How to turn off a smart meter the hard way

April 14, 2022 By Lee Teschler

Potential cyber attacks have a lot of people worried thanks to the recent conflict in Ukraine. So it might be appropriate to review what happened when cybersecurity firm FireEye’s Mandiant team demonstrated how to infiltrate the network of a North American utility. During this exercise, Mandiant hacked into the utility’s industrial control systems and switched off one of its smart meters.

A point to note is that most large industrial firms wall off their industrial networks from their ordinary IT networks somehow. And the utility that Mandiant stress-tested thought it had protected its network this way. These measures slowed Mandiant down but didn’t stop its researchers from eventually owning the industrial network.

In the first phase of the attack, the Mandiant team adopted techniques used by Iranian hackers to breach an industrial network in an attack on a Saudi petrochemical plant. The usual approach, says Mandiant, is to first break into the company IT network, rather than the industrial network, to collect information about security operations.

The way Mandiant hacked into the network during its exercise was almost embarrassingly simple: It sent an email whose attachment, a Microsoft Office document containing auto-executing macro code, carried a link to a malicious file. This got the white-hat hackers to a point where they could execute code on a single user workstation connected to the IT side of the network. Then they used a set of publicly available offensive security tools to make it look as though their code had the privileges of a domain administrator.

It is interesting to review some of the tools they employed, all of which are publicly available. One called ldapsearch retrieves information from LDAP servers (which often store usernames and passwords). Another called PowerSploit is a collection of programs written in PowerShell, the scripting language used to manage IT resources. Typical PowerSploit tasks include listing installed security packages, impersonating logon tokens, and creating logons without triggering suspicious event warnings.

To get from the initial compromised workstation out to other equipment installed on the network, the Mandiant hackers used a program called WMImplant, also written in PowerShell, to access remote servers and run programs or issue commands on them. Then a program called Mimikatz extracted credentials for local user and domain administrator accounts.
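The chain above (an Office macro launching a shell, then PowerShell run remotely through WMI) leaves a recognizable trail in process-creation telemetry. The following detection logic is an added example for this article, not Mandiant's tooling; it assumes Sysmon-style field names, and the rule names and sample events are constructed.

```python
"""Flag process-creation events matching the attack chain described in the
article: an Office application spawning a shell (macro execution) and a shell
started under the WMI provider host (WMImplant-style remote execution).
Field names follow Sysmon Event ID 1; all sample data is constructed."""
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe"}
# PowerShell's encoded-command switch, commonly used by macro droppers to
# hide the script body from casual inspection (assumed switch spellings).
ENCODED = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\b")


def basename(path):
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the list of rule names that fire on one process-creation event."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    cmdline = event.get("CommandLine", "")
    hits = []
    if parent in OFFICE and child in SHELLS:
        hits.append("office_macro_spawned_shell")
    if parent == "wmiprvse.exe" and child in SHELLS:
        hits.append("wmi_remote_execution")
    if child == "powershell.exe" and ENCODED.search(cmdline):
        hits.append("encoded_powershell")
    return hits


def scan(events):
    """Return (host, image, rules) for every event that fires at least one rule."""
    return [(e["Computer"], e["Image"], classify(e)) for e in events if classify(e)]


# Constructed sample events, not real telemetry; the base64 value is a dummy.
SAMPLE = [
    {"Computer": "WS01", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand ZHVtbXk="},
    {"Computer": "SRV02", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
    {"Computer": "WS01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n report.docx"},
]
```

Running `scan(SAMPLE)` flags the first two events and ignores the benign Word launch from Explorer.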

Once they had free run of the IT network, Mandiant’s team determined targets of interest (people, processes, or technology) and looked for avenues from the IT to the industrial network. There turned out to be several ways of getting control of the industrial side. Perhaps most obvious was to get someone to copy a malicious file onto a USB stick which then got plugged into the industrial network. Mandiant also found that some applications on the industrial network accessed data and services on the compromised IT side; similarly, some applications on the compromised IT side could get to the industrial server.

Perhaps the biggest security screw-up was that the industrial utility used a single centralized admin that handled resources on both the IT and industrial network. This software resided on the IT network. So once Mandiant got control of the IT network, it pretty much had admin status on everything. That made it easy for researchers to steal login credentials for the meter control infrastructure and issue a command to disconnect the smart meter.

For a bit of irony, consider that back in 2015 a popular TV series called Mr. Robot depicted a hack of a climate control system. The show was praised at the time because experts claimed its hacking approach was realistic. The hack hinged on issuing bogus commands from a rogue controller spliced onto the industrial network, which could be accessed via an ordinary internet connection.

Today, sophisticated firewalls between IT and industrial networks, VPNs, and similar measures are supposed to thwart such antics. But clearly even companies that should know better are still susceptible to the Mr. Robots of the world.
