Desmond File

Blog archive

Power Down

It's the kind of story that should rightly give anyone the chills. Yesterday at the RSA Conference in San Francisco, penetration testing expert Ira Winkler told the audience that the networks of power companies are vulnerable to attack.

He should know. Winkler, you see, was able to hack into one such network in less than a day.

Winkler and his team, working at the company's behest, were quickly able to gain access to several employees' systems -- by way of a simple phishing attack. From there, they could access the network controlling the power station's monitoring and distribution operations. And from there, a lot of things -- mostly bad -- can happen. You can read a Network World article about Winkler's presentation here.

The problem, Winkler contends, isn't so much with gullible employees who should know better than to click a link on a faux e-mail message. It's with the slap-dash evolution of systems and networks at the power companies. As Winkler explains in a 2007 blog post, the Supervisory Control and Data Acquisition (SCADA) systems employed inside power companies are no longer isolated from external threats. The air gap that once protected these systems has been bridged by what Winkler calls the "lazy and cheap" behavior of people at these companies.

The worst thing? Winkler says power companies' fear of service interruptions makes them reluctant "to update SCADA systems, and the systems and networks that support them." It's a recipe for disaster that Winkler has urged power companies to uncook. He calls for SCADA systems to be unlinked from the public network and for power companies to deploy software and systems that enable reliable and rapid patching.

What do you think of Winkler's warning to the power industry? And what can development managers do to ensure that critical systems like these prove less susceptible to attack? E-mail me at [email protected].

Posted by Michael Desmond on 04/10/2008

comments powered by Disqus


Subscribe on YouTube