Experts Hack Power Grid in Less Than a Day 302
bednarz writes "Cracking a power company network and gaining access that could shut down the grid is simple, a security expert told an RSA audience, and he has done so in less than a day. Ira Winkler, a penetration-testing consultant, says he and a team of other experts took a day to set up attack tools they needed then launched their attack, which paired social engineering with corrupting browsers on a power company's desktops. By the end of a full day of the attack, they had taken over several machines at the unnamed power company, giving the team the ability to hack into the control network overseeing power production and distribution."
Don't do this for real. (Score:2, Informative)
http://www.google.com/search?q=%40ercot.com&btnG=Search&hl=en&safe=off&rlz=1B3GGGL_enUS264US264 [google.com]
That's a search for "@ercot.com", and if you don't know, ERCOT runs the Texas power grid market. There's another one for the East grid, and another for the West. You can find them yourself.
Re:Is everything on the internet? (Score:2, Informative)
Call me paranoid, (Score:3, Informative)
Re:Is everything on the internet? (Score:5, Informative)
In an ideal world, they'd have two PCs on each desktop. One on the internet, one on the SCADA network. The two should never be connected. That's how the military is suppoesd to do it between different levels of their networks (the two different levels are never to be connected).
But that costs you twice as much, and isn't convenient. But you'd never have a security breach.
Oh, and they buy and sell power over the internet between different power companies, so right there is a reason you'd need some SCADA system connected with internet access (but you could have those systems very, very locked down as to what and how they can access between things).
Re:Is everything on the internet? (Score:4, Informative)
"Individual desktops have Internet access and access to business servers as well as the SCADA network, making the control systems subject to Internet threats."
Machines run Windows (Score:4, Informative)
Re:I'm Shocked! (Score:5, Informative)
Re:I'm Shocked! (Score:2, Informative)
I've wondered over the years what someone with a high powered rifle taking potshots at oil/propane/liquid hydrogen tankers on the interstates would do. Mainly this crosses my mind while driving alongside one of them and having seen too many Hollywood movies with things blowing up.
Don't you watch Mythbusters? They proved you can't just go blowing up canisters in huge firey explosions with rifles. It takes a fair bit of explosives to do that.
Now where did I leave that RPG...? :)
Re:Is everything on the internet? (Score:4, Informative)
In the power plants I have worked in (mostly gas turbine, only one nuclear), there was not any type of internet access from PC's on the controls network. For the most part these systems only ran some form of HMI software (WW, RS, WESstation, whatever) and occasionally something like MS Word or Excel for shift pass-down notes. Sure they had a browser (on the Windows systems) but it wouldn't get them anywhere because there was only one system that had any level of access to both the business intranet and the controls systems. This system (data historian) could only receive communications from the controls side (which had interface software that knew how to contact the historian) and communicates in a proprietary protocol.
Now, as far as the corporate office is concerned, pencil and paper are good enough to keep track of which plants are running which generators, which plants have which generators down for minors or majors, and which plants have generators idling (running with no load at very low levels, not on the grid - cheaper to idle them in most cases then to shut them down). However, in the case of at least one company I worked for, their historian had an interface that pushed data back to a corporate historian, then some reports and so on would run at corporate that drew data from the corporate historian and reported machine statuses, load level, etc up to the last few seconds. This is again using the same proprietary protocol (or heck, maybe a different one).
I don't know what power company this article is about, only that I didn't work there and didn't do any type of integration for them. Whoever setup their infrastructure hopefully learned a lesson and will do it right next time.
Re:Seperate networks? (Score:3, Informative)
Re:I'm Shocked! (Score:4, Informative)
Here's the first clue:
Public utilities are public! They're not armed fortresses. They were originally created to be open institutions where people could see what is going on. They're supposed to share data and cooperate with each other.
Here's the second clue:
There are many who need the information about the utility's performance to do their day to day jobs. The volumes of information and the volumes of regulatory agencies, and other groups they need to inform increase every day. Securing these connections isn't for the faint of heart. I say this as a member of ISA-99, the international standards body for SCADA security.
That said, most companies have secured the distribution systems. However, these are highly customized systems. You can't bolt security on them after the fact. Replacing them is nothing like replacing or upgrading an information system. There is this little problem known as system validation. It is extremely expensive. Furthermore, the standards for securing these systems are still very much in development (I'm on one of those standards committees too).
SCADA systems are in the Ford Model T days. You want to bolt a seat-belt and airbags to it. These things may help, but if you really want things to be secure, we need to rethink the entire infrastructure. And that will not be cheap...
Re:Here is a "sane" security measure (Score:3, Informative)
Re:I'm Shocked! (Score:4, Informative)
The computer systems that control the grid are extremely secure. So secure in fact, they do not HAVE a network connection outside of their own server to server interaction.
The mainframes, UNIX systems, and other systems that operate the switcing grid are isolated in a section of the building that even their own network engineers can not enter without being padded down to ensure they carry no computer media of any kind.
When media does need to be brought in, say to patch the OS on a machine for a bug, or to update the backup server software, the media for that must pass through a several step security scan, including scans by not less than 3 AV applications, repeated on not less than 3 different PCs. All install media for machines in that area are kept in that area, seperate from all other company media.
You wouldn't believe the process we had to go through to bring a new backup system in there...
These systems are so isolated it is virtually impossible to infect them.
On the other hand, the PCs connected to the billing systems, yes, they could be infected. These systems however are backed up in many ways, and even if they had to roll back the database a few days, all they'd have to do is correlate the accounting records with meter readings, and they'll know exactly how much everyone owes or paid. They might have to type a few customer change orders back into the system, but all that is in hard copy anyway... It would be an inconvenience, but not that big of one. Of course, the billing system is only accessible via terminal session from PCs on a specific VLAN that are not used for any other purposes (no web browser, document creation, etc), so infecting it is not exactly easy, and I doubt is could be done with a bot without intimate network design knowledge, a few passwords, and a lot of attempts. It would have to be a targeted hack.
This particular power company is a locally owned co-op, small time company. If they can implement security like this, I'm sure others do as well.
I imaging the power grid itself, not so much the systems controlling them, could somehow be hacked, or fooled with conflicting signals that could cause issues, but I seriously doubt anyone let these people try...
Re:I'm Shocked! (Score:4, Informative)
The utility business has three tactical concerns: Safety, Availability, and Security --in that order of priority.
Utilities have been running for decades on old infrastructure. Using SCADA, we're managing the existing capacity in the original infrastructures built by our parents and grandparents. They invested monies that in today's economy would make your utility bills look ridiculously small.
Utilities aren't building infrastructure because the rate payers don't know there is a problem with it. Even when they do know, they may not realize how much it is going to cost to really build in the kind of capacity that previous generations were willing to commit to.
No, instead, we get leaders who slash staff, offer early buy outs, and then discover they don't have anyone who knows where anything is or how it works. Realizing they don't know how to hire people who know what they're doing, because they don't know what to look for, they contract the whole thing out to some private company that in theory could run a utility, but in practice is also understaffed.
And against that backdrop you'd have us invest in a tertiary concern called security? I mean, we are all interested, but there are higher priorities right now.
Re:I blame the cold medicine (Score:3, Informative)
"Public" utilities (Score:3, Informative)
You cannot just stroll into a nuclear plant to see how things work.
After your smug and false assertion that you can, everything else you have to say, no matter how "insightful" is may seem to some, is suspect.