When employees clicked on the link, they were directed to a Web server set up by Winkler and his team. The employees' machines displayed an error message, but the server downloaded malware that enabled the team to take command of the machines. "Then we had full system control," Winkler says. "It was effective within minutes."
Winkler says SCADA systems are inherently insecure because they are software running on standard operating systems on standard server hardware, making them subject to all the vulnerabilities of those systems.
Power companies' desire to not risk interrupting service with software upgrades that could improve security perpetuates the inherent weaknesses, he says. "The power grid is so poorly maintained that it is easier to attack than most other systems and networks," he says. "They hope for the best and make the risk-avoidance excuse if something goes wrong."
Winkle says his talk doesn't expose power networks to any more danger than they face now. "The real bad guys already know what I'm saying," he says. "There is the potential for serious damage."
Winkler says power companies need to adopt SCADA software that is better tested for vulnerabilities and engineered for rapid patching when flaws are found. They also need to segment their networks so a breach from the Internet cannot reach the SCADA network.