Experts Hack Power Grid in Less Than a Day 302

bednarz writes "Cracking a power company network and gaining access that could shut down the grid is simple, a security expert told an RSA audience, and he has done so in less than a day. Ira Winkler, a penetration-testing consultant, says he and a team of other experts took a day to set up the attack tools they needed, then launched their attack, which paired social engineering with corrupting browsers on a power company's desktops. By the end of a full day of the attack, they had taken over several machines at the unnamed power company, giving the team the ability to hack into the control network overseeing power production and distribution."
  • I'm Shocked! (Score:5, Interesting)

    by ookabooka ( 731013 ) on Thursday April 10, 2008 @01:20AM (#23021160)
    Not really though. A good team of social engineers (con men) and CS people can accomplish many, many things... How can you prevent such things? Ridiculously strong security? Require the security guard at my place of employment to scan my ID each and every time I walk in the building? Is he supposed to also stop law enforcement from going in without clearance from HQ? I'm quite serious, what would be an effective way to stop these tactics? Everything I think of is either too impractical for most situations or prone to the same failures, but at different points.
  • by jroysdon ( 201893 ) on Thursday April 10, 2008 @01:59AM (#23021326)
    Even still, you wouldn't have any way for someone to remotely control those systems. A virus/worm might get spread from the internet PCs to SCADA PCs at the worst, but there is no way to control them (short of sending another message via virus and long time delay via "sneakernet" USB storage device).

    But safer than that would be a way to have a DMZ storage system (not internet DMZ, but DMZ between internal Internet-access PCs and SCADA system PCs) that each different type of PC can drop data off in, but that DMZ system has no access out to either side. So you can drop data off, and then go get it from the other side. So long as your data is just raw data (db info of some sort, I'd imagine), there isn't a way you're ever going to push a virus/worm back and forth.
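    The drop-box design above only holds up if what crosses the DMZ is inert data, so a practitioner would pair it with a strict validator on the receiving side. The following is an added example, not code from the original post or from any utility: it parses a telemetry export against a fixed schema (the column layout, substation ID format and value ranges are assumed for illustration) and rejects the whole file on any deviation, so that nothing that is not a well-formed reading is ever forwarded to the control side. The sample files are constructed.

```python
"""
Strict schema validator for files crossing a LAN <-> SCADA "drop box" DMZ.
Added example; the record layout (ts, substation, mw, hz) is an assumption,
not a real utility format.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed schema: exact header, fixed column count, typed fields, sane ranges.
EXPECTED_HEADER = ["ts", "substation", "mw", "hz"]
SUBSTATION_RE = re.compile(r"^[A-Z]{2,4}-\d{2,3}$")
MAX_BYTES = 1_000_000  # refuse oversized files before parsing anything


@dataclass(frozen=True)
class Reading:
    ts: datetime
    substation: str
    mw: float
    hz: float


class RejectedFile(ValueError):
    """Raised with a reason; nothing from a rejected file is forwarded."""


def validate_export(raw: bytes) -> list[Reading]:
    """Parse the whole file or raise RejectedFile; no partial acceptance."""
    if len(raw) > MAX_BYTES:
        raise RejectedFile("file too large")
    try:
        text = raw.decode("ascii")  # plain ASCII only: no BOMs, no binary
    except UnicodeDecodeError as e:
        raise RejectedFile("non-ASCII bytes") from e
    if any(ord(c) < 32 and c not in "\r\n" for c in text):
        raise RejectedFile("control characters present")
    try:
        rows = list(csv.reader(io.StringIO(text), strict=True))
    except csv.Error as e:
        raise RejectedFile("malformed CSV") from e
    if not rows or rows[0] != EXPECTED_HEADER:
        raise RejectedFile("unexpected header")
    readings: list[Reading] = []
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(EXPECTED_HEADER):
            raise RejectedFile(f"line {lineno}: wrong column count")
        ts_s, sub, mw_s, hz_s = row
        try:
            ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            mw, hz = float(mw_s), float(hz_s)
        except ValueError as e:
            raise RejectedFile(f"line {lineno}: bad field") from e
        if not SUBSTATION_RE.match(sub):
            raise RejectedFile(f"line {lineno}: bad substation id")
        # NaN fails both comparisons, so it is rejected along with inf.
        if not (-5000.0 <= mw <= 5000.0) or not (45.0 <= hz <= 65.0):
            raise RejectedFile(f"line {lineno}: value out of range")
        readings.append(Reading(ts, sub, mw, hz))
    return readings


def check(raw: bytes) -> tuple[bool, str]:
    """Convenience wrapper: (accepted?, reason or record count)."""
    try:
        n = len(validate_export(raw))
    except RejectedFile as e:
        return False, str(e)
    return True, f"{n} records"


# Constructed sample exports (not real data).
GOOD_EXPORT = (
    b"ts,substation,mw,hz\n"
    b"2008-04-10T01:20:00Z,NW-012,412.5,60.01\n"
    b"2008-04-10T01:21:00Z,NW-013,-3.2,59.98\n"
)
# Extra column smuggling free text: not part of the schema, so rejected.
BAD_EXPORT = (
    b"ts,substation,mw,hz,note\n"
    b"2008-04-10T01:20:00Z,NW-012,412.5,60.01,please open attached update\n"
)

if __name__ == "__main__":
    print(check(GOOD_EXPORT))  # (True, '2 records')
    print(check(BAD_EXPORT))   # (False, 'unexpected header')
    print(check(b"\xff\xfe\x00binary"))  # (False, 'non-ASCII bytes')
```

    The point of the whole-file rejection is that a drop box has no user to ask "is this row OK?": anything the schema does not describe is simply never forwarded, which is what makes "just raw data" a property you can enforce rather than hope for.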
  • Ira Winkler? (Score:5, Interesting)

    by drakyri ( 727902 ) on Thursday April 10, 2008 @02:10AM (#23021354)
    There's a nice feature on Ira Winkler in attrition.org's charlatan file:

    http://attrition.org/errata/charlatan.html#winkler [attrition.org]
  • by kitsunewarlock ( 971818 ) on Thursday April 10, 2008 @02:32AM (#23021436) Journal
    At this point it's probably a money saver. They wanted the internet in the building, but didn't want to buy another set of computers when they already had internet-capable computers, probably (I'm guessing) as monitoring stations.

    The short answer is: "Boss is cheap and employees will quit if they can't watch YouTube in one window as they watch the grid in the other."

    Of course, they could be completely incompetent and simply be using the internet this way so they can monitor things from outside the building... which still doesn't make much sense to me. If anything, it should be one man's job to manually transfer the data via flash memory device to and from the non-networked computer and the networked computer every 15 minutes to ensure whoever was too lazy to come to work can get up-to-the-minute information. Or, you know, just connect it to the internet when it's absolutely necessary. It's the same reason I don't keep my cell phone on all the time: I don't want people accessing it when I'm in the shower, class, driving, etc...

    To continue your sentiments: if you don't want people accessing your device, turn it the hell off or snip the (many times, due to wireless technology, metaphorical) cord that connects it to everyone else. There is no shame in unplugging your Ethernet once in a while. If anything, connect it with such a slow connection that by the time a virus got through, the connection would sever due to the person attempting to view two images at once (28.5 kbs modem FTW).
  • by Anonymous Coward on Thursday April 10, 2008 @02:38AM (#23021446)
    They'd post armed patrols out in the mountains... even then, good luck.

    Why the hell would someone go to all the effort mucking around with computers and hacking and leaving evidence everywhere when they could just go buy a gas axe from the local hardware store and knock down a few of the big towers and cause havoc for days... and have about 0% chance of getting caught to top it off.

    I was 4wding up in the high country near my city the other weekend, driving along the maintenance tracks for the big lines that run from the hydroelectricity plant to the city. A gas axe to a few of the supports and you could cut power to the city in an hour. Choose the right towers, remote and hard to get to, and it could be out for days. The big lines run through the rugged and isolated mountains for about 100kms (60miles)... good luck stopping someone motivated from doing that.

    And yet, no one ever has... perhaps, just perhaps, there aren't bogey men trying to get us hiding around every corner?

    These 'security experts' that seem to be cropping up left, right and centre these days crying about how unsafe and insecure everything is seem to be little more than a new incarnation of snake oil salesmen.

    Ridiculous.
  • by utunga ( 113450 ) on Thursday April 10, 2008 @03:06AM (#23021552) Homepage
    I worked at a place that supposedly had two totally separate networks - one connected to the internet, one corporate wide, for news/data/intranet stuff.

    So, sure, everybody has two desktops... one for internal, one for everything else. It was great in theory, really stupid in practice. Just doesn't work.

    Reality is - there is an expectation that data from outside is available inside. In the power company case it might be everything from the latest gas pricing information to weather reports to who knows what else - and so in 'getting things done' this will inevitably require connections between the outside and the inside.

    So, as a result of this 'blanket policy' contrasting with the 'real world' people would circumvent the rule - but do it in stupid, sneaky ways -- for example in one data center there was, literally, an infrared tunnel between two computers -- "see, they are not 'physically connected' !!" .. And try to keep it secret from the network ops guys, of course.

    It would've made a lot more sense to supply a safe, heavily controlled/monitored firewall that connects outside to inside and let the network security people manage it. Otherwise your choices are (1.) actually enforce the rule and totally cripple the effectiveness of the internal system (with the result that nothing of any importance gets put there) or (2.) really lame hacks pretending to be secure and working around the blanket rule, when in actual fact they are invisible bridges that the network ops guys don't know about.

    I saw alternative 2. in real world practice. Let's consider option 1. - if they really did manage to make the SCADA network totally separate **and enforce that**. In that case you'd probably just end up with the forecasting/power-station-scheduling app running on the 'outside' network - and just the final 'implement it' step on the internal SCADA. Since the scheduling app is the one where the real decisions are made - hacking into that would let you send signals and information that would look relatively harmless but would still, in effect, shut down the power grid. You are still sending information - in this case mediated by human brains, but not in a way that the human brain can easily understand because it's low-level commands (turn this up, turn that down) - that could very effectively mess up the voltage balance or frequency timing or whatever, causing rolling blackouts and thus achieving the same aim of shutting down the power grid. There is information flowing from outside to inside - whether it is via human or machine.

    Security through dis-connectivity is a dangerous myth in most cases. In some cases, say military situations where you are willing to absorb the huge cost of re-implementing a complete replacement for just about every dang thing you might need on the inside (e.g. weather data, or radar data, say), then it may make sense. In just about every realistic corporate case - even power companies - it's likely to only cause people to take their eye off the ball of implementing real security and proper firewalls etc.
  • Re:Security Measures (Score:5, Interesting)

    by HexaByte ( 817350 ) on Thursday April 10, 2008 @03:37AM (#23021646)
    It's NOT just "TURN THE WHOLE POWER GRID OFF" that you have to worry about. The power grid was automated when no one worried about computer security, and they still have that old infrastructure in place.

    How would you like it if the hackers got into the grid control system and told the IP motors that control the floodgates on the big dams to open all the way, and then send them into a tizzy that burns them out, so they can't be used to shut the gates? How much damage would the downstream flooding cause?

    Or how about the test the DHS did, where they gave a generator a command to generate power out of phase with the network, causing it to physically self-destruct? It only takes a few things like this to screw up the country big-time! And it doesn't have to be done on site, it can be comfortably done from the safety and security of your ChiCom hacker network (they've been walking all over our networks for years) or your zombie bot-net.

    I've been sounding the alarm on this for years (although many others have been doing a far better job, don't want to take credit for others' work), and finally the industry is responding. It will take billions to correct it in the US, Europe and Far East, while some poor countries don't have the financial means to do it at all.

  • by 1u3hr ( 530656 ) on Thursday April 10, 2008 @04:19AM (#23021814)
    The problem is the layers.

    The problem, as usual, is Windows. If you RTFA, they just set up a site and emailed the power station guys that there was a change to their pensions or health benefits, for more information.... so they clicked on the link and were pwned immediately. No specifics, but does anyone doubt this was Internet Explorer running on Windows?

    Solution: Others have pointed out the need to transfer information routinely via the Internet. How about the desktops run Ubuntu, or OSX or ANYTHING except Windows? Risks of an exploit of the desktop will be much reduced, and even if successful, there is a bigger barrier if it has to work across different OSs (sadly the power supply monitoring software apparently runs on Windows, and is unlikely to be rewritten).

    Whatever the solution, it will have as Step 1: Get rid of Windows facing the Internet.

  • by keirre23hu ( 638913 ) <{moc.liamg} {ta} {laer4k2j}> on Thursday April 10, 2008 @08:11AM (#23022836) Homepage
    The SCADA network is not designed for browsing the internet. It should not be connected.

    Security through dis-connectivity is a dangerous myth in most cases. In some cases, say military situations where you are willing to absorb the huge cost to re-implementing a complete replacement for just about every dang thing you might need on the inside (e.g. weather data, or radar data, say) then it may make sense. In just about every realistic corporate case - even power companies - its likely to only cause people to take their eye off the ball of implementing real security and proper firewalls etc.
    You make a good point here, but I'd argue that, for National Infrastructure Issues (including the power grid), the same security expected of the military should be required. These systems are just as critical. One of the primary differentiators between the modern world and the third world is the ability to provide reliable utilities. If the grid went down for any length of time on a national scale... umm... it would be a big problem.
  • Re:I'm Shocked! (Score:3, Interesting)

    by Oktober Sunset ( 838224 ) <sdpage103NO@SPAMyahoo.co.uk> on Thursday April 10, 2008 @09:03AM (#23023276)

    Just the same, bouncers outside a club don't prevent entry, they just deter brute forcing the door. If you really wanted to get in the club in a hurry you could walk up with a gun, mow them down, and walk in - wouldn't even have to break stride.
    Umm, yeah, try that in a club in a real city; the bouncers will have bullet proof vests, there will be double barriers in front of the club that you have to jump over, by which time the bouncers will have retreated inside, closed the shutters and radioed for the police, who are only 2 or 3 streets away and will be getting the submachine guns out of the boot of their car. Armed police would be there in about 2 minutes to gun you down.

    Clubs in cities with gang problems usually have extremely well armoured entrances; that's why you go through such narrow little doorways when you get inside, so they can lock it up real easy.

    I've been in a club where someone pulled a gun at the door; we never even knew about it, until cops and bouncers came down and told everyone the club was closing cos there had been an 'incident' outside. When we got outside, there were cops everywhere, but we didn't even notice anything inside; the bouncers inside just shut the doors and they couldn't do shit except wave their gun about until the police turned up and they ran away.


    It's all a question of what you are expecting, if you expect a few drunken monkeys, you just hire a couple of big blokes, if you expect armed gang members, you hire a professional security team.

    Likewise, if you expect your scallywag neighbour might be mooching your broadband, you turn on WEP. If you expect that determined saboteurs are going to shut down your power grid, you do what the guy in the last reply said, unplug the computer that controls the grid from the network.
  • Because, dumbass, it's easy to have walk-in escorted access to most offices on some pretense or another. But they tend to stop you if they see you carrying things out, or even if they see you typing on their computer.

    Dropping flash drives, OTOH, is easy.

  • Probably Nonsense... (Score:2, Interesting)

    by mick_stockinger ( 1232996 ) on Thursday April 10, 2008 @10:32AM (#23024322)
    I'm not sure I believe the claims being made here. I've worked as a subcontractor in power plants all over North America and I've never seen a single plant where this would even be possible. Power plants have LANs with internet access like every other business, but plant operations, as controlled by the DCS, are completely isolated from the internet. It might indeed be trivial to compromise the LAN, but that is a far cry from actually gaining control of the power block. The DCS does have connections to the outside world in the form of frame relays (sometimes) to power marketing cooperatives (such as ERCOT in Texas...), or telephone access by analog router, but these are highly secure, isolated connections. The analog routers are usually disconnected when not explicitly required for remote support. This appears to me more media-inspired scaremongering.
  • by Anonymous Coward on Thursday April 10, 2008 @10:49AM (#23024548)
    i'd like to point out one more time that it's impossible to "hack the grid." you can compromise machines inside the control room, but never anything that controls the flow of electrons.

    the hardware doing the dirty work is custom-spec stuff running on a completely custom OS. keep in mind this hardware merely guides the engineers, rather than controlling the grid. most power grids in the US are about the same as they were in 1950. in other words, it's controlled by manpower. lots of it. the engineers in charge of the control room have volumes and volumes of binders with step-by-step procedures for each and every adjustment they could possibly make to the flow of power. switching operations, etc are all done by manpower, NOT cpu cycles.

    basically, when someone says "you can hack the power grid" it's like they are saying "you can hack a wwII battleship." of course you can't. it pre-dates internet technologies by so much that even the upgraded re-serviced ships have nothing but custom hardware and software sandboxed from any kind of network.

    the entire electrical grid's infrastructure is pretty close to being what it was in the 1950's. and when i say "pretty close" i mean that the only real upgrades made to it were in diagnostics and capacity. in other words, they added more transmission lines, and more little gadgets to sense and log data that could be helpful to keeping things flowing smoothly. in actuality the entire system is so antiquated that if network technology as we know it were to be erased, the grid would work just fine. keep in mind the systems the power companies use were developed in-house and custom-tailored to their needs. much like the upgraded wwII battleships the US was using until recently, if all the tech were stripped from it, it would still work fine. instead of accessing the custom-built touchscreen diagnostic panel, you'd pick up the secure internal-only telephone and ask the engineer for readings.

    p.s. robot lords: i'm assuming that name is a Clutch reference, and i'm a rabid fan, so hats off to you. (i must have muttered "smile, taste kittens" at least 10 times while writing this)
  • Re:Security Measures (Score:3, Interesting)

    by Critical Facilities ( 850111 ) on Thursday April 10, 2008 @11:19AM (#23024970)

    Unfortunately it is never practical to maintain an air gap.


    Bullshit. I've worked at several MAJOR data centers with fully integrated Building Automation Systems which were completely separated from the companies' intranets and from the internet. You must bear in mind that this type of security protects BOTH sides. That is, in addition to protecting the B.A.S./SCADA system from outside attack directly, it also prevents someone from being able to access the SCADA system and from there, hack into corporate intranets.
  • Re:Security Measures (Score:2, Interesting)

    by luciddr34m3r ( 1232248 ) on Thursday April 10, 2008 @11:35AM (#23025194)
    Well, from the reports of penetration tests I've heard, many places do claim their systems are not connected to the internet, but the gap has been bridged by someone, be it management or whomever. Someone above said he's heard of people bridging the networks with IR interfaces. When I interviewed computer security professionals at local power plants for my research on this topic, I was told people connect things to the network all the time that are supposed to be isolated. Even the government's classified network gets bridged to the internet from time to time, and there are strict regulations on the air gap for it. Maybe your companies actually maintained an air gap, but if your entire security method is compromised when someone accidentally plugs something into the wrong port on the wall, you've seriously failed in your duties for security. If you protect it like it's on the internet, even when an accident happens and it's plugged in you'll be protected.
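    "Protect it like it's on the internet" still leaves the question of how you notice the accidental bridge. The following is an added example, not from the original post or any utility: given a zone plan (the corporate and control address ranges are assumed) and an interface inventory (constructed here; on Linux the same fields can be collected with `ip -o -4 addr show` on each host), it flags any host that has addresses in more than one zone, and any host on a network the plan does not know about, which is what "plugged into the wrong port on the wall" looks like from the network side.

```python
"""
Dual-homed host / unknown-network detector for an air-gapped zone plan.
Added example; zones and inventory are constructed, not a real site.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Assumed zone plan: which prefixes are supposed to be where.
ZONES = {
    "corporate": [ipaddress.ip_network("10.0.0.0/8")],
    "control": [
        ipaddress.ip_network("192.168.100.0/24"),
        ipaddress.ip_network("192.168.101.0/24"),
    ],
}

# Constructed inventory, one line per interface: host  iface  addr/prefix.
INVENTORY = """\
# host        iface  address
hmi-01        eth0   192.168.100.11/24
hmi-01        eth1   10.42.7.23/24
historian     eth0   192.168.100.20/24
eng-laptop    eth0   10.42.7.55/24
eng-laptop    wlan0  172.16.9.4/24
ops-ws-03     eth0   192.168.101.8/24
"""


def zone_of(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> str | None:
    """Name of the zone whose prefixes contain addr, or None if unplanned."""
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return None


def find_bridges(inventory: str) -> dict[str, list[str]]:
    """Return hosts spanning zones and hosts on networks outside the plan."""
    zones_per_host: dict[str, set[str]] = defaultdict(set)
    unplanned: dict[str, list[str]] = defaultdict(list)
    for line in inventory.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, iface, cidr = line.split()
        addr = ipaddress.ip_interface(cidr).ip
        zone = zone_of(addr)
        if zone is None:
            unplanned[host].append(f"{iface}={cidr}")
        else:
            zones_per_host[host].add(zone)
    dual_homed = sorted(h for h, zs in zones_per_host.items() if len(zs) > 1)
    return {
        "dual_homed": dual_homed,
        "unknown_network": sorted(unplanned),
    }


if __name__ == "__main__":
    findings = find_bridges(INVENTORY)
    for kind, hosts in findings.items():
        print(f"{kind}: {', '.join(hosts) or 'none'}")
    # dual_homed: hmi-01
    # unknown_network: eng-laptop
```

    Run from a monitoring host against an inventory collected on a schedule, the "dual_homed" list is the direct evidence that the air gap is currently bridged, and "unknown_network" catches the laptop that has joined something the plan never described; both are worth an alert rather than a weekly report.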
