April 8, 2008 6:58 PM PDT

Breaking into a power station in three easy steps

by Elinor Mills

"I will tell (you) how to break into a nuclear reactor," Ira Winkler, president of security firm ISAG, said as he launched into his presentation on "How to Take Down the Power Grid" at RSA 2008 on Tuesday night.

"Frankly, it's really easy to break into the power grid," he said. "It happens all the time."

First, you set up a Web server that downloads spyware onto the computers that visit.

Second, you send an e-mail to people who work inside a power station that entices them to click on a hyperlink to the Web server with the spyware. Warning them that their human resources benefits are going to be cut and sending them to a Web site with "hr.com" in the domain would work, according to Winkler, who said he has done this several times in company-approved penetration tests.

Third, you wait as the recipients--and everyone else they forwarded the e-mail to--visit the server and get infected.

"Then we had full system control," he said. "Once the malware was downloaded onto their systems...we could see the screens and manipulate the cursors."

It took about a day to set up the attack and was effective within minutes, according to Winkler.

"It had to be shut down after a couple of hours because it was working too well," he said.

This is akin to the social engineering attacks that happen all the time, but when the target is a power station the consequences reach far beyond those of most such attacks.
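The lure in the steps above works because an employee sees a familiar-looking label such as "hr" in a hostname and treats the link as the company's own. The following is an added example, not code from the article or from Winkler's presentation: a small mail-gateway style check that extracts links from a message, compares the registrable domain of each against the organisation's own domains, and flags external hosts that borrow internal-sounding labels. The internal domain list, the token list and the sample message are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: the organisation's own domains. A real
# gateway would load these from its configuration (assumption).
INTERNAL_DOMAINS = {"example-utility.com"}

# Labels that the article's lure relies on: an employee sees "hr" in a
# hostname and assumes the link goes to the company's benefits portal.
SENSITIVE_TOKENS = {"hr", "benefits", "payroll"}

# Constructed sample message body, modelled on the lure the article describes.
SAMPLE_BODY = """Subject: Important changes to your benefits
Your human resources benefits are being reduced. Review the new plan at
http://hr.com.benefits-update.example.net/plan before Friday.
The usual portal remains at http://intranet.example-utility.com/hr
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Return the last two labels of a hostname ('mail.hr.com' -> 'hr.com').

    Simplified on purpose: it does not consult the public suffix list, so
    names under suffixes such as co.uk are not handled correctly here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url):
    """Classify one URL as internal, external, or external-lookalike.

    The decision is made on the registrable domain, never on whether the
    hostname merely *contains* a trusted-looking string; that substring
    reasoning is exactly what the lure exploits.
    """
    host = urlparse(url).hostname or ""
    if registrable_domain(host) in INTERNAL_DOMAINS:
        return "internal"
    # Split on dots and hyphens so "hr-benefits" is examined label by label.
    labels = set(re.split(r"[.-]", host.lower()))
    if labels & SENSITIVE_TOKENS:
        return "external-lookalike"
    return "external"


def scan_message(body):
    """Return a list of (url, verdict) pairs for every link in the body."""
    return [(url, classify_link(url)) for url in URL_RE.findall(body)]


def suspicious_links(body):
    """Return only the links that look like an internal service but are not."""
    return [url for url, verdict in scan_message(body) if verdict == "external-lookalike"]


if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_BODY):
        print(f"{verdict:20} {url}")
```

The check deliberately ignores how plausible the rest of the hostname looks; the only question is which organisation controls the registrable domain. That is the same question a recipient should ask before clicking, and the same reasoning holds for links that embed a company name, a bank name or any other trusted brand in a subdomain.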

Power stations running specialized SCADA control software are perceived as more secure than other networked systems. However, they are just as vulnerable because they are connected to the Internet and the SCADA software runs on ordinary computers that also run Windows NT, he said.

"Things are really this bad," Winkler said. "I'm not exaggerating."

Below is a video showing a staged cyber attack on a power station that Winkler showed during his presentation:

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by Zero187 May 27, 2008 9:51 AM PDT
HINT: Hire smart(er) people AND/OR sit down with them for 5 minutes teaching them about phishing, executables, and basic common sense computer defense. For example, if you get an email from PayPal that says "Dear Customer" delete it right away. But if it says "Dear Mr. Smith" and you are in fact Mr. Smith, then it's 95% going to be legit (unless the hacker is directly targeting someone they know personally, which doesn't happen often at the work place). If I was a boss I would do that test once a month and fire anyone who downloaded a virus because it shows their lack of awareness, and bad/lazy awareness == stupidity (at least in the long run). 95% of the time it only takes 10 seconds to use Google to find out if the site is legit or not.
by EnergyWise November 19, 2008 4:40 AM PST
The author forgot to include the real STEP 1. First, find a moronic utility that has not isolated SCADA systems and controls from the Internet. I find it hard to believe that nuclear plants don't have complete isolation from the Internet to their SCADA networks.