A team of experts headed by security guru Ira Winkler was hired by an anonymous power company to test the security of a power grid's network. The door was practically held open for them.
In a matter of hours, the team infiltrated the grid's supervisory control and data acquisition (SCADA) networks using simple phishing techniques: social engineering and browser exploits.
Social engineering is seen by many as a glamorized confidence trick. The penetration team checked distribution lists for SCADA user groups, harvested appropriate email addresses, and then employed a simple trick to gain the targeted users' access. Employees were sent an e-mail about a plan to cut their benefits, which included a link to a Web site with "more information." The link led to malware that granted the testers remote access. The trick was effective within minutes.
With the level of access these white hats obtained, the possible damage would not be limited to simply shutting down a grid, as a group of hackers managed to do for 17 days to a "practice network" in California in 2001. In comments to CNN last year regarding a leaked video of a staged hack that resulted in the self-destruction of a power generator, Joe Weiss of Applied Control Solutions said, "What people had assumed in the past is the worst thing you can do is shut things down. And that's not necessarily the case. A lot of times the worst thing you can do, for example, is open a valve -- have bad things spew out of a valve."
Winkler says that these SCADA systems suffer the same vulnerabilities as any other system running on the same standard operating systems and server hardware. Companies have perpetuated the weakness of these systems by not applying important software upgrades, because doing so would force downtime.
But scheduled downtime is no doubt preferable to suffering the consequences of an exploit. Winkler stressed the seriousness of security in these systems while maintaining a lighthearted air about his job: "We had to shut down within hours," Winkler says, "because it was working too well. We more than proved that they were royally screwed."
Ten years ago Wired published an article called Hacking the Power Grid, which included the following: "With deregulation, there is an increasing interest in energy futures trades at the commodities exchange on Wall Street. [IBM senior consultant Nick] Simicich said hackers might use social engineering techniques to obtain passwords to computers with access to the networks containing sensitive information from these sources."
Apparently little has changed in a decade.