Hacker Consultants Infiltrate Power Grid In Hours

by Tim Stevens — Apr 11th 2008 at 10:21AM

To many, a power grid is just a bunch of wires spreading out like a web, some sort of a power plant sitting in the middle turning the lights on all along its reach. That perception leads to a feeling of security; so long as that plant in the middle is safe from physical attack, the grid itself is also safe. Surround the plant with barbed wire fences and armed guards and it's easy to think that those power plants are safe. Sadly, in this networked age, that's simply not the case, as proven by a team of security consultants who pulled a few simple hacking tricks to infiltrate the computer systems of an anonymous power company within a few hours.

The consultants apparently didn't have to resort to any advanced tactics to gain control over computers that monitored and controlled the power grid. They relied on human nature to get initial access, finding the e-mail addresses of many of the plant's employees and sending them a supposedly corporate e-mail that indicated their worker benefits were being cut. They were directed to a URL to get more information. That URL was, of course, bogus and simply resulted in the installation of malicious software.

Once installed the team had full control to do whatever they want, including shutting down the grid and potentially even causing physical damage to the plant itself. Thankfully, though, they were just there to find holes in the plant's security infrastructure, which they certainly did. So, be aware that your power is perhaps a bit more vulnerable than you might think, but be thankful the companies that provide it are at least working to find those vulnerabilities.

From BetaNews

Tags: breaking news, BreakingNews, hacking, security

Reader Comments (Page 1 of 1)

retro77 said 10:30AM on 4-11-2008

grats. good thing they were consultants...this time.

teslasnp said 11:25AM on 4-11-2008

they could still sell the information...

anytime

retro77 said 11:28AM on 4-11-2008

Well being a security consultant you sign an NDA plus that would ruin your name in the business if your selling security holes to outside identities.

max klavansky said 8:27PM on 4-13-2008

metering and control system should be on different system and never cross over. prtective relays should have only local access.

Funke, Tobias Dr. said 4:42PM on 4-11-2008

I still don't understand why critical infrastructure can't run on a discrete network that is completely isolated from the internet. Remote control of plants and systems is surely more efficient than live operators, but this article proves that it comes with an increased risk. I don't mind paying a few more dollars per year for utilities so that some Homer can lounge around at a control panel all day, if it means a higher level of reliability.

I'm sure foreign entities with cyber-warfare units have already probed many of our vulnerabilities, and are just waiting until hostilities erupt to exploit them. I sure hope that DHS and others are staying on top of this.

Electric Bob said 5:47PM on 4-13-2008

Possible? Yes. Prevalent and widespread? No. Much power grid equipment is so old fashioned (compared to the networld) that it is still direct connected on dedicated and encrypted communications systems and not net enabled. Ya can't just surf in to the heavy duty stuff if it's done as it is required. As to plants, there are a few remote controlled small plants, but most have us "Homers" watching the meters, trying to keep the lights on. There are many requirements for reliabililty of the power grid. Surf thru NERC.COM to read up. Fines can be in the millions for non-compliance, so the utillities are well motivated to keep it locked up.

This kind of "Sky Is Falling" article seems to be mostly fear mongering (after all, it's missing significant information and how many readers are really going to call their Congressman without that?). That a hacker achieved entrance is more likely to the utilities IT side, not their system control side. It isn't specified if these "hacker-consultants" were doing intrusion testing, which is a normal part of checking compliance with required operations security, but that is normal and not really "news". Folks who know what they are doing (as in equally capable to the hackers) are working hard to keep them out.
To repeat: Possible? Yes, most anything is possible. Prevalent and widespread? No, the sky is not falling.

Funke, Tobias Dr. said 6:37PM on 4-15-2008

Thanks for sharing your insight into the world of electricity. I've never heard anybody mention "dedicated and encrypted...systems" before while discussing this, and that's fairly reassuring. I know it isn't the most interesting subject for people until the lights go out, but I haven't heard anything more about the massive national grid overhaul that was announced in 2003. Do you know if any headway is being made on this?

I am still troubled by the idea that if even just a small number of plants are vulnerable to an attack, a simultaneous shutdown of them would cascade like in 2003. I hope you can ease my mind on this too.

Add your comments

Your comments:

Remember me

E-Mail me when someone replies to this comment

Please keep your comments relevant to this blog entry. Email addresses are never displayed, but they are required to confirm your comments.

When you enter your name and email address, you'll be sent a link to confirm your comment, and a password. To leave another comment, just use that password.

To create a live link, simply type the URL (including http://) or email address and we will make it a live link for you. You can put up to 3 URLs in your comments. Line breaks and paragraphs are automatically converted — no need to use <p> or <br /> tags.

Switched Video

Most Emailed Stories

Editors' Picks

Deals of the Day

http://xml.channel.aol.com/xmlpublisher/fetch.v2.xml?option=expand_relative_urls&dataUrlNodes=uiConfig,feedConfig,entry&id=758444&pid=758443&uts=1256672453

http://cdn.channel.aol.com/cs_feed_v1_6/csfeedwrapper.swf

'Black Friday' Deals to Watch For

Getty Images

Black Friday' Deals to Watch For

Traditionalists might balk, but the holiday shopping season is already underway. Skeptical? Head to your local department store and you'll be inundated by Christmas trees and ornaments. Bargain hunters, though, know that the real deals are more than a month away.

Black Friday, traditionally, is when retailers truly slash prices. Early birds can save hundreds, if not thousands, of dollars off of their holiday bills. Switched.com checked with a few elves, who gave a sneak peek at what you can expect deal-wise this year.

Blu-ray Players and Movies: Blu-ray is shaping up to be the biggest door buster of this year's Black Friday. de Grandpre expects at least one retailer will offer a Blu-ray player for just $49. Look for bargains on Blu-ray films as well, with last year's hit titles (such as "Iron Man") to fall as low as $5.

Laptops: With the proliferation of Netbooks this year, it's never been easier to find affordable portable computing, but Dan de Grandpre, CEO of DealNews.com says it will get even cheaper on Black Friday. Look for well-equipped Netbooks to sell for $199 – and basic 15" laptops to go for as little as $249.

HDTVs (Pretty big): The holidays are typically the best time to buy a new TV – and Black Friday is the time to do it. If you're looking for a normal sized set, you're in luck. Piper Jaffrey analyst Mitch Kaiser says he expects to see 32-inch LCD sets for as low as $299. GottaDeal.com is estimating 37-inch plasma and LCD sets will fall to $399 or less.

HDTVs (Really big): Need something bigger? How about a 46-47 inch LCD set for $599 – a 25 percent savings? Or a 52-inch LCD for $999? Dealnews says you can expect both. Plasma deals will be a little harder to come by, but a 50-inch set should run roughly $899.

HD Camcorders: You've wanted to shoot your child's school play in HD for a while, but haven't been able to spring for the pricey camcorder. This might be the year. Low-end, flash-based 720p models could drop as low as $60 (though you won't be able to zoom with those). Expect a high quality 1080p HD camcorder for $349.

GPS: While navigation systems have dramatically expanded their reach this year – even making it onto the iPhone – there's still a market for car-based systems. Dealnews predicts you'll be able to find a no-name entry-level system for $49, while a Garmin or Tom-Tom brand will be as low as $69.

Digital Picture Frames: Showcasing your digital pictures consistently gets cheaper. This year, skip the 7-inch screens and focus on the 8- or 9-inch ones, which should be available on Black Friday for as little as $30.

Monitors: Computer monitors might not be the sexiest of gifts, but they're usually welcomed with open arms – and they'll be cheap this year. Name brand 22-inch LCD models may go for as low as $99, while 24-inch models will drop below $150.

Memory: Don't know anyone who needs a monitor? External hard drives are always popular, since they're an easy way to back-up data. Dealnews expects a 1TB drive to fall as low as $49 this year. Gottadeal is looking for 8GB flash drives to hit $15.

Latest Reviews from CNET.com

CNET provides the latest tech news, unbiased reviews, videos, podcasts, software, and downloads, making tech products easy to find, understand and use.

Top Product Reviews

Home Audio Reviews
9.0 out of 10
Definitive Technology BPX
Works great with Dolby Pro Logic and Dolby Digital. Full Review
9.0 out of 10
Denon AVR-4306 (black)
Incredibly well-featured 7.1-channel receiver; excellent sound quality; three HDMI inputs; converts analog video to HDMI output; upconverts analog video to 720p/1080i HD resolution; iPod and USB MP3 player connectivity; Internet radio and MP3/WMA streaming audio via built-in Ethernet port; XM Satellite Radio compatible; touch-screen remote; multizone, multisource operation; browser-based control via home network; accurate autocalibration routine. Full Review
8.8 out of 10
KEF KHT3005 (black)
The KEF KHT-3005 is one compact, beautifully designed speaker package with solid aluminum satellites that feature unique driver technology to produce incredible clarity. Meanwhile, the equally astounding dual 10-inch, 250-watt powered subwoofer delivers ultradeep bass. Full Review
Cell Phone Reviews

8.7 out of 10
SignalBoost Mobile Professional Amplifier Kit
The Mobile Professional Amplifier delivers a powerful signal boost to your cell phone. Also, it offers a compact design and easy setup. Full Review
8.6 out of 10
Wi-Ex zBoost YX510-PCS-CEL cell phone signal extender
The Wi-Ex zBoost YX510-PCS-CEL significantly boosts your cell phone reception and is easy to operate. Also, it uses a wireless connection to your phone. Full Review
8.3 out of 10
LG VX6000 (Verizon Wireless)
Compact and stylish; impressive battery life; solid audio quality; sharp color screen; built-in camera; USB ready; affordable. Full Review
Digital Camera Reviews

9.3 out of 10
Canon EOS 1D Mark III
Extremely fast, 10-megapixel continuous shooting; very low noise; highly customizable; well-designed body with weather sealing; 3-inch LCD; abundant optional accessories. Full Review
9.3 out of 10
Nikon D3 (body only)
Full-frame sensor; well designed, pro-level weather-sealed body; very low noise, even at extremely high ISOs; fast. Full Review
9.0 out of 10
Canon EOS-1Ds Mark III
Very low noise, high quality images; 21.1 megapixels; live view shooting; pro-level build-quality and performance. Full Review
Desktop Reviews

8.9 out of 10
Velocity Micro Edge Z30 (Intel Core i7)
Best value among midrange gaming PCs; Velocity Micro's consistently high build quality; compact case makes few sacrifices; second graphics card slot previously uncommon at this price. Full Review
8.5 out of 10
Apple iMac (24-inch, 2.8GHz)
A minor specification update results in some significant performance gains; graphics upgrade an option on this 24-inch model; sleek, polished design didn't receive an update, but we won't start clamoring for a new design until the current one is at least 12 months old. Full Review