Well, at least they were white-hat hackers. BetaNews reported that an anonymous power company hired Internet Security hacker Ira Winkler to attempt to hack into and take over a power grid. The results were somewhat disturbing.
Ira and his team hacked the power grid in a matter of hours by using browser exploits and old-fashioned social engineering.
In order to get the power company employees to reveal sensitive access details, the hackers sent employees a fictitious email explaining that the power company was planning to cut their benefits. The email contained a link to an exploited website where employees could get “more information” – which they naturally did. After clicking the link, they were hacked.
Thereafter, the hackers had all necessary access to do whatever they wanted, including the self-destruction of power generators. According to Winkler, many of these software exploits were successful because the companies had not applied software upgrades and patches because doing so would result in system downtime.
So, should companies schedule downtime on their own schedule or wait until they are hacked and let the bad guys schedule the downtime for them? Hmm… According to Winkler, he stopped the hack within a few hours because it was painfully obvious that it was completely successful.
In June of 1998, Wired published an article called Hacking the Power Grid and here is an excerpt:
With deregulation, there is an increasing interest in energy futures trades at the commodities exchange on Wall Street. [IBM senior consultant Nick] Simicich said hackers might use social engineering techniques to obtain passwords to computers with access to the networks containing sensitive information from these sources.
It looks like little has changed… Social Engineering works because there is no patch for human stupidity.