In the US, the Department of Homeland Security (DHS) has confirmed that a public utility’s security was compromised during cybersecurity monitoring between January and April 2014.
The DHS's Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, has released its Q1 2014 report, stating that “a public utility was recently compromised when a sophisticated threat actor gained unauthorized access to its control system network”.
The report confirmed that the breach of the software occurred through “internet-facing hosts” or a web-connected desktop PC, which will be used by nearly every utility with a smart grid-enabled control system.
The utility did have some “simple” password protections, but “the authentication method was susceptible to compromise via standard brute forcing techniques,” the report stated.
The report defines ‘brute forcing’ as “flooding a password portal with password attempts until the right one is found”.
Beyond this one successful intrusion, ICS-CERT discovered that the utility’s “systems were likely exposed to numerous security threats, and previous intrusion activity was also identified”.
ICS-CERT reported that another unprotected, internet-connected control system operating a “mechanical device” had been breached, in a way that opened its SCADA network to access and possible control.
This utility had no firewall or password protections at all.
In both cases, the unknown intruders didn’t do anything with their access once it was gained, according to the report, but the news comes as pressure mounts in the US to shore up cybersecurity for critical infrastructure such as energy companies.
Energy sector targets made up 53 percent of all industrial control security incidents that ICS-CERT reported between October 2012 and May 2013, up from 40 percent in the previous reporting period.