How a USB Stick Plugged In During a Penetration Test Discovery Meeting Owned the Central Energy Plant in Minutes
Mike MacMahon of Newcomb & Boyd has conducted numerous security penetration tests, and at NexusCon 2025, he shared how easy some of them have been. At a central energy plant, MacMahon walked into an office for a meeting, leaned over the desk to make small talk, and quietly unplugged the network cable from the tower beside him. He swapped in a LAN Turtle — a USB-powered Linux device that introduces itself to Windows as a network adapter. Windows held the connection. The device sat on the desk with a small label saying "don't touch - IT," giving it enough credibility that no one would touch it.
Once plugged in, the LAN Turtle reached out to the internet and opened a remote tunnel. From his car in the parking lot, he opened his laptop, tunneled into the device, and ran network discovery in the background. The central energy plant's control equipment was on the same flat network as the office machines. Every control device was at its default password. A small USB stick had given him virtually full control of the central plant.
MacMahon's larger point was that commercial buildings are full of simple, unaddressed vulnerabilities like these: default passwords, flat networks, and a willingness to leave an unknown USB in a server. Securing our buildings starts with a cultural shift toward constant security consideration. His framing for the room was that cybersecurity in buildings is the thing everyone assumes someone else owns, so nobody owns it. It moves forward when someone is willing to bring it up, ask the awkward question, and hesitate before saying yes, regardless of where they sit on the org chart.

This is a great piece!
I agree.