Tumblr 101: Tips And Tricks To Get Started
Sebastian Thrun: Google's Driverless Car
Hacker Consultants Infiltrate Power Grid In Hours
To many, a power grid is just a bunch of wires spreading out like a web, some sort of a power plant sitting in the middle turning the lights on all along its reach. That perception leads to a feeling of security; so long as that plant in the middle is safe from physical attack, the grid itself is also safe. Surround the plant with barbed wire fences and armed guards and it's easy to think that those power plants are safe. Sadly, in this networked age, that's simply not the case, as proven by a team of security consultants who pulled a few simple hacking tricks to infiltrate the computer systems of an anonymous power company within a few hours.
The consultants apparently didn't have to resort to any advanced tactics to gain control over computers that monitored and controlled the power grid. They relied on human nature to get initial access, finding the e-mail addresses of many of the plant's employees and sending them a supposedly corporate e-mail that indicated their worker benefits were being cut. They were directed to a URL to get more information. That URL was, of course, bogus and simply resulted in the installation of malicious software.
Once installed the team had full control to do whatever they want, including shutting down the grid and potentially even causing physical damage to the plant itself. Thankfully, though, they were just there to find holes in the plant's security infrastructure, which they certainly did. So, be aware that your power is perhaps a bit more vulnerable than you might think, but be thankful the companies that provide it are at least working to find those vulnerabilities.
From BetaNews
16 Grammys Looks That Weren't Working
Whitney Houston Autopsy: Cause of Death Determined?
Matt Bomer Comes Out As Gay
Whitney Houston, Bobbi Kristina: Late Singer's Daughter Hospitalized
Adele Five-Year Break? Singer Plans to Focus on Relationship, Write 'Happy Record'
How Hattie Lost 300 Pounds: 'I Was Ready To Do Whatever It Took To Survive'
Whitney Houston Dead: Stars React to Legend's Sudden Death
Jennifer Hudson Whitney Tribute: Grammy President Reveals Why Singer Was Chosen for Musical Memorial
Grammy Awards 2012: The Best & Worst Of The Red Carpet!
Grammy 2012 Winners' List: Adele Sweeps Music's Biggest Night
Whitney Houston Dead: Singer Dies at 48, Body Found in Beverly Hilton Hotel
Mom Had Labor Induced To Let Dying Father See Daughter
3 Economic Misconceptions That Need to Die
5-Hour Energy: A Success Equal Parts Caffeine, Chemistry and Meditation
12 Grammys Stars Who Gave Good Style
People With Easy-To-Pronounce Names More Likely To Succeed, Study Says
PHOTOS: Beautiful Scars
15 Funny Valentine's Day Cards
Pastor's Daughter Accidentally Shot At Church
The Top 10 Slacker Colleges
Mystery Disease Kills Thousands
JUNGLE SURVIVAL: Marines Drink Snake Blood, Eat Insects
PHOTOS: Thank God For Grown-Up Glamour
Taylor Swift Does Great Depression Chic
PHOTO: Kate Upton Scores 'Sports Illustrated' Swimsuit Issue Cover!
Comments
7
Subscribe to commentsretro77Apr 11th 2008 10:30AM
grats. good thing they were consultants...this time.
teslasnpApr 11th 2008 11:25AM
they could still sell the information...
anytime
retro77Apr 11th 2008 11:28AM
Well being a security consultant you sign an NDA plus that would ruin your name in the business if your selling security holes to outside identities.
max klavanskyApr 13th 2008 8:27PM
metering and control system should be on different system and never cross over. prtective relays should have only local access.
Funke, Tobias Dr.Apr 11th 2008 4:42PM
I still don't understand why critical infrastructure can't run on a discrete network that is completely isolated from the internet. Remote control of plants and systems is surely more efficient than live operators, but this article proves that it comes with an increased risk. I don't mind paying a few more dollars per year for utilities so that some Homer can lounge around at a control panel all day, if it means a higher level of reliability.
I'm sure foreign entities with cyber-warfare units have already probed many of our vulnerabilities, and are just waiting until hostilities erupt to exploit them. I sure hope that DHS and others are staying on top of this.
Electric BobApr 13th 2008 5:47PM
Possible? Yes. Prevalent and widespread? No. Much power grid equipment is so old fashioned (compared to the networld) that it is still direct connected on dedicated and encrypted communications systems and not net enabled. Ya can't just surf in to the heavy duty stuff if it's done as it is required. As to plants, there are a few remote controlled small plants, but most have us "Homers" watching the meters, trying to keep the lights on. There are many requirements for reliabililty of the power grid. Surf thru NERC.COM to read up. Fines can be in the millions for non-compliance, so the utillities are well motivated to keep it locked up.
This kind of "Sky Is Falling" article seems to be mostly fear mongering (after all, it's missing significant information and how many readers are really going to call their Congressman without that?). That a hacker achieved entrance is more likely to the utilities IT side, not their system control side. It isn't specified if these "hacker-consultants" were doing intrusion testing, which is a normal part of checking compliance with required operations security, but that is normal and not really "news". Folks who know what they are doing (as in equally capable to the hackers) are working hard to keep them out.
To repeat: Possible? Yes, most anything is possible. Prevalent and widespread? No, the sky is not falling.
Funke, Tobias Dr.Apr 15th 2008 6:37PM
Thanks for sharing your insight into the world of electricity. I've never heard anybody mention "dedicated and encrypted...systems" before while discussing this, and that's fairly reassuring. I know it isn't the most interesting subject for people until the lights go out, but I haven't heard anything more about the massive national grid overhaul that was announced in 2003. Do you know if any headway is being made on this?
I am still troubled by the idea that if even just a small number of plants are vulnerable to an attack, a simultaneous shutdown of them would cascade like in 2003. I hope you can ease my mind on this too.