Companies are smart if they understand they need a stronger security posture, says a hacking firm that has demonstrated the ease with which it fully compromised a power company.
In a 16-minute YouTube video produced by Tech Insider, St. Paul, Minn.-based RedTeam Security Consulting, contracted by a Midwestern energy provider to test its defenses, shows how at risk critical infrastructure can be. After reconnaissance and a failed attempt at social engineering a way past a dispatch center’s lobby, the white hat hackers set out to break into multiple buildings in three days.
Exploiting substandard barriers, cloned IDs and sensor blind spots to bypass physical security controls with relative ease, the "attackers" breach iPads, laptops and server rooms, gather administrator credentials and deploy malware that gives them control over microphones, webcams, screen captures and more. Covertly installing hardware botnets, the offensive team gains the ability to continually install new penetration scripts.
Without devaluing RedTeam’s techniques and resourcefulness, the video gives the impression that the power grid could be highly vulnerable to any sufficiently motivated group with some character-acting skills, programming abilities, observational abilities, tool belts, wool blankets, tin foil and sub-$100 single-board computers.
The takeaway is that the NSA is right in saying that it’s "when, not if" there’s a cyberattack, and companies that manage the power grid, among other infrastructure, must properly train their people and secure their systems to avoid catastrophe.
Watch the full video below and find more information on RedTeam at https://www.redteamsecure.com.