One of the most critical pieces of infrastructure in the United States today is our Power Grid. Time and time again, it has proven vulnerable to accidents. This time, however, it was vulnerable to an outside attack.
Ira Winkler, a world-renowned information security expert, recently addressed an RSA conference and told attendees about a recent exploit: the successful penetration of a power company. Ira and his team were hired to test the security of an unnamed large power company. Through a combination of social engineering and browser exploits, his team was able to gain access to the SCADA systems used to control the power plant and distribution. This took a total of 2 days to accomplish: one day to set up, and one day to penetrate.
Many utility companies have their SCADA systems and administrative systems on the same network, with outside access to the internet. I have encountered places where they run on the same computers (just as Ira Winkler's team discovered). Power grids are not the only systems that run SCADA either--water, wastewater, natural gas supply--all of these vital and critical infrastructure components run control systems. The fortunate thing with the latter list is that they are nowhere near as interconnected as the power grid; but imagine dumping raw sewage from a lift station into a populated area, or cutting off the water supply to a city--or worse, opening all of the floodgates on a dam upstream of a populated area.
The DOE, through its subsidiary agency, the Federal Energy Regulatory Commission, recently published a set of standards designed to secure this critical part of the infrastructure. Many power companies, however, have alluded to the fact that they are running older SCADA software that could fail to adhere to strict guidelines for patching or security management. FERC's response is merely that the power companies are expected to upgrade their systems, something that should have been happening all along.





No comments? by ldsudduth :: NR7 :: on 15 April 2008
I find this interesting, given the number of members of Omninerd who are affiliated with the computer industry in one way or another.
RE: No comments? by VnutZ :: NR8 :: on 15 April 2008
I've always been bothered with the fact that control systems are ever remotely accessible. I suppose somewhere, someone can make the argument that in an emergency situation, an expert can remotely take charge and correct an issue. I for one think that if your employees cannot be trained to be experts on their equipment, then you need to hire better employees. There is no legitimate reason for critical control systems to be on a network accessible outside the facility.
RE: No comments? by ldsudduth :: NR7 :: on 15 April 2008
"I suppose somewhere, someone can make the argument that in an emergency situation, an expert can remotely take charge and correct an issue."
No, you can't make that argument; your supposition is correct; the employees need to have a high level of expertise with the Control Systems. Granted, you can't be an expert on everything, but there should be *someone* that your personnel can contact in the event of an emergency who can guide them through a procedure to minimize impact or even fix the issue at hand.
I don't expect the person running the gear to know what to do if the computer fails (that's why you have backup equipment), but certainly there should be a procedure to follow--even if it's a flow chart in a book.
At one utility, they would have smaller plants controlled by the larger facility during off-shift hours--effectively control was 'transferred' to a Master Panel. As long as you have connectivity between the two facilities that system works well. Thankfully, things are usually programmed to fail into a safe running mode.
The worst thing I ever saw: A facility with direct PC-Anywhere access via modem to the control system, and VNC being used to control the PC without any security of any kind, including passwords. The phone numbers for the modems (there was more than one) were unlisted, but any good wardialing program would find it. Today, that would be a security violation, but not against any law; only against guidelines from Homeland Security.