
Smart grid security: the grid's biggest threat comes from your employees

Beijixing Smart Grid Online  Source: State Grid Corporation of China smart grid column    2014/1/28 10:03:18

Beijixing Smart Grid Online news: Although the electric power industry may worry about sophisticated cyberattacks, its biggest threat comes from its own employees. Utility employees are highly susceptible to relatively low-tech "phishing" attacks, which rely on "social engineering" to trick people into disclosing sensitive information.

Wikipedia defines "phishing" as "the act of attempting to obtain information such as usernames, passwords and credit card details by email while masquerading as a trustworthy organization." Unsuspecting users are often lured by such emails claiming to come from popular websites. The emails may contain links to infected websites, or may convince readers that they are dealing with a trusted source and so lead them to disclose sensitive information.

Belani, CEO and co-founder of an anti-phishing training firm, put it this way: "You send people an email ... containing information that looks believable ... people then click the link or open the attachment accordingly, and the attacker gets the initial foothold they were looking for."

Belani described an attack on an employee who monitored a SCADA system. The attacker discovered on the Internet that the employee had four children. He then carefully forged an email, in the name of the company's human resources department, offering a special health insurance deal. The employee opened the email, and the company's entire network was infected.

Critical Intelligence researcher Tyler Klinger claims engineers are vulnerable targets. He cited an experiment in which phishing attacks aimed at engineers had a success rate of twenty-six percent.

Dave Jevans, chairman and CTO of Marble Security, warns that most SCADA systems have no real security features, so they avoid being directly connected to the Internet, but sometimes a network connection is unavoidable. (Translated by Liu Yiping, Guodiantong Company, State Grid Electric Power Research Institute)

[Original] Smart grid security: The grid's biggest threat - your people

Although the electric power industry may fear sophisticated cyberattacks, its biggest vulnerability is its people. Utility employees are vulnerable to relatively low-tech "phishing" attacks that rely on "social engineering" to trick people into revealing sensitive information.

Wikipedia defines phishing as "the act of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity" in an email. Unsuspecting users are lured by emails purporting to be from popular web sites. Those emails may contain links to infected web sites. Or they may convince the readers to give out sensitive information because they think they are dealing with a trusted source.

"You send them something... that contains a believable story... and people will act on it by clicking a link or opening a file attached to it," said Rohyt Belani, CEO and co-founder of the anti-phishing training firm PhishMe to PC World. "Then, boom, the attackers get that initial foothold they're looking for."

Belani described an attack on an employee monitoring a SCADA system. The attacker discovered on the Internet that the worker had four children. He then crafted a bogus email from the company's human resources department with a special health insurance offer. The employee clicked a link in the email and infected his company's network.

Researcher Tyler Klinger of Critical Intelligence claims engineers are vulnerable to such attacks. He cites an experiment that determined that 26% of phishing attacks on engineers were successful.

Dave Jevans, chairman and CTO of Marble Security, warns that most SCADA systems have no real security. They rely on not being directly connected to the Internet, "but there's always some Internet connection somewhere."
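The article describes the two ingredients of the SCADA-operator phish: a sender posing as the company's HR department, and a link that takes the reader somewhere other than where it appears to go. The following is an added example, not code from the article or from any of the firms it quotes, showing the kind of triage check a mail gateway or SOC script can apply to an inbound message before a person ever sees it. The internal domain `utility.example`, the role words, and the sample message are all constructed for the demonstration.

```python
"""Heuristic phishing triage for one inbound email, from the defender's side.

Two checks drawn from the article's HR-benefits lure:
  1. The From display name claims an internal department (HR, payroll, ...)
     while the actual address domain is outside the organisation.
  2. An HTML link shows one URL as its visible text while its href points
     at a different host.
Domains, role words and the sample message below are constructed."""

import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the utility's own mail domain(s).
INTERNAL_DOMAINS = {"utility.example"}
# Role words an attacker borrows to look like an internal department.
INTERNAL_ROLE_WORDS = ("human resources", "hr", "it support", "payroll", "benefits")

# Constructed sample: a fake "HR" health-insurance offer sent from an outside mailbox.
SAMPLE_EMAIL = """\
From: "Human Resources" <benefits-team@hr-offers.example.net>
To: operator@utility.example
Subject: Special family health insurance offer - action required
Content-Type: text/html

<html><body>
<p>Dear colleague, as a parent of four you qualify for our new family plan.</p>
<p>Review your offer at <a href="http://login-utility-example.net/enroll">https://hr.utility.example/benefits</a></p>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def sender_claims_internal_role(from_header: str) -> bool:
    """True when the display name uses an internal role word but the
    address domain is not one of ours."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claims_role = any(word in name.lower() for word in INTERNAL_ROLE_WORDS)
    return claims_role and domain not in INTERNAL_DOMAINS


def mismatched_links(html: str) -> list:
    """Return (href_host, text_host) pairs where the link's visible text is
    itself a URL naming a different host than the href it actually opens."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        visible = re.sub(r"<[^>]+>", "", text).strip()
        text_host = urlparse(visible).hostname if "://" in visible else None
        if text_host and text_host.lower() != href_host:
            findings.append((href_host, text_host.lower()))
    return findings


def triage(raw_message: str) -> dict:
    """Parse one RFC 822 message and return the reasons it looks like a phish."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # single-part text/html in this sample
    reasons = []
    if sender_claims_internal_role(msg.get("From", "")):
        reasons.append("display name claims an internal role but address domain is external")
    for href_host, text_host in mismatched_links(body):
        reasons.append(f"link text shows {text_host} but href goes to {href_host}")
    return {"suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL)["reasons"]:
        print("suspicious:", line)
```

Both checks are deliberately cheap: they need no threat feed and no sandbox, which is the point of the article's "low-tech" framing. A message that trips either rule is a candidate for quarantine or for a warning banner, and the reason string gives the analyst something concrete to show the recipient.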
