April 2022 Special Edition: Internet of Things Handbook

April 6, 2022 By Dave Miyares

How to turn off a smart meter the hard way

Potential cyber attacks have a lot of people worried thanks to the recent conflict in Ukraine. So it might be appropriate to review what happened when cybersecurity firm FireEye’s Mandiant team demonstrated how to infiltrate the network of a North American utility. During this exercise, Mandiant hacked into the utility’s industrial control systems and switched off one of its smart meters.

A point to note is that most large industrial firms wall off their industrial networks from their ordinary IT networks somehow. And the utility that Mandiant stress-tested thought it had protected its network this way. These measures slowed Mandiant down but didn’t stop its researchers from eventually owning the industrial network.

In the first phase of the attack, the Mandiant team adopted techniques used by Iranian hackers to breach an industrial network in an attack on a Saudi petrochemical plant. The usual approach, says Mandiant, is to first break into the company IT network, rather than the industrial network, to collect information about security operations.

The way Mandiant hacked into the network during its exercise was almost embarrassingly simple: It embedded a link to a malicious file in an email attachment, a Microsoft Office document containing auto-executable macro code. This got the white-hat hackers to a point where they could execute code on a single user workstation connected to the IT side of the network. Then they used a set of publicly available offensive security tools to make it look as though their code had the privileges of a domain administrator.
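As an added example (not from the article or from Mandiant), here is the kind of defender-side check a mail gateway can apply to the attachment type described above: it inspects an Office Open XML document for an embedded VBA project before the file ever reaches a user. The sample documents are constructed in memory for the demonstration; the legacy OLE2 .doc/.xls format is not handled.

```python
import io
import zipfile

# A macro-enabled OOXML document registers its main part with a ".macroEnabled" content type
# and carries the compiled VBA project as a vbaProject.bin part.
MACRO_CT_MARKER = "macroEnabled"
VBA_PART_SUFFIX = "vbaProject.bin"


def office_macro_indicators(data: bytes) -> dict:
    """Inspect an OOXML container and report the macro-related evidence it contains."""
    result = {"is_ooxml": False, "has_vba_part": False, "macro_enabled_type": False}
    if not data.startswith(b"PK"):          # OOXML is always a zip container
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace") \
                if "[Content_Types].xml" in names else ""
    except (zipfile.BadZipFile, KeyError):
        return result
    result["is_ooxml"] = True
    result["has_vba_part"] = any(n.endswith(VBA_PART_SUFFIX) for n in names)
    result["macro_enabled_type"] = MACRO_CT_MARKER in content_types
    return result


def should_quarantine(data: bytes) -> bool:
    """Policy decision: hold any attachment that shows either macro indicator."""
    ind = office_macro_indicators(data)
    return ind["has_vba_part"] or ind["macro_enabled_type"]


def build_sample(macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory (constructed test data, not a real document)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder bytes, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro-enabled", build_sample(True)), ("plain", build_sample(False))):
        print(label, office_macro_indicators(blob), "quarantine:", should_quarantine(blob))
```

The two indicators are checked independently because a renamed .docm still carries the vbaProject.bin part, and a hand-edited content-types file still leaves the part name in the archive listing.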

It is interesting to review some of the tools they employed, all of which are publicly available. One called ldapsearch retrieves information from LDAP servers (which often store usernames and passwords). Another called PowerSploit is a collection of programs written in the PowerShell scripting language used to manage IT resources. Typical PowerSploit tasks include listing installed security packages, impersonating logon tokens, and creating logons without triggering suspicious event warnings.

To get from the initial compromised workstation out to other equipment installed on the network, the Mandiant hackers used a program called WMImplant, also written in PowerShell, to access remote servers and run programs or issue commands on them. Then a program called Mimikatz extracted credentials for local user and domain administrator accounts.

Once they had free run of the IT network, Mandiant’s team determined targets of interest (people, processes, or technology) and looked for avenues from the IT to the industrial network. There turned out to be several ways of getting control of the industrial side. Perhaps most obvious was to get someone to copy a malicious file onto a USB stick which then got plugged into the industrial network. Mandiant also found that some applications on the industrial network accessed data and services on the compromised IT side; similarly, some applications on the compromised IT side could get to the industrial server.

Perhaps the biggest security screwup was that the industrial utility used a single centralized admin that handled resources on both the IT and industrial network. This software resided on the IT network. So once Mandiant got control of the IT network, it pretty much had admin status on everything. That made it easy for researchers to steal login credentials for the meter control infrastructure and issue a command to disconnect the smart meter.

For a bit of irony, consider that back in 2015 a popular TV series called Mr. Robot depicted a hack of a climate control system. The show was praised at the time because experts claimed its hacking approach was realistic. The hack hinged on issuing bogus commands from a rogue controller spliced onto the industrial network, which could be accessed via an ordinary internet connection.

Today, sophisticated firewalls between IT and industrial networks, VPNs, and similar measures are supposed to thwart such antics. But clearly even companies that should know better are still susceptible to the Mr. Robots of the world.

Leland Teschler • Executive editor
