A lot has been reported in the media around a variety of companies and the effect the Heartbleed vulnerability has had on these enterprises’ ability to secure their websites. Not that much, however, has been reported on the potential impact on utilities.
Consider this scenario: Utility ABC holds a certificate issued by a Certification Authority and relies on it to authenticate its website and secure its communications with customers.
This certificate is stolen by John Doe and used to impersonate Utility ABC in its communications.
John Doe then sends a digital communication to all users within Utility ABC’s distribution area, asking them to change passwords, verify information or update banking details. As customers do so, John Doe is able to monitor all communications between Utility ABC and its customers, bleeding off information, banking details and passwords for later use.
All very interesting, and a bit scary, but really – what does this have to do with the Heartbleed vulnerability? And why should you as a utility be concerned? No one has access to your passwords and internet keys.