智能電網(wǎng)的安全性：電網(wǎng)的最大威脅來自你的員工

盡管電力行業(yè)可能會擔(dān)心復(fù)雜的網(wǎng)絡(luò)攻擊，但其最大的威脅來自于它的員工。公用事業(yè)單位的員工極易受到技術(shù)含量相對較低的“網(wǎng)絡(luò)釣魚”攻擊，這些攻擊基于“社會工程學(xué)”，能夠誘騙人們泄露敏感信息。

維基百科將“網(wǎng)絡(luò)釣魚”定義為“試圖偽裝成可信的組織機構(gòu)，通過電子郵件的形式騙取信息，如用戶名，密碼和信用卡信息的行為”。毫無戒心的用戶經(jīng)常被這些聲稱來自流行網(wǎng)站的郵件誘騙。這些郵件可能含有已被感染的網(wǎng)站鏈接，或者可能說服讀者他們面對的是一個可靠的信息源而使讀者泄露敏感信息。

反釣魚培訓(xùn)公司首席執(zhí)行官兼共同創(chuàng)始人貝拉尼如是說道：“你給人們發(fā)送郵件......里面包含看似可靠的信息...人們于是相應(yīng)地點擊鏈接或打開附件，然后，攻擊者就會獲得他們想要找到的最初漏洞。”

貝拉尼講述了一位監(jiān)控SCADA系統(tǒng)的員工所遭遇的攻擊。攻擊者通過互聯(lián)網(wǎng)上發(fā)現(xiàn)，該位員工有四個孩子。于是他精心偽造了一封電子郵件，以公司人力資源部門名義向其提供了一份特殊報價的健康保險。該員工打開了這封電子郵件，整個公司的網(wǎng)絡(luò)都遭到了感染。

緊急情報研究員泰勒˙克林格聲稱工程師都是易受攻擊的對象。他舉證了一個實驗，在該實驗中，針對工程師的網(wǎng)絡(luò)釣魚攻擊成功率達到了百分之二十六。

大理石安全公司的董事長兼首席技術(shù)官戴夫則警告說，大部分的SCADA系統(tǒng)沒有真正的安防功能，所以它們避免直接連接到Internet，但有時聯(lián)網(wǎng)是不可避免的。（國網(wǎng)電科院國電通公司 劉伊萍 編譯）

【原文】Smart grid security: The grid's biggest threat - your people

Although the electric power industry may fear sophisticated cyberattacks, its biggest vulnerability is its people. Utility employees are vulnerable to relatively low-tech "phishing" attacks that rely on "social engineering" to trick people into revealing sensitive information.

Wikipedia defines phishing as "the act of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity" in an email. Unsuspecting users are lured by emails purporting to be from popular web sites. Those emails may contain links to infected web sites. Or they may convince the readers to give out sensitive information because they think they are dealing with a trusted source.

"You send them something... that contains a believable story... and people will act on it by clicking a link or opening a file attached to it," said Rohyt Belani, CEO and co-founder of the anti-phishing training firm PhishMe to PC World. "Then, boom, the attackers get that initial foothold they're looking for."

Belani described an attack on an employee monitoring a SCADA system. The attacker discovered on the Internet that the worker had four children. He then crafted a bogus email from the company's human resources department with a special health insurance offer. The employee clicked a link in the email and infected his company's network.

Researcher Tyler Klinger of Critical Intelligence claims engineers are vulnerable to such attacks. He cites an experiment that determined that 26% of phishing attacks on engineers were successful.

Dave Jevans, chairman and CTO of Marble Security, warns that most SCADA systems have no real security. They rely on not being directly connected to the Internet, "but there's always some Internet connection somewhere."