Tuesday, March 05, 2013
Recent media reports show how power grids can be compromised by cyber attacks -- careless employees
American and western power grid and energy installations can be vulnerable to cyberattack mainly through phishing attacks by email to employees. That concept is buried in a detailed story I the New York Times Monday March 4, “As hacking against U.S. rises, experts try to pin down motive”, link here.
Defense, utility and energy systems should normally be disconnected from the public Internet, including ordinary surfing and links from social media. However corporate email seems to be available on proprietary internal systems, and this provides a way for compromise. And apparently this has happened a few times, possibly with US agencies and the Saudi oil systems, among others.
It’s a little surprising that this would be a problem, as presumably companies and government agencies should have strict rules about what can be done on process control systems. Emails and communications would presumably be heavily screened before sent over to specialized systems, which often have specialized hardware and firmware designed for harsh environmental conditions. It’s a little surprising that power companies could have the vulnerabilities implied by these reports.