For Whitaker, it starts with phishing emails targeting SCADA engineers.
"We go after you because you know how to get into the industrial control systems, and we want to find out how are you getting in there," he told attendees. "I could try to brute-force your login credentials, but it's so much easier just to ask."
How much easier? According to Whitaker, 18 percent of the people fall for these password phishing requests -- not an insignificant number, considering the fact that an attacker needs only one set of account credentials to access a network. It could start off with the spoofing of a login page for Microsoft Outlook Web Access, for example.
I've spoke about the same subjects and issues at the Suits and Spooks conference back in 2012 and again on private forums several times last year.
Putting aside the fact that engineers working on these national infrastructure sites are vulnerable (1), the software ran by the SCADA systems, the controllers, the terminals and the network devices are so out of date that it doesn't take much of an effort to find or write an exploit that can compromise them.
Red Teaming must be performed on quartely basis in order to identify and secure the vulnerabilities. Of course this requires money, time and the willingless to actually perform the penetration tests.
I'm not very optimistic.
(1) For example we discovered one engineer that went for coffee and left the laptop he used inside the secure network laying around in his car. What if a bad guy breakes in, grabs the laptop, installs a backdoor and returns the laptop? I'm just saying...