Ha! I love it when people I know get their 15 minutes. Scott Lunsford from ISS IBM was interviewed in Forbes on Wednesday on the security posture of the US critical infrastructure.
The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant’s owners claimed, that their critical components could be accessed from the Internet. Lunsford, a researcher for IBM’s Internet Security Systems, found otherwise.
“It turned out to be one of the easiest penetration tests I’d ever done,” he says. “By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant. I thought, ‘Gosh. This is a big problem.'”
In retrospect, Lunsford says–and the Nuclear Regulatory Commission agrees–that government-mandated safeguards would have prevented him from triggering a nuclear meltdown. But he’s fairly certain that by accessing controls through the company’s network, he could have sabotaged the power supply to a large portion of the state. “It would have been as simple as closing a valve,” he says.
I’m sure that the infrastructure types will be up in arms about this article, but I know Scott. He actually knows what he is talking about and he is damn good at his job. Sadly, the same article went on to give Ganesh Devarajan more press for his Defcon talk.