How to Hack Into a City's Power Grid
Getting into the systems that control critical infrastructure like electrical grids starts with fooling people, says a professional hacker.
Employees are the weakest link when securing industrial control systems that run power plants, municipal water supplies, electric grids and other pieces of critical infrastructure, a professional hacker said at the RSA conference here in San Francisco.
Andrew Whitaker, director of the Cyber Attack Penetration Division at the Reston, Va.-based Knowledge Consulting Group, is paid by companies to penetration test, or "pen test," their own systems — to try to break into corporate computers, just as a malicious attacker would.
"The objective is simple — to gain access," Whitaker told the audience of information-technology professionals. "We target SCADA engineers. You know how to get into industrial control systems."
SCADA, or supervisory control and data acquisition systems, are the largest form of computerized industrial control systems, and use both hardware and software to monitor and control large industrial processes. "So how do we gain access?" Whitaker asked. "We often just ask for an engineer's username and password."
Whitaker said his team crafts simple phishing attacks, usually consisting of a brief email message that looks like it comes from a staffer in the company's IT department. "We've made some recent changes to our Web-based Outlook access," reads the message. "When you get a free minute, please try logging in using your network credentials and let me know if you have any problems."
A link to the Outlook login page is included — but that link really goes to a fake Outlook page on a site controlled by Whitaker's company. "In our experience," Whitaker said, "18 percent of employees will give up their passwords when asked."
That may not sound like a winning rate, but Whitaker said it was: "We email 20 people, and get four sets of credentials. That's all we need."
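One defensive check for the lure described above, as an added example rather than anything from Whitaker's talk: parse an incoming message, pull out every link, and flag links whose real host is outside the company's own domains or whose displayed URL differs from where it actually points. The corporate domain and the sample message are constructed for the example.

```python
"""Flag phishing-style links: an 'IT' message whose Outlook link points
outside the corporate domain. Added example; sample message is constructed."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Hypothetical corporate domain; links to any other host are suspicious.
TRUSTED_DOMAINS = ("example-utility.com",)

# Constructed sample modelled on the lure quoted in the article.
SAMPLE_EMAIL = """\
From: IT Helpdesk <helpdesk@example-utility.com>
To: engineer@example-utility.com
Subject: Outlook Web Access changes
Content-Type: text/html

<p>We've made some recent changes to our Web-based Outlook access.
When you get a free minute, please try logging in using your network
credentials and let me know if you have any problems.</p>
<a href="http://owa-example-utility.com/login">https://owa.example-utility.com</a>
"""

# Matches <a href="...">displayed text</a>; good enough for plain HTML mail.
HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _host_trusted(host: str) -> bool:
    """True only for the corporate domain itself or a real subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_links(raw: str) -> list:
    """Return (href, reason) pairs for links a reader should not trust."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    findings = []
    for href, text in HREF_RE.findall(body):
        real_host = urlparse(href).hostname or ""
        if not _host_trusted(real_host):
            findings.append((href, "link host %r is outside trusted domains" % real_host))
        shown_host = urlparse(text.strip()).hostname
        if shown_host and shown_host.lower() != real_host.lower():
            findings.append((href, "displayed host %r differs from real host %r"
                             % (shown_host, real_host)))
    return findings


if __name__ == "__main__":
    for href, why in suspicious_links(SAMPLE_EMAIL):
        print(href, "->", why)
```

A look-alike host such as owa-example-utility.com fails the trust check because it is neither the corporate domain nor a dot-separated subdomain of it.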
Canned air and fence hopping
Sometimes a company will have two-factor authentication enabled, requiring a second login device that the employee carries on his person and making remote break-ins much more difficult.
"Then we need physical access," Whitaker said. "We'll hop fences or figure out ways to walk into buildings." Doors that use electronic badge systems, he explained, can usually be defeated by a $10 can of compressed air. "Spray the canned air along the crack of the door" where the electronic lock is, he said, "and you can open the door."
It's also quite easy to create a fake corporate badge, Whitaker explained — and then "tailgate" a group of legitimate employees who will glance at the badge and let the wearer in. "Thanks to all the smokers out there," he joked, "for leaving doors unlocked" and not looking too hard at a new employee who seems to cough a lot when he smokes.
Once they're physically inside a facility, pen testers wander the halls, looking official even as they look for network closets and administrative rooms.
Owning the network
But getting into the company network is only the first step. Whitaker's pen testers then grab everything they can get from employee accounts to try to gain administrative power over the network. "Administrative passwords and other valuable information show up in archived emails," he explained.
One of Whitaker's skilled hackers will take between two and four hours to gain administrative access, he explained, and then it's off to the races. "We take screenshots of engineers' desktops, inject keyloggers, use [protocols] to dump routing tables, compromise firewalls and create tunnels," he explained.
Sometimes, Whitaker will hack into employees' webcams, just to see what they're looking at. "There was one guy who always sat at a weird angle," Whitaker recalled. "I figured out he was looking at two screens — his corporate computer, and his air-gapped SCADA computer. Since I was already in the building, I just waited until he left and then walked over to his desk."
End of the line
Through monitoring engineers' email messages, hacking into their SCADA-connected machines or simply taking screenshots as engineers log in, Whitaker's team will almost always gain access to a critical-infrastructure company's SCADA system, even if that system is air-gapped, or not connected to any other network.
"Once we're in, that's where we stop," he said. "We don't need to prove anything else."
The real danger to the company, he explained, and to the public at large, is that it's almost always possible for an outside adversary to gain access to a SCADA system that controls an electrical utility, a railway or any other kind of critical infrastructure.
"Most SCADA protocols are still transmitting in the clear," or using unencrypted internal processes, Whitaker said. "That's a problem because a network attack upon an industrial control system can have a kinetic [physical] effect on the safety of others."
Taking action
But there's almost no amount of security software a company can buy, he said, that will protect it from human error and frailty. To that end, companies need to make sure their employees are informed and educated to resist social engineering attacks.
"Here's how to make my job harder," Whitaker told the audience. "Secure your people. Involve your people. Invest in your people."
Whitaker closed with an anecdote about how a simple practice using extremely time-tested technology was able to foil him.
"There was one utility company where we couldn't get into the SCADA system," he admitted. "I finally asked an engineer how they kept us out. He told me they used floppy disks, which were kept in locked drawers, to transfer data between systems."

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
skit75: Future Headline.... Defense Contractor sues Big Tobacco for compromising National Defense by way of nicotine addiction!

Rhinofart: Not sure I'm liking these "How to break into stuff, and how to get to a website to buy people's CC info" lately on here. They are just advertising different methods to different crowds of doing nefarious deeds.

RaDiKaL_: Nice article, it's always good to find out about as many methods as possible so one can take proper action to prevent them. No doubt social engineering is the weakest link when securing a company's network/information.

itsnotmeitsyou: That last paragraph was some Galactica level sh-t. Love it.

> Not sure I'm liking these "How to break into stuff, and how to get to a website to buy people's CC info" lately on here. They are just advertising different methods to different crowds of doing nefarious deeds.

Then show your boss. I'm not sure I like the truth about how fragile our protection systems are either. Unfortunately, it's the truth. Time to fix it.

merikafyeah: Foiled by the floppy disk. LOL Old-school FTW. The only thing more obscure now would be a ZIP disk. Unless they're talking about 5.25" floppy disks, in which case color me impressed.

Pailin: The more such vulnerabilities are highlighted, the sooner those weak links are strengthened. All this leads to a better infrastructure, safer from attacks. Each time a company hides its data breaches to save public face, the safer the attacker is and the more easily they can move on to the next victim(s). Outing these issues publicly is the fastest way to securing those weaknesses on a broad scale :)

ddpruitt:
> Not sure I'm liking these "How to break into stuff, and how to get to a website to buy people's CC info" lately on here. They are just advertising different methods to different crowds of doing nefarious deeds.

Actually this is the oldest and most reliable way to get access to a system. I've occasionally used social engineering when gaining legitimate access to a system would take too long (needing access to files for my work off a secured server, etc.). I'm aware of a number of systems that transfer sensitive information in plaintext because they are isolated. The companies running these systems found that they had more breaches from people doing something stupid than from the security actually being broken; it was more cost effective to train the people using the system than to try to make it impenetrable. People have been the weakest link for a long time; sadly, few realize this fact.
