
Pentesting group hacks into power grid - Talk at RSA Conference

The RSA Conference is happening here in San Francisco, CA. A penetration tester by the name of Ira Winkler gave a talk at the conference stating that he was able to take control of a power grid. The article states that Winkler and his team were told to stop within hours of the attack because it worked too well. Winkler and his team harvested email addresses from SCADA user groups, performed a targeted phishing scheme, and attacked the web browsers. Once the browsers were compromised, they controlled the network. One quote from Winkler sums up the state of many control networks: “They hope for the best and make the risk-avoidance excuse if something goes wrong.”

Personally, I liked the idea of going after the user groups for email addresses. The rest of the article is nothing new for the majority of us. The network should have been segregated. The control network should not have access to the corporate network, nor access to the Internet. Of course nothing was done to the power grid, so we cannot assess how much damage a skilled hacker with no power grid experience could inflict.

Comments

Comment from Ralph Langner
Time: April 10, 2008, 8:24 am

I have heard Ira make that claim months ago, but did not see any details. Do you know if his RSA presentation included anything about HOW he would have “owned the control network”, Charles? I hold Ira in high esteem, but I have gotten somewhat sceptical about IT folks publishing stories about alleged SCADA hacks. So far I have yet to see substantial evidence for such claims.

Comment from Jake Brodsky
Time: April 10, 2008, 10:18 am

I’ll second Ralph’s quest for details. I’m curious to know what sorts of “social engineering” attacks worked, and which ones didn’t.

Keep in mind, these aren’t ordinary office people. These folk are operators. They usually know who they’re talking to most of the time. It’s part of the “inside-the-plant mentality.”

Comment from Michael Toecker
Time: April 10, 2008, 10:50 am

I’m skeptical as well. I’ve assessed ~30 transmission and generation control sites for adherence to NERC CIP and I’ve only once witnessed a situation where the systems that control the grid could access the Internet.

Now, what I have seen are business workstations on a network separate from Control network that hold Operator’s email, browsing, and other business functions, sometimes even located within the same cabinets as Control computers. These systems have no control over the grid operations, and would be as easily hackable as any other business workstation via the methods described. This allows operators access to Corporate functionality while protecting the actual systems that do SCADA.

More details please Ira, all this speculation is making my head hurt.

Comment from Stephan Beirer
Time: April 10, 2008, 11:46 am

Jake,

the article claims that they sent an email stating that recipient’s benefits will be cut. I bet this approach works quite often..;)

I doubt that the claim:

“Individual desktops have Internet access and access to business servers as well as the SCADA network, making the control systems subject to Internet threats.”

is valid for many SCADA operations (esp. throughout the power industry). But if the admins of said company haven’t done their homework and allowed such access the attack is not that unrealistic.

stephan

Comment from Charles Perine
Time: April 10, 2008, 2:57 pm

Unfortunately I wasn’t at the conference and the article lacks details that are important to those of us in the industry. Stephan covered the social aspect of the attack, threatening the operators’ benefits. Hopefully more information will be released by Ira (doubtful, bound by an NDA) or the power plant.

Comment from Ralph Langner
Time: April 10, 2008, 4:30 pm

Charles, I fear that Ira will let us continue to bump around in the dark until you apologize for misspelling his last name more than once. — BTW, the NDA argument was good. In our business, you can tell the weirdest fairy tales and get away with it by referring to an NDA. But honestly, I wouldn’t want to believe Ira falls in this category.

Comment from Charles Perine
Time: April 10, 2008, 6:28 pm

Ralph,

Thanks for the catch. The story seems very plausible and though I cannot confirm its authenticity, I am inclined to believe it.

Ira,

If you’re watching, sorry for slaughtering your name.
