SAN FRANCISCO — Cracking a power company network and gaining access that could shut down the grid is simple, a security expert told an RSA audience, and he has done so in less than a day.
Ira Winkler, a penetration-testing consultant, says he and a team of other experts took a day to set up attack tools they needed then launched their attack, which paired social engineering with corrupting browsers on a power company’s desktops. By the end of a full day of the attack, they had taken over several machines, giving the team the ability to hack into the control network overseeing power production and distribution.
Winkler says he and his team were hired by the power company, which he would not name, to test the security of its network and the power grid it oversees. He would not say when the test was done, but referred to the timeframe as “now.” The company called off the test after the team took over the machines.
“We had to shut down within hours,” Winkler says, “because it was working too well. We more than proved that they were royally screwed.” In addition to consulting, Winkler is author of the books Spies Among Us and Zen and the Art of Information Security.
The problem is pervasive across the power industry, he says, because of how power company networks evolved. Initially their supervisory, control and data acquisition (SCADA) networks were built as closed systems, but over time intranets and Internet access have been added to the SCADA networks. Individual desktops have Internet access and access to business servers as well as the SCADA network, making the control systems subject to Internet threats. “These networks aren’t enclosed anymore. They’ve been open for more than a decade,” Winkler says.
The penetration team started by tapping into distribution lists for SCADA user groups, where they harvested the e-mail addresses of people who worked for the target power company. They sent the workers an e-mail about a plan to cut their benefits and included a link to a Web site where they could find out more.
When employees clicked on the link, they were directed to a Web server set up by Winkler and his team. The employees’ machines displayed an error message, but the server downloaded malware that enabled the team to take command of the machines. “Then we had full system control,” Winkler says. “It was effective within minutes.”
Winkler says SCADA systems are inherently insecure because they are software running on standard operating systems on standard server hardware, making them subject to all the vulnerabilities of those systems.
Power companies’ desire to not risk interrupting service with software upgrades that could improve security perpetuates the inherent weaknesses, he says. “The power grid is so poorly maintained that it is easier to attack than most other systems and networks,” he says. “They hope for the best and make the risk-avoidance excuse if something goes wrong.”
Winkler says his talk doesn’t expose power networks to any more danger than they face now. “The real bad guys already know what I’m saying,” he says. “There is the potential for serious damage.”
Winkler says power companies need to adopt SCADA software that is better tested for vulnerabilities and engineered for rapid patching when flaws are found. They also need to segment their networks so a breach from the Internet cannot reach the SCADA network.