknown factory for an unspecified amount of time, because they knew another unknown someone at the unnamed power company. Sometime in the late 1940s.

No-one was ever caught.

Cops probably didn't have much to go on, really.

That's a great story. Delivery could use a little work though.

penetration-testing? (5, Funny)

Anonymous Coward | more than 6 years ago | (#23021218)

How do I get a job as a penetration tester? I wonder what that interview would be like?

Re:penetration-testing? (4, Funny)

Anonymous Coward | more than 6 years ago | (#23021388)

If an applicant goes to an interview, then he cannot merit the job.

In penetration testing, the successful applicant hires himself.

Re:penetration-testing? (1)

mr_walrus (410770) | more than 6 years ago | (#23022004)

Does the interviewer provide the test bed? :)
If I'm wearing protection, did I really penetrate?

Re:penetration-testing? (4, Funny)

gnud (934243) | more than 6 years ago | (#23022104)

I wonder how that works as a pickup line.
Hey Baby, have you been with a professional penetrator before?

Pfft.. (5, Funny)

dartarrow (930250) | more than 6 years ago | (#23021220)

Trinity did it in 3 minutes.

In Leather

Social engineering (1)

JayTech (935793) | more than 6 years ago | (#23021236)

Social engineering, eh? Kevin Mitnick would be proud...

Re:Social engineering (1)

Lovat (1248352) | more than 6 years ago | (#23021284)

I hope I'm taking it the wrong way but in case I'm not:

Mitnick used social engineering . . .

At least if I'm remembering it right.

Re:Social engineering (1)

JayTech (935793) | more than 6 years ago | (#23021372)

That rephrase please? ;-) Sometimes it's better to make sense than dollars...

Call me paranoid, (3, Informative)

pitchpipe (708843) | more than 6 years ago | (#23021238)

but this is why we have one of our operator's desktops totally disconnected from regular TCP/IP networks. It communicates to the rest of the system through PROFIBUS, which would be difficult to hack. If we need to run and all hell is breaking loose (virii, hackers, etc.) we just disconnect from the rest of the world and run. We will lose historical data and remote access, but if we're running the rest is just gravy.

If real hackers had done it... (1)

retech (1228598) | more than 6 years ago | (#23021252)

it would have taken an hour and had a helluva goatsee up for all to see. It only took a day 'cuz they were union and had a power lunch and a massage appt. at 3pm.

amateurs

Re:If real hackers had done it... (0)

Anonymous Coward | more than 6 years ago | (#23021306)

Getting paid loads of money makes them amateurs?

Re:If real hackers had done it... (0)

Anonymous Coward | more than 6 years ago | (#23021406)

I don't think you've watched War Games 2: The limits of the writers' understanding enough times today. You have a quota to fill, fanboy.

Fire Sale. Go, go, go! (0)

Anonymous Coward | more than 6 years ago | (#23021290)

Time to Live Free or Die Hard.

By the power of Grayskull... (4, Funny)

Bob54321 (911744) | more than 6 years ago | (#23021296)

He better of said "I have the power!" when he finally had access to everything.

Re:By the power of Grayskull... (1)

trouser (149900) | more than 6 years ago | (#23021440)

"of" is not a verb.

Re:By the power of Grayskull... (0)

Anonymous Coward | more than 6 years ago | (#23021816)

He's right, have course.

Re:By the power of Grayskull... (1)

johannesg (664142) | more than 6 years ago | (#23021834)

I believe the mafia thinks differently.

Best Job Ever (5, Funny)

SmlFreshwaterBuffalo (608664) | more than 6 years ago | (#23021316)

"Trust me baby, I'm a professional. See? It says so right here on my card -- Penetration-Testing Consultant."

Same problems since 1980 (0)

Anonymous Coward | more than 6 years ago | (#23021370)

I think the same problems exist that were around in the 1980s and nothing has been done about it; you could read all about them in text files on old school BBS systems.

I could do it in less than 1 minute with only a steel ladder. There is definitely a lot of room for security improvement in this industry...

(although thank you PG&E for the quick response times when people kept rupturing the gas lines near my house)

Security Measures (5, Insightful)

Ihmhi (1206036) | more than 6 years ago | (#23021418)

I should hope that critical things like "TURN THE WHOLE POWER GRID OFF" are not even on a secure server. They should be on terminals that are not even connected to the Internet, much less networked to anywhere else in the building.

It's awfully difficult to hack something when it isn't connected to the Net. Even simple security like multiple checkpoints, a keycard, and several biometric scans (as well as regular, and often, virus and spyware scans) to get to a secure terminal would go well towards protecting the security of our power networks. Hell, post a guard nearby who isn't incompetent.

The one thing Social Engineers/Con Men fear most is challenges - and by challenges, I mean challenges of authority. PROVE you are who you say you are. Check their records against a secure terminal or a hard copy of an employee roster. If anything is remotely fishy, no matter how "important" they say the work is, don't let them past you.

Vigilance is the key, and far too many critical parts of our infrastructure still fail at it to this day.

Re:Security Measures (1)

IKILLEDTROTSKY (1197753) | more than 6 years ago | (#23021486)

Agree, competent guards are a must, but workers too. As a guard for a warehouse that let a ton of questionable things go through, it really comes down to what the guard's incentive is. Most violations seem to be that the guard doesn't care. He won't get a bonus for stopping someone and if the place blows he won't get blamed.

Re:Security Measures (1)

luciddr34m3r (1232248) | more than 6 years ago | (#23021602)

Unfortunately it is never practical to maintain an air gap. If you rely on an air gap for your digital security, you are going to get royally screwed when someone brings in a wireless router or something and bypasses your entire security mechanism. Even the government's classified computer network gets bridged with the normal tubes once in awhile.

Re:Security Measures (4, Interesting)

HexaByte (817350) | more than 6 years ago | (#23021646)

It's NOT just "TURN THE WHOLE POWER GRID OFF" that you have to worry about. The power grid automated when no one worried about computer security, and they still have that old infrastructure in place.

How would you like it if the hackers got into the grid control system and told the IP motors that control the floodgates on the big dams to open all the way, and then send them into a tizzy that burns them out, so they can't be used to shut the gates? How much damage would the downstream flooding cause?

Or how about the test the DHS did, where they gave a generator a command to generate power out of phase with the network, causing it to physically self-destruct? It only takes a few things like this to screw up the country big-time! And it doesn't have to be done on site, it can be comfortably done from the safety and security of your ChiCom hacker network (they've been walking all over our networks for years) or your zombie bot-net.

I've been sounding the alarm on this for years (although many others have been doing a far better job, don't want to take credit for others' work) and finally the industry is responding. It will take billions to correct it in the US, Europe and Far East, while some poor countries don't have the financial means to do it at all.

Re:Security Measures (1)

necro2607 (771790) | more than 6 years ago | (#23022556)

How would you like it if the hackers got into the grid control system and told the IP motors that control the floodgates on the big dams to open all the way, and then send them into a tizzy that burns them out, so they can't be used to shut the gates? How much damage would the downstream flooding cause?
Yeah, no kidding. Imagine what would happen if that occurred with the Three Gorges Dam [wikipedia.org] in China... Woot, 39,300,000,000 cubic metres of water suddenly dropped on your cities! ...

If they really wanted to protect the grid... (3, Interesting)

Anonymous Coward | more than 6 years ago | (#23021446)

They'd post armed patrols out in the mountains..even then good luck.

Why the hell would someone go to all the effort mucking around with computers and hacking and leaving evidence everywhere when they could just go buy a gas axe from the local hardware store and knock down a few of the big towers and cause havoc for days...and have about 0% chance of getting caught to top it off.

I was 4wding up in the high country near my city the other weekend, driving along the maintenance tracks for the big lines that run from the hydro electricity plant to the city. A gas axe to a few of the supports and you could cut power to the city in an hour. Choose the right towers, remote and hard to get to, and it could be out for days. The big lines run through the rugged and isolated mountains for about 100kms (60miles)...good luck stopping someone motivated doing that.

And yet, no one ever has..perhaps, just perhaps there aren't bogeymen trying to get us hiding around every corner?

These 'security experts' that seem to be cropping up left, right and centre these days crying about how unsafe and insecure everything is seem to be little more than a new incarnation of snake oil salesmen.

Ridiculous.

Thats nothing (1)

timmarhy (659436) | more than 6 years ago | (#23021450)

I hacked a kebab in less than 30 seconds.

How exactly did they do it? (1)

Bromskloss (750445) | more than 6 years ago | (#23021560)

That would be the interesting info here. I don't really know why this gets published (on Slashdot!) when there are no specifics available.

"corrupting browsers" (0)

Anonymous Coward | more than 6 years ago | (#23021584)

corrupting browsers on a power company's desktops

No name mentioned, but I think I have a good idea ;-)

Machines run Windows (3, Informative)

pembo13 (770295) | more than 6 years ago | (#23021598)

Not that other operating systems are perfect, but from what I understand, some power grids are mandated to run Windows on as many of their systems as possible - i.e. the technicians/engineers are not allowed to evaluate what OS best meets their needs.

I'm doing some research... (1)

luciddr34m3r (1232248) | more than 6 years ago | (#23021620)

I'm actually doing an undergraduate thesis on computer security and critical infrastructure. It really is shocking what kinds of things you can do on these "critical" systems. It's a big combination of things causing such a headache. The big problem is that these computer systems were not designed with the internet in mind. SCADA systems that control physical systems over a wide geographic area were built before the internet even existed. That means there's poor authentication, and little security at all (and no encryption to boot). This is all very bad, HOWEVER I have been quite pleased that everywhere I have been so far, apparently I'm on the heels of the DHS who are actively investigating these weaknesses, and lots of federal resources are being used to bring these standards up. Yes it's bad. Yes it's getting better. No it's not ever going to be good enough.

Why so long? (0)

Anonymous Coward | more than 6 years ago | (#23021622)

In 2000/2001 I took a look around the LAN of GE. General Electric had power substations (as well as several pieces of medical equipment, including an X-ray machine that could be calibrated remotely) with admin pages available over HTTP and vulnerable to null password authentication (and a few other misc things that didn't require any auth at all). Here's the kicker: GE owns 3.0.0.0/8, and it was all visible to the world.

I don't know if this is the case now, or remember specific hosts that were vulnerable, but I can tell you that if you go looking on 3./8, you'll find interesting shit, and if you lift a laptop from a GE work vehicle (at least a GEMS (General Electric Medical Systems) laptop), VPN information is cached on an unencrypted Windows partition, and if you're on the VPN you can hit nearly every machine. I can also tell you GE laid off hundreds of techs responsible for managing GEMS, and they were already hurting... I can just imagine what it looks like now.

-AC to save myself from the lawyers.

Separate networks? (3, Insightful)

ludomancer (921940) | more than 6 years ago | (#23021626)

Why do we keep critical networks connected to the rest of the net? Why don't resources like these, and the government's, set up proprietary networks that are inaccessible from the global internet base to prevent these sorts of things? I never really understood that.

Re:Separate networks? (2, Informative)

necro2607 (771790) | more than 6 years ago | (#23022546)

Actually, the particular machines that control the resources are very very probably not online. However, other machines with access to their intranet/LAN are. Get yourself control of one employee's machine and you are then effectively sitting inside the office, with the same level of LAN access as the person whose machine you've gained access to, theoretically...

yeah, where's the blackout (1)

davek (18465) | more than 6 years ago | (#23021746)

unnamed this, coulda-done that... My problem with these grey hat hacks is this:

if you didn't actually take down the grid, how do you know with absolute certainty that you could have finished the job?

From TFA, this is what we have:

the server downloaded malware that enabled the team to take command of the machines. "Then we had full system control," Winkler says
sure, buddy. Right. How did you know? What did you try to do? What was the last step where you decided NOT to press "Enter"?

I'll wait until someone actually has the gonads to bring down the system, and then use the "I told you so" argument to prevent being totally raped by the authorities. In other words, we need a sacrificial lamb.

Any takers?

Re:yeah, where's the blackout (1)

necro2607 (771790) | more than 6 years ago | (#23022538)

It's a good point - perhaps if they had attempted to start some shutdown sequence, there would have been password prompts, or who knows what.

They might see the full interface that a full admin might have, but if the system was even half-decently-designed, the developers/designers would probably attempt to make it so sitting down at one of the control machines doesn't just give you the immediate ability to shut down everything...

So the Fuck What? (5, Funny)

EdIII (1114411) | more than 6 years ago | (#23021770)

Nobody would ever, ever, ever take down the power grid. Do you realize the implications of such an act? Screw 9/11 .... We are talking about PORN here. Hundreds of thousands of men that get off work everyday, all at different shifts, and have their pants around their ankles within 10 minutes of being home.

You turn the power off, you take away the porn, the air conditioning for the cold beer, the TV to distract you from your bullshit. You force men to deal with that and I predict a couple hundred thousand men rabidly searching for whoever was responsible for THAT.

Bin Laden has not been found yet, the idiot that takes out the power grid will be found in 30 minutes.....

Re:So the Fuck What? (0)

Anonymous Coward | more than 6 years ago | (#23022472)

Although the above is funny I think it should be modded insightful.

Fir5t (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#23021928)

my efforts w3re is the worst off of an admittedly see... The number

I don't doubt it at all. (1)

necro2607 (771790) | more than 6 years ago | (#23022522)

I don't doubt it at all. Many, many businesses running important systems and infrastructure are no more secure than anywhere else. And that security "everywhere else" is basically a lack thereof.

When you think about it for a moment, these kinds of key things could be successfully attacked and shut down no problem. It's never been otherwise. There are people that just love to break into systems, and it's obvious that some of those people inevitably have far more destructive intentions than simply "penetration testing". I mean, I guess it doesn't get a lot of attention because no one's really done a major attack that has had drastic immediate effects (like shutting down the power grid). Frankly I'm amazed something of a comparable scale hasn't happened - but I guess people with those intentions are probably pacified by the fear of being thrown in jail forever...

Dunno, just growing up in quite a high-tech age, I'm amazed electronic break-ins and destructive vandalism aren't happening notably regularly...

The kind of orchestrated attack mentioned in TFA is definitely not "rocket science". A few talented people could pull off major hacks with a pretty trivial level of effort, especially considering all of these networks that run just plain old Windows XP or 2000. Get some clueless data-entry person to "open the important security update i'm emailing you", whee, you're in, have fun. Even in places with pretty strong security policies, you can never really secure your network from weaknesses and variability of the human mind.

It's not even some action-thriller-cyberpunk movie, I'm sure it could happen at pretty much any time - and it doesn't have to be some foreign intelligence agency - it could just be a couple of teenagers who are super pissed about [whatever] and have the know-how and drive to do it.

Hilarious editorial problem (2, Funny)

Dekortage (697532) | more than 6 years ago | (#23022548)

From the article: "In addition to consulting, Winkler is author of the books Spies Among Us and Zen and the Art of Information Security."

(italics in the original)

Spies Among Us and Zen? Can't wait to read that. And: "Hi, I'm Art. Art of Information Security." Or maybe that is a coffee-table book of famous paintings reimagined through security logs, Matrix-style.
