It's the kind of story that should rightly give anyone the chills. Yesterday
at the RSA Conference
in San Francisco,
penetration testing expert Ira Winkler told the audience that the networks of
power companies are vulnerable to attack.
He should know. Winkler, you see, was able to hack into one such network in
less than a day.
Winkler and his team, working at the company's behest, were quickly able to
gain access to several employees' systems -- by way of a simple phishing attack.
From there, they could access the network controlling the power station's monitoring
and distribution operations. And from there, a lot of things -- mostly bad --
can happen. You can read a Network World article about Winkler's presentation here.
The problem, Winkler contends, isn't so much with gullible employees who should
know better than to click a link on a faux e-mail message. It's with the slap-dash
evolution of systems and networks at the power companies. As Winkler explains
in a 2007
blog post, the Supervisory Control and Data Acquisition (SCADA) systems
employed inside power companies are no longer isolated from external threats.
The air gap that once protected these systems has been bridged by what Winkler
calls the "lazy and cheap" behavior of people at these companies.
The worst thing? Winkler says power companies' fear of service interruptions
makes them reluctant "to update SCADA systems, and the systems and networks
that support them." It's a recipe for disaster that Winkler has urged power
companies to uncook. He calls for SCADA systems to be unlinked from the public
network and for power companies to deploy software and systems that enable reliable
and rapid patching.
What do you think of Winkler's warning to the power industry? And what can
development managers do to ensure that critical systems like these prove less
susceptible to attack? E-mail me at firstname.lastname@example.org.
Posted by Michael Desmond on 04/10/2008 at 1:15 PM