
Marnie Surfaceblow: Marnie and Maya—She Spies

Critical plant control systems can be vulnerable to both physical and remote attacks. Marnie and Maya demonstrate some of these vulnerabilities as they become white-hat hackers at a biomass power plant.

The hotel room had the atmosphere of a tiger pit, as Maya Sharma, lead field engineer of Surfaceblow and Associates International, was vexed almost to the point of rudeness. “Ma’am, I am not comfortable with this assignment!” she protested.

Marnie Surfaceblow, vice president of said company, tried to put her best employee and friend at ease. Sitting at the meager desk in her room, she poured the last cup of her second pot of coffee and motioned for Maya to have a seat. “Maya, Maya, don’t worry. This is going to be so much fun! Just pretend you’re a secret agent, infiltrating the enemy’s base and sabotaging their master plan for world domination!” she exclaimed.

Shaking her head, Maya retorted, “Ma’am, I am an honest person! Acting as a thief, spy, or vandal in our client’s facility—it is most dishonorable!”

Putting on her serious face, Marnie leaned forward and held Maya’s hands. “Maya, my friend, by acting dishonorably by specific request of our client, we are actually behaving with the utmost honor,” Marnie assured her. “This white-hat security audit will help our client protect their systems by finding system vulnerabilities, security holes, and improving awareness among their staff, thus keeping this facility operating safely and reliably.”

The two women discussed the details of their plan. Maya would attend a VIP tour of a new ultra-supercritical biomass power plant to find security risks and acquire confidential information. Meanwhile, Marnie would use social engineering from her hotel room to work her mischief.

“Extraordinary efforts go into protecting assets from viruses and bots, but many security breaches are based upon human factors. And remember the most important thing,” Marnie emphasized, “we can only compromise their security without causing any significant disruption.”

Maya looked down to hide a smile as she said, “Ma’am, there are those who say you often cause significant disruption wherever you are found.”

“All in the cause of being an exemplary engineer,” Marnie cheerfully replied.

Hunting Expedition

The tour guide at the Greenleaf biomass power plant was Phil Weiss, an experienced engineer mere months from retirement. His guests for the tour represented several engineering firms, and he greeted each in turn as they received their visitor badges at the guard shack. As Phil greeted Maya, he said, “Glad to have you today, Ms. Sharma. Shame that Ms. Surfaceblow couldn’t make it.”

After an awkward hesitation, Maya replied, “Apologies, sir. Ms. Surfaceblow is … currently hunting … polar bears.”

“Polar bears? Where is she doing that?” replied an amazed Phil.

“I … think … Utah. Excuse me sir, I did not receive my visitor’s badge. Can you help me please?” Maya asked with an embarrassed smile.

“Sure, with all the guests here they probably overlooked you. Let me just grab one for you,” Phil said. As he turned to acquire a badge from the guards, Maya smiled nervously as she patted her original visitor badge in her pocket. Phil helpfully brought her a new visitor badge (Figure 1) and began his introductory speech to the group.

1. Never assume honesty. Power plant security depends on vigilance in verifying every visitor’s identity and intent. Source: POWER

Frowning and rummaging in her purse, Maya turned to face the guard station, where an old guard and a young one were listening to Phil with mild interest. Approaching the young guard, Maya smiled sweetly and said, “Excuse me sir, I lost my phone. Can you call mine please so I can find it?”

“Sure thing, ma’am,” the guard eagerly replied. “What’s your number?”

Feeling very nervous but pressing onward, Maya said, “Well, it’s an Indian phone number, so you have to dial a code first. It’s *82 555-444-6666.” In mere seconds her phone rang in her purse. Maya retrieved it while looking embarrassed, thanked the guard, and rejoined the tour group. As they walked to the personal protective equipment (PPE) station, she silently texted the guard station phone number to Marnie.

Meanwhile, Marnie lounged in her bathrobe, enjoying her third pot of coffee while phoning the plant receptionist. “Hello ma’am, I’m Jeanie Gold from corporate IT. It’s my first week on the job,” she said. “I’m trying to reach some big-shot engineer on duty today in the control room. I declare, I’m so nervous, I forgot their name. Do you know who I’m talking about? I’ll probably recognize the name once you say it.”

“You mean Chief Operator Martha Kolacia?” suggested the friendly receptionist.

“Martha, that’s it! Thank you so much. I really owe you one. Would you do me a giant favor and transfer me to her?” Marnie asked politely. “Tell her it’s Jeanie Gold from the Langley Falls center. Thanks so much!” As Marnie hummed along to the on-hold music, she devised the next tactic in her strategy.

Now You See It, Now You Don’t

“Our control room here is state of the art. We have remote monitoring and diagnostics over a secure internet connection to give us third-party real-time assessment of how we’re doing—and what we could do better,” Phil slyly joked to the tour group, of whom only Maya laughed. Then, raising her hand, she asked, “Excuse me, sir, as your plant is remote in this forest region, do you have backup communications if your monitoring and diagnostics lines are compromised?”

Phil nodded and said, “Sure, let me ask our chief operator here, Martha Kolacia. Martha, what do you do if the main datacom line goes down?”

Martha, who looked a little annoyed at a tour group in her control room, replied, “We just archive data locally until comms are restored. There’s nothing so urgent we need to send it right away. For reliability, we separate the voice lines from the data lines.” Martha’s phone rang, and as she turned to answer it Phil checked that each guest had their PPE ready and led the group out the control room door. Maya dutifully followed, worrying that someone would miss the two USB drives she had swiped from one of the operator stations.

Sticky Situation

Marnie’s hotel desk was covered with sticky notes containing names and numbers, in some cases connected by lines drawn on the surface with marker pens. Marnie, now in her second hour on the phone, was working her magic.

“Martha, sorry to bother you again, but corporate says I need someone with authority. We’re testing the data link to make sure it’s ISO 17828:2025 compliant. We’re going to need you to shut down the system from your end, because shutting it down from our end triggers a security alarm. Then, the IT police would be hassling you folks at the plant doing the real work. I’m just trying to make this as easy as possible to get out of your hair, OK?” Marnie said.

Martha asked how long the testing would take, to which Marnie responded, “Maybe half an hour. Do you have an assistant you could dump this on?” she asked. Martha suggested Sanjay Wilson. “Can you patch me to his number, and maybe give me an introduction?” requested Marnie. Martha was very accommodating, and Marnie was appreciative. “Awesome possum! Thank you!” she said.

Truck Stop

Phil spoke to the tour group as they walked along the biomass handling fuel flow path. “We typically get 250 trucks of wood waste for six days a week. Each truck holds 40 tons, so that’s roughly 10,000 tons a day,” he explained. “We receive trucks for 16 hours a day from more than a dozen suppliers, and it’s a right pain if anything disrupts that schedule. For example, if too many folks send their trucks here at once, we have to send them back on the road to circle around, waiting until they can get on our plant road and not be backed up on the highway.”

“Like airplanes in a holding pattern?” asked one of the guests.

Nodding agreement, Phil replied, “Pretty much. If too many trucks start driving around waiting to unload, or parking along the local roads, the county can—and will—penalize us.”

“Who are your primary suppliers, sir?” Maya asked sweetly.

Holding up his hands, Phil replied, “We try to keep that secret, seeing as there’s some environmental groups that harass the folks selling us logging waste.”

“I understand sir, please ignore my improper question,” Maya said. As Phil led the group to view the biomass pile, Maya darted into a nearby maintenance building. Retrieving two 5G remote cameras disguised as electrical switches, she aimed their lenses toward the truck entrance, aligning them to observe every truck entering the plant.

Selfie Sabotage

Marnie was in high acting form and loving it. “Now Sanjay, full disclosure, this isn’t ‘by the book,’ but you know we all bend the rules sometimes, right?” she said. “For example—just between us—last month IT did employee security compliance assessments for all employees, remember?”

“I think so. You people are always sending us security alerts, it’s hard to remember any of them,” Sanjay guardedly replied.

Smiling at her good luck, Marnie closed the jaws of her trap. “Well Sanjay, they found some photos posted on your Facebook page from last month, just selfies you took in the control room one night. Unfortunately, you can see plant operations screens in the background of them, and that’s a no-no,” she admonished.

Sanjay blanched with trepidation, responding, “Sure, but you can’t make out anything on them.”

“I’m afraid it doesn’t matter,” Marnie replied in a sober schoolmarm voice. “Did you know that your phone’s camera also recorded the GPS coordinates where each photo was taken, as well as your phone’s model number and your name, giving hackers vital information about where you work?”

Clutching his head in mute horror, Sanjay was unable to reply.

Sighing exaggeratedly, Marnie said, “How about this, Sanjay? If you can help me finish fixing this IT issue by shutting off your data communications connection for 45 minutes, then I’ll hang up and give you time to clean up your social media. I’m sure by the time I phone you back to turn the data communications back on that I’ll be able to report that all non-compliant photos are gone from your account.”

“Thank you so much ma’am!” Sanjay said with relief, as the specter of unemployment suddenly fled. “I’m shutting it down right now … um, ma’am, there’s an alarm going off … it’s about shutting down the data communications,” he said.

“Hmmmm,” Marnie replied. “Oh, that. That’s a normal security measure, and I’m glad to see it’s still working! There should be an option to cancel that awful noise. Now, you go sanitize your social media, and don’t take any other calls until I call you back in 45 minutes. Thanks!”

As she hung up on the grateful yet clueless Sanjay, Marnie steepled her fingers and plotted her next move. “This is so easy, it’s somewhat scary,” she thought.

Training Day

“This simulator room is a duplicate of the main control room,” Phil told the tour group. “We can train operators by having them shadow current operations or even replay past events—like turbine trips—to test our trainees. We can also run the whole plant from here if something goes wrong in our main control room.” He led the group into the simulator room to let them look around. Seeing Maya standing with her hand raised, he said, “Yes, Ms. Sharma.”

“Sir, your facility is very impressive! Can you show me an example of a past simulation?” Maya asked eagerly.

“Sure, let me just log into the system,” Phil replied with equal eagerness. As Phil sat at the nearest operator station, Maya stood closer than necessary, her sharp, dark eyes noting Phil’s username and password.

The Setup

“Mr. Goodman, I’m calling from information security. How are you doing today?” Being a familiar voice to the helpful plant receptionist, Marnie was now talking to James Goodman, one of the site security staff. “Say, I’ve been working with Martha Kolacia and Sanjay Wilson about an issue with the plant alert system, specifically the RA-Rolling Alert System,” she said. The voice on the other end of the phone was being as helpful as possible.

“Yeah, the RARAS—you have been trained in the system, yes?” Marnie asked. James responded affirmatively. “Great! It’s vital a man in your position is fully up to date on our plant alert system. We’re counting on you to help make sure that everyone at the plant is engaged in our safety and security culture,” said Marnie.

Somewhat overwhelmed by Marnie’s convincing corporate speech and name dropping, James just replied, “Of course, ma’am. Now how can I help support you today?” he asked.

“I adore that can-do attitude, James,” Marnie replied, spinning in her hotel room chair as she sensed victory was near. “It’s really easy, I just need you to go onto the intranet to our standard emergency alert message folder—it’s under a folder named ‘Security’—and update the automated plant emergency alerts with the latest files.”

James frowned as his web browser refused to open the intranet, instead responding with a message saying, “You appear to be offline.” He informed Marnie of the situation.

“What? Let me check … it’s working fine for me, James. OK, I’ll just e-mail it to you,” she said, to which James noted that his e-mail was down too. “All your data access is GONE!?! OK, James, DON’T PANIC—just hold the line while I check with headquarters. STAY CALM, James, together, we’ll get through this!”

Marnie placed James on hold, then sent a text: “Holly: Operation Bob Ross is go.”

She poured herself another coffee, and continued a crossword puzzle she had started on the flight. “An eight-letter word for ‘easily misled’, starts with g … gullible! Oh, how perfect!” Marnie thought.

Special Delivery

The phone rang at the guard station—it was a direct call, but from an outside number. Mildly curious, the older guard answered to hear an urgent voice with an odd accent.

“Hello? Hi, you know that VIP tour we’re doing? Well, we got a whole heap of catered food supposed to be here. Is it here?” the voice asked, to which the guard responded negatively. “Rats! Send the caterers up as soon as they get here! These are VIPs and they’re hungry!”

The phone disconnected, and before the older guard could say one word to the younger one, their hut was invaded by a cacophonous crowd of contractors wearing identical brown jumpsuits and carrying tools, ladders, and large plastic sheets. An older gentleman who seemed to be in charge passed out business cards and announced, “How-DY! We’re from ‘As Best As Possible Asbestos Abatement,’ and we’re supposed to start working here to scan every surface for asbestos. Now, if you wouldn’t mind grabbing your personal items and exiting this shack for a couple hours, we can get out of your way in a jiffy!”

Flabbergasted, the guard started asking questions, then paused upon seeing a line of cars pulling up to the plant entrance. As the pizza delivery drivers arrived, each walked up to the guard hut carrying leaning towers of pizza. Overwhelmed by the noise from the asbestos contractors and questions from the pizza delivery drivers, the guards had no chance of noticing that one of the contractors, a small Chinese-American woman, slipped past the security gate and into the main building.

Sound Check

Checking the time and nodding to herself, Marnie took James off hold (Figure 2).

2. Don’t let your guard down on the phone. Security breaches often begin with a seemingly innocent call from a stranger. Source: POWER

“Did you get the files from the intranet? No? Oh wow, this is bad. Do you have a cell phone with an internet connection? You do. Whew!” Marnie exclaimed. “OK, here’s what you need to do to save the day. I need you to go to this external intranet address I’ll read out.” Marnie waited, until James said, “I’m there.”

“Great, we’re almost done,” she continued. “There’s a single audio file linked on that page I sent you to, that says, ‘Security Message Update 1.2.’ DON’T click it yet. Since the plant alert systems are offline, I need you to get on the plant PA system, change to the channel for addressing the entire plant, and in just two minutes from now, at 12:00 high noon, you need to click that link and hold your phone up to the PA microphone. Play it loud and don’t stop until the message is done,” Marnie directed. “We’re all depending on you, James!”

Rick Astley Delivers a Message

“Ladies and gents, it’s about lunch time, and I got a text from the guards saying a whole lot of pizzas are here for us…” Phil paused, interrupted by a loud message over the plant PA system, echoing across the entire plant site.

“Never gonna give you up, never gonna let you down, never gonna run around and desert you…”

Maya laughed until her cheeks hurt.

Painting the Picture

The Greenleaf board of directors was silent with thoughtful concern after Marnie and Maya finished the presentation accompanying their final report. Both women worried they had gone too far in their security audit, until the room echoed with a guffaw of laughter from Greenleaf CEO Tom Sullivan.

“You ladies take the cake! Maya stole hardware and a high-level password, planted spy cameras, and distracted everyone with a ton of pizza. And Marnie, you systematically tricked our staff into Rickrolling the entire power plant!” he exclaimed.

Marnie put her hand to her head. “Dang it, I forgot—you have a new employee, Holly Chin. She snuck in during the asbestos and pizza flash mob. She’s an improv comedienne who’s been doing ‘landscape audits’ for the past two weeks,” she noted.

Frowning deeply, Tom made a quick call to the plant. After hanging up, he sat down heavily and said, “She’s been painting the power plant—on canvas, with oil paints. Everyone just assumed she should be there, because she was there,” he reported.

“Told you it would work,” Marnie said to Maya, who replied, “Pizza and asbestos are powerful distractions.”

“We’ve seen your report, but you’ve left out the recommendations,” one board member said. “How do we keep this from happening again?”

“Your greatest weakness was from human factors,” Maya replied. “Stealing USB drives and installing secret cameras aside, how did I acquire two visitor badges? How did I acquire the guard shack phone number, and the control system password? Better policies must be implemented, and always obeyed.”

“My tool was false familiarity—gaining the trust of the first person,” Marnie added. “After that, I could keep referencing names, numbers, policies, until, for all anyone knew, I had worked there 25 years. If a manager calls a subordinate and says someone is from IT security and they should do what they say, most of the time the subordinate will do just that.”

“Policies and protocols must be crafted to have more joint discussion—in many cases, the employees acted without asking a third party for confirmation,” added Maya. “Had the first link in the chain of Ms. Surfaceblow’s deceit contacted their real IT department, her scheme would have quickly unraveled. Develop a program of challenging and testing your staff, physical security, and policies.”

“Note that hiring outsiders can be highly effective,” Marnie added, “especially those adept at adaptation, because it can be almost impossible to predict how intruders will try to bypass your security. For example, consider hiring Holly to keep painting your plant—she has a sharp eye for detail and will easily notice things that change suddenly or are out of place.” After thinking for a second, Marnie added, “She could be the Bob Ross of the power industry, painting ‘relaxing stack plumes’ and ‘happy little biomass conveyors’!”

Una Nowling, PE is an international power and energy operations consultant.