Breaking into a power station in three easy steps

"I will tell (you) how to break into a nuclear reactor," Ira Winkler, president of security firm ISAG said as he launched into his presentation on "How to Take Down the Power Grid" at RSA 2008 on Tuesday night.

"Frankly, it's really easy to break into the power grid," he said. "It happens all the time."

First, you set up a Web server that downloads spyware onto the computers that visit.

Second, you send an e-mail to people who work inside a power station that entices them to click on a hyperlink to the Web server with the spyware. Warning them that their human resources benefits are going to be cut and sending them to a Web site with "hr.com" in the domain would work, according to Winkler, who said he has done this several times in company-approved penetration tests.

Third, you wait as the recipients--and everyone else they forwarded the e-mail to--visit the server and get infected.

"Then we had full system control," he said. "Once the malware was downloaded onto their systems...we could see the screens and manipulate the cursors."

It took about a day to set up the attack and was effective within minutes, according to Winkler.

"It had to be shut down after a couple of hours because it was working too well," he said.

This is akin to social engineering attacks that happen all the time, but this attack has more far-reaching consequences than most such attacks.

Power stations running special SCADA control software have the perception that they are more secure than other networked systems. However, they are just as vulnerable because they are connected to the Internet and run on computers that also run Windows NT, he said.

"Things are really this bad," Winkler said. "I'm not exaggerating."

Below is a video showing a staged cyber attack on a power station that Winkler showed during his presentation: