Employees are the weakest link when securing industrial control systems that run power plants, municipal water supplies, electric grids and other pieces of critical infrastructure, a professional hacker said at the RSA conference here in San Francisco.
Andrew Whitaker, director of the Cyber Attack Penetration Division at the Reston, Va.-based Knowledge Consulting Group, is paid by companies to penetration test or "pen test" their own systems — to try to break into corporate computers, just as a malicious attacker would."
"The objective is simple — to gain access," Whitaker told the audience of information-technology professionals. "We target SCADA engineers. You know how to get into industrial control systems."
SCADA, or supervisory control and data acquisition systems, are the largest form of computerized industrial control systems, and use both hardware and software to monitor and control large industrial processes. "So how do we gain access?" Whitaker asked. "We often just ask for an engineer's username and password."
Whitaker said his team crafts simple phishing attacks, usually consisting of a brief email message that looks like it comes from a staffer in the company's IT department. "We're made some recent changes to our Web-based Outlook access," reads the message. "When you get a free minute, please try logging in using your network credentials and let me know if you have any problems."
A link to the Outlook login page is included — but that link really goes to a fake Outlook page on a site controlled by Whitaker's company. "In our experience," Whitaker said, "18 percent of employees will give up their passwords when asked."
That may not sound like a winning rate, but Whitaker said it was: "We email 20 people, and get four sets of credentials. That's all we need."
Canned air and fence hopping
Sometimes a company will have two-factor authentication enabled, requiring a second login device that the employee carries on his person and making remote break-ins much more difficult.
"Then we need physical access," Whitaker said. "We'll hop fences or figure out ways to walk into buildings." Doors that use electronic badge systems, he explained, can usually be defeated by a $10 can of compressed air. "Spray the canned air along the crack of the door" where the elecronic lock is, he said, "and you can open the door."
It's also quite easy to create a fake corporate badge, Whitaker explained — and then "tailgate" a group of legitimate employees who will glance at the badge and let the wearer in. "Thanks to all the smokers out there," he joked, "for leaving doors unlocked" and not looking too hard at a new employee who seems to cough a lot when he smokes.
Once they're physically inside a facility, pen testers wander the halls, looking official even as they look for network closets and administrative rooms.
Owning the network
But getting into the company network is only the first step. Whitaker's pen testers then grab everything they can get from employee accounts to try to gain administrative power over the network. "Administrative passwords and other valuable information show up in archived emails," he explained.
One of Whitaker's skilled hackers will take between two and four hours to gain administrative access, he explained, and then it's off to the races. "We take sceeenshots of engineers' desktops, inject keyloggers, use [protocols] to dump routing tables, compromise firewalls and create tunnels," he explained.
Sometimes, Whitaker will hack into employees' webcams, just to see what they're looking at. "There was one guy who always sat a weird angle," Whitaker recalled. "I figured out he was looking at two screens — his corporate computer, and his air-gapped SCADA computer. Since I was already in the building, I just waited until he left and then walked over to his desk."
End of the line
Through monitoring engineers' email messages, hacking into their SCADA-connected machines or simply taking screenshots as engineers log in, Whitaker's team will almost always gain access to a critical-infrastructure company's SCADA system, even if that system is air-gapped, or not connected to any other network.
"Once we're in, that's where we stop," he said. "We don't need to prove anything else."
The real danger to the company, he explained, and to the public at large, is that it's almost always possible for an outside adversary to gain access to a SCADA system that controls an electrical utility, a railway or any other kind of critical infrastructure.
"Most SCADA protocols are still transmitting in clear," or using unencrypted internal processes, Whitaker said. "That's a problem because a network attack upon an industrial control system can have a kinetic [physical] effect on the safety of others."
But there's almost no amount of security software a company can buy, he said, that will protect it from human error and frailty. To that end, companies need to make sure their employees are informed and educated to resist social engineering attacks.
"Here's how to make my job harder," Whitaker told the audience. "Secure your people. Involve your people. Invest in your people."
Whitaker closed with an anecdote about how a simple practice using extremely time-tested technology was able to foil him.
"There was one utility company where we couldn't get into the SCADA system," he admitted. "I finally asked an engineer how they kept us out. He told me they used floppy disks, which were kept in locked drawers, to transfer data between systems."