Charles Hamilton, the chief security expert of the SpiderLabs team from the information security company Trustwave, described how he hacked into a nuclear power plant.In cybersecurity, the worst-case scenario is hackers taking control of critical infrastructure. In this scenario, cybercriminals or hackers working for a country’s government can use their exploits to endanger people’s lives.
The worst situation is when hackers gain access to nuclear power plants or nuclear missiles. It would seem that such sensitive objects should have enhanced protection against cyberattacks, but is this really so?
SpiderLabs security consultant Charles Hamilton shared his experience of conducting penetration testing at a nuclear power plant. For security reasons, Hamilton did not disclose the location and time of testing.
As explained by Hamilton, the main purpose of the testing was to find out if hackers could take control of a nuclear reactor. Fortunately, this is nearly impossible due to the physical barrier between the corporate network and the power plant itself.
Of course, we shouldn’t forget about malware like Stuxnet, designed specifically for attacks on a nuclear power plant and distributed via a USB stick. However, such scenarios are not part of a penetration testing plan.
The very first vulnerability discovered during testing was related to the contractors whose services the power plant was using. The contractors installed an unsecured Wi-Fi hotspot that became an entry point for the researcher into the corporate network.
Two hours later, the researcher already had domain administrator privileges and gained access to information about how the power plant works.
Even for companies or organizations not involved in critical infrastructure, Hamilton said, the key lesson here is that the corporate network will always be one of the most vulnerable points. Companies should always remember that their internal networks are just as vulnerable as their external perimeters.
Let me remind you that I also talked about the fact that Hacker changed the chemical composition of drinking water in a small Florida town.