Everyone is talking about the connected world, the Internet of Things, smart metering and smart buildings. The ironic part is that we have totally failed to put proper safeguards in place to prevent theft and hacking, leaving us with a dumb grid, dumb buildings and a dumb connected world.
Unauthorized Access
In May 2014, the Department of Homeland Security confirmed that a “sophisticated threat actor” (i.e. a hacker) had gained unauthorized access to a power utility’s control network (the computers that help operate the electrical grid and power plants). They did it simply by trying many different password combinations, a brute-force attack and one of the oldest tricks in the book.
The power control system software ran on a desktop PC that was connected to the Internet. Apparently the passwords were not very complex and no other protections were in place. Such protections might have included:
- Denial of access (account lockout) after “x” failed attempts
- Monitoring software that alerts system administrators to the attempts
- A firewall
- Isolation techniques, such as tiered levels of access to critical systems
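The first two items on that list are simple to implement and would have defeated the attack described here. The following Python example, added to this article and not taken from any utility's or vendor's software, replays constructed authentication log lines (the log format, usernames and addresses are invented for illustration) through a guard that locks an account after five failures within ten minutes and records an alert for the administrators. Note that once the account is locked, even a correct password is refused until the lockout expires, which is what stops a lucky guess late in a brute-force run.

```python
"""Login-attempt guard: lockout after N failures in a window, plus admin alerts.

Added example for this article. The log format and the sample lines below
are constructed for illustration and do not come from any real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, RFC 5737 test addresses).
SAMPLE_LOG = """\
2014-05-01T02:00:01 auth: FAILED login user=operator src=203.0.113.7
2014-05-01T02:00:03 auth: FAILED login user=operator src=203.0.113.7
2014-05-01T02:00:04 auth: FAILED login user=operator src=203.0.113.7
2014-05-01T02:00:06 auth: FAILED login user=operator src=203.0.113.7
2014-05-01T02:00:07 auth: FAILED login user=operator src=203.0.113.7
2014-05-01T02:00:09 auth: SUCCESS login user=operator src=203.0.113.7
2014-05-01T02:10:00 auth: FAILED login user=engineer src=198.51.100.2
2014-05-01T02:45:00 auth: SUCCESS login user=engineer src=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


class LoginGuard:
    """Deny access after `max_failures` failed attempts within `window`.

    While an account is locked, every attempt is refused (even one where the
    password check reported SUCCESS) and an alert is recorded for the admins.
    """

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=30)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> datetime the lockout expires
        self.alerts = []                    # messages that would go to the admins

    def _prune(self, user, now):
        """Drop failures older than the sliding window."""
        q = self.failures[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def decide(self, ts, result, user, src):
        """Return 'LOCKED', 'DENY' or 'ALLOW' for one authentication event."""
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            # Locked account: refuse regardless of what the password check said.
            self.alerts.append(f"{ts.isoformat()} attempt on locked account {user} from {src}")
            return "LOCKED"

        if result == "SUCCESS":
            self.failures[user].clear()
            return "ALLOW"

        self._prune(user, ts)
        self.failures[user].append(ts)
        if len(self.failures[user]) >= self.max_failures:
            self.locked_until[user] = ts + self.lockout
            self.failures[user].clear()
            self.alerts.append(
                f"{ts.isoformat()} LOCKOUT {user}: {self.max_failures} failures "
                f"within {self.window} (last from {src})"
            )
        return "DENY"


def replay(log_text, guard=None):
    """Feed every parseable log line through the guard; return (decisions, guard)."""
    guard = guard or LoginGuard()
    decisions = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        decisions.append(guard.decide(*event))
    return decisions, guard


if __name__ == "__main__":
    decisions, guard = replay(SAMPLE_LOG)
    for line, d in zip(SAMPLE_LOG.splitlines(), decisions):
        print(f"{d:6} {line}")
    print("\nAlerts for the administrator:")
    for a in guard.alerts:
        print(" ", a)
```

Run as-is, the fifth failure against `operator` at 02:00:07 triggers a 30-minute lockout, so the correct password two seconds later is still refused; the single failure against `engineer` never reaches the threshold and the later login is allowed. In a real deployment the alerts would go to a SIEM or a pager rather than a list, and the thresholds would be tuned so that an operator typing a password wrong twice during an outage is not locked out of the HMI.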
The government agency ICS-CERT (the Industrial Control Systems Cyber Emergency Response Team) found that this was not the first incursion; another control system, with SCADA-controlled mechanical devices, had also been accessed (no further detail was provided). Fortunately the intruders did not take any further action once they gained access.
According to ICS-CERT, 53% of all the industrial control security incidents it handled between October 2012 and May 2013 were in the energy sector.
Brute-force password attacks are not the only cyber threat to guard against. Malware can arrive on thumb drives plugged into laptops and desktop PCs, hidden inside software, or attached to emails.
In 2013, researchers using the SHODAN search engine found an estimated 40 to 50 million connected, addressable devices reachable on the Internet. Of these, 45% had poor security, ran with factory default settings, or could easily be bypassed because their firmware or software was out of date. These devices include many commonly used in industrial automation, temperature and ventilation control, and safety systems, such as:
- Remotely managed server platforms, via Baseboard Management Controllers (BMCs) speaking the Intelligent Platform Management Interface (IPMI) protocol
- Programmable logic controllers (PLCs)
- Remote terminal units (RTUs)
- Temperature, humidity, light and motion sensors
- SCADA human machine interface (HMI) servers
- Certain medical devices
- Traffic management systems
- Automotive control systems
- Traffic light control systems
- HVAC systems
- CCTV and webcams
- Serial port servers
- Data radios
Given that manufacturers and power utilities are not going to give up the benefits of “big data”, security needs to be managed like a core business operation. Utilities like Alliant Energy and Pepco are reorganizing their corporate structures to bring cyber-security to the forefront.
Action Steps:
Check out ICS-CERT; consider sending someone to their training, or at least sign up for their alerts and advisories.
Source:
http://www.darkreading.com/new-gaping-security-holes-found-exposing-servers/d/d-id/1140063