How to Hack Into a City's Power Grid

Credit: wxin/Shutterstock


Employees are the weakest link when securing industrial control systems that run power plants, municipal water supplies, electric grids and other pieces of critical infrastructure, a professional hacker said at the RSA conference here in San Francisco.

Andrew Whitaker, director of the Cyber Attack Penetration Division at the Reston, Va.-based Knowledge Consulting Group, is paid by companies to penetration test or "pen test" their own systems — to try to break into corporate computers, just as a malicious attacker would.


"The objective is simple — to gain access," Whitaker told the audience of information-technology professionals. "We target SCADA engineers. You know how to get into industrial control systems."

SCADA, or supervisory control and data acquisition systems, are the largest form of computerized industrial control systems, and use both hardware and software to monitor and control large industrial processes. "So how do we gain access?" Whitaker asked. "We often just ask for an engineer's username and password."

Whitaker said his team crafts simple phishing attacks, usually consisting of a brief email message that looks like it comes from a staffer in the company's IT department. "We've made some recent changes to our Web-based Outlook access," reads the message. "When you get a free minute, please try logging in using your network credentials and let me know if you have any problems."

A link to the Outlook login page is included — but that link really goes to a fake Outlook page on a site controlled by Whitaker's company. "In our experience," Whitaker said, "18 percent of employees will give up their passwords when asked."

That may not sound like a winning rate, but Whitaker said it was: "We email 20 people, and get four sets of credentials. That's all we need."

Canned air and fence hopping

Sometimes a company will have two-factor authentication enabled, requiring a second login device that the employee carries on his person and making remote break-ins much more difficult.

"Then we need physical access," Whitaker said. "We'll hop fences or figure out ways to walk into buildings." Doors that use electronic badge systems, he explained, can usually be defeated by a $10 can of compressed air. "Spray the canned air along the crack of the door" where the electronic lock is, he said, "and you can open the door."

It's also quite easy to create a fake corporate badge, Whitaker explained — and then "tailgate" a group of legitimate employees who will glance at the badge and let the wearer in. "Thanks to all the smokers out there," he joked, "for leaving doors unlocked" and not looking too hard at a new employee who seems to cough a lot when he smokes.

Once they're physically inside a facility, pen testers wander the halls, looking official even as they look for network closets and administrative rooms.

Owning the network

But getting into the company network is only the first step. Whitaker's pen testers then grab everything they can get from employee accounts to try to gain administrative power over the network. "Administrative passwords and other valuable information show up in archived emails," he explained.

One of Whitaker's skilled hackers will take between two and four hours to gain administrative access, he explained, and then it's off to the races. "We take screenshots of engineers' desktops, inject keyloggers, use [protocols] to dump routing tables, compromise firewalls and create tunnels," he explained.

Sometimes, Whitaker will hack into employees' webcams, just to see what they're looking at. "There was one guy who always sat at a weird angle," Whitaker recalled. "I figured out he was looking at two screens — his corporate computer, and his air-gapped SCADA computer. Since I was already in the building, I just waited until he left and then walked over to his desk."


End of the line

Through monitoring engineers' email messages, hacking into their SCADA-connected machines or simply taking screenshots as engineers log in, Whitaker's team will almost always gain access to a critical-infrastructure company's SCADA system, even if that system is air-gapped, or not connected to any other network.

"Once we're in, that's where we stop," he said. "We don't need to prove anything else."

The real danger to the company, he explained, and to the public at large, is that it's almost always possible for an outside adversary to gain access to a SCADA system that controls an electrical utility, a railway or any other kind of critical infrastructure.

"Most SCADA protocols are still transmitting in clear," or using unencrypted internal processes, Whitaker said. "That's a problem because a network attack upon an industrial control system can have a kinetic [physical] effect on the safety of others."

Taking action

But there's almost no amount of security software a company can buy, he said, that will protect it from human error and frailty. To that end, companies need to make sure their employees are informed and educated to resist social engineering attacks.

"Here's how to make my job harder," Whitaker told the audience. "Secure your people. Involve your people. Invest in your people."

Whitaker closed with an anecdote about how a simple practice using extremely time-tested technology was able to foil him.

"There was one utility company where we couldn't get into the SCADA system," he admitted. "I finally asked an engineer how they kept us out. He told me they used floppy disks, which were kept in locked drawers, to transfer data between systems."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • skit75
    Future Headline....Defense Contractor sues Big Tobacco for compromising National Defense by way of nicotine addiction!
  • Rhinofart
    Not sure I'm liking these "How to break into stuff, and how to get to a website to buy peoples CC info" lately on here. They are just advertising different methods to different crowds of doing nefarious deeds.
  • RaDiKaL_
    Nice article, it's always good to find out about as many methods as possible so one can take proper action to prevent them. No doubt social engineering is the weakest link when securing a company's network/information.
  • itsnotmeitsyou
    That last paragraph was some Galactica level sh-t. Love it.
    Not sure I'm liking these "How to break into stuff, and how to get to a website to buy peoples CC info" lately on here. They are just advertising different methods to different crowds of doing nefarious deeds.
    Then show your boss. I'm not sure I like the truth about how fragile our protections systems are either. Unfortunately, its the truth. Time to fix it.
  • merikafyeah
    Foiled by the floppy disk. LOL Old-school FTW. The only thing more obscure now would be a ZIP disk. Unless they're talking about 5.25" floppy disks in which case color me impressed.
  • Pailin
    The more such vulnerabilities are highlighted the sooner those weak links are strengthened. All this leads to a better infrastructure safer from attacks. Each time a company hides its data breaches to save public face = the attacker safer and more easily can move onto the next victim(s). Outing these issues publicly is the fastest way to securing those weaknesses on a broad scale :)
  • ddpruitt
    Not sure I'm liking these "How to break into stuff, and how to get to a website to buy peoples CC info" lately on here. They are just advertising different methods to different crowds of doing nefarious deeds.
    Actually this is the oldest and most reliable way to get access to a system. I've occasionally used social engineering when gaining legitimate access to a system would take too long (needing access to files for my work off a secured server, etc). I'm aware of a number of systems that transfer sensitive information in plaintext because they are isolated. The companies running these systems found that they had more breaches from people doing something stupid than the security actually being broken, it was more cost effective to train the people using the system than to try to make it impenetrable. People have been the weakest link for a long time, sadly few realize this fact.