And that’s a good thing because Carson demonstrated just how easy it is for a determined attacker to make mincemeat of a supposedly impregnable cyber defense.
In this case, the target was a power station, an installation that tightly controls access to its physical plant and where SCADA systems are used to monitor and control equipment. In other words, it’s the sort of place where security is Jobs No. 1, 2 and 3.
At least that’s the theory. It was up to Carson, who was brought on board 3 years ago, to test the institution’s security readiness. (He wasn’t able to reveal the identity of the company involved in the test.)
“It’s critically important to know how criminal hackers will target you so you can better protect yourself,” said Carlson, who talked about the trial-and-error approach he employed to gain insider access.
“When I began my resource investigation, I began to wonder what I had got myself into. Power stations are very different. Their physical security is impressive. You couldn’t get near the gates. You couldn’t fly a drone over (the installation) because it’s illegal and you couldn’t gain physical access to the perimeter.”
Other than that, it was a piece of cake.
“The first thing I always do is reconnaissance – I do a digital blueprint to understand everything that I can [about the target.] I might look at videos about what they’re doing, review resumes of people they hire, and try to understand what technologies that they are using.”
In this case, though, he needed to tweak the standard plan.
“I can’t buy SCADA systems on eBay, so I couldn’t have a hands-on look. I had to read all the available documentation on the systems, but that wasn’t easily accessible. Then I focused on, ‘Who are the easiest persons to target? Where do they go for coffee? What football teams do they support?’ Etc.”
Carson was tempted to deploy a phishing campaign that normally allows him to get a foot in the door. He recalled that he often sends victims fake emails Friday afternoons after their offices close notifying victims that they had been clocked for speeding and were now on the clock to pay a fine.
“Everyone has now gone home and the office is closed at 5. Nobody wants to break the law. Another thing we play off is time-based fear of breaking the law. We were saying that if you don’t pay the fine, it will triple within 24 hours.”
He had to modify the attack plan because his main concern was to not get detected.
“If I did a phishing campaign, it would have raised alarms and that would caused me some problems. So, I needed to change my method of access and realized I would need to get inside the power station physically,” he said.
Carson reviewed the reconnaissance data he had compiled and scoured the plant’s supply chain, thinking that he might be able to take a job that would allow him to enter the site premises. “I was even willing to wash floors to gain access,” Carson said.
He didn’t need to.
Carson discovered that a recording crew would be visiting the installation to do a television commercial and he arranged credentials as a photographer who was going to take shots of the crew.
This was a calculated risk given his notoriety within the security industry.
“I was up the night before talking with a friend about the PEN test when he said, `Joe, what if someone recognizes you?’ When you have been doing this for a long time, you get recognized.”
He did not sleep well.
But Carson’s worries were unfounded. Despite what he recalled as “impressive” physical security, he was admitted as a guest.
Lugging his camera equipment in tow, Carson look for opportunities to reach into his pockets, which were bulging with infected USB devices.
“Normally, I would scan the network. We live off the land and use your own solutions to do my scanning. In this case, I wasn’t on the network. I was watching it. I was looking for a place to plug into the network but nothing was exposed. All the controls and potential areas of entry were either locked up or protected behind cabinet doors.
By the time the crew was brought to the engine room, Carson was still stumped how to breach the network and almost ready to concede that, yes, this one time he had met his match.
“I felt I was going to fail when on an engineer’s desk, I saw a piece of printed paper containing passwords and default credentials. I was in shock. This was the keys to the kingdom and it would let me do anything I wanted.”
Victory? Not Yet
Thinking that this was going to be a slam dunk presentation, Carson reported his findings about the flaws and potential risks to the site’s cyber security to the board of directors.
“They don’t do background checks on visitors. Default passwords don’t get changed, etc. – I presented all these vulnerabilities. The board meeting ended. It was `Thank you for your time. The budget was declined and you can go home.’ I was thinking what did I do wrong?”
This was revealing. When Carson sat down with the CSO, he learned that the presentation didn’t help solve any of the board’s business problems and so his report landed with a proverbial thud.
“I talked about cyber security and I realized that I was speaking the wrong language to the board,” he said.
Carson got a reprieve and came back a couple of days later to tell the same story – but in a decidedly different way.
“This time I reported on risks but focused on things like cost and efficiency. I talked about the business and spoke to [the board] on their terms. And here is how cyber security can help you solve the goal.”
This time the message got through. And it also left Carson with words of advice for cyber security professionals when they need to interact with the decision-makers: Keep the message simple and focus on the business, not the technology.
“You need a people-centric approach,” he said. “There’s no space in this industry for complexity.”