Hacked Power Utility Controls Overwhelmed

Everyone is talking about the connected world, the Internet of Things, smart metering, and smart buildings. The ironic part is that we have totally failed to use proper safeguards to prevent theft and hacking, resulting in a dumb-grid, dumb-building and dumb-connected world.

Unauthorized Access

In May of 2014, the Department of Homeland Security confirmed that a “sophisticated threat actor” (i.e. hacker) gained unauthorized access to a power utility’s control network (the computers that help operate the electrical grid and power plants). They did this simply by trying lots of different password combinations, one of the oldest tricks in the book.

The power control system software was connected to a desktop PC, which was connected to the Web. Apparently the passwords were not very complex and there were no other protections in place. These other protections might have included:

  • Denial of access after “x” number of attempts
  • Tracking software that alerts System Administrators to the attacks
  • A firewall
  • Isolation techniques, such as tiered levels of access to critical systems
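
The first two protections in that list, sketched as an added example (not code from the article or from ICS-CERT): a guard that denies access after repeated failures and records an alert for the administrator. The thresholds, the `LoginGuard` class, the `replay` helper and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # the "x" in "denial of access after x attempts" (assumed value)
WINDOW_SECONDS = 300    # failures are counted inside this sliding window (assumed)
LOCKOUT_SECONDS = 900   # how long an account stays locked (assumed)

class LoginGuard:
    """Tracks failed logins per account, locks the account, and records alerts."""
    def __init__(self):
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lock expires
        self.alerts = []                     # messages for the system administrator

    def attempt(self, ts, account, source_ip, password_ok):
        """Return 'allowed', 'denied' or 'locked' for one login attempt."""
        if self.locked_until.get(account, 0) > ts:
            return "locked"                  # refused even if the password is right
        if password_ok:
            self.failures.pop(account, None)
            return "allowed"
        recent = self.failures[account]
        recent.append(ts)
        while recent and recent[0] <= ts - WINDOW_SECONDS:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = ts + LOCKOUT_SECONDS
            self.alerts.append(
                f"{account}: {len(recent)} failed logins in {WINDOW_SECONDS}s, "
                f"last from {source_ip}; locked until t={ts + LOCKOUT_SECONDS}")
            recent.clear()
        return "denied"

def replay(events):
    """Feed (ts, account, source_ip, password_ok) tuples through a fresh guard."""
    guard = LoginGuard()
    results = [guard.attempt(*e) for e in events]
    return results, guard.alerts

# Constructed sample events: (seconds, account, source IP, password correct?)
SAMPLE_EVENTS = (
    [(t, "operator", "203.0.113.7", False) for t in range(0, 50, 10)]  # 5 quick failures
    + [(60, "operator", "203.0.113.7", True),     # correct password during lockout
       (70, "engineer", "198.51.100.4", False),   # a single typo, no lock
       (80, "engineer", "198.51.100.4", True),
       (1000, "operator", "10.0.0.5", True)]      # lock has expired
)

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

Because the lock applies to the account regardless of source address, a legitimate operator is also refused until it expires, which is why the lockout is paired with an alert that someone actually reads.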

The government agency Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT) found that this was not the first incursion, and also reported an incursion into another control system with SCADA-controlled mechanical devices (no detail provided). Fortunately, the intruders did not do anything once they gained access.

According to ICS-CERT, 53% of all industrial control security incidents were energy-sector related (Oct 2012 through May 2013).

Brute-force hacking attacks are not the only type of cyber threat to guard against. Threats can be delivered on thumb-drives plugged into laptops and desktop PCs, or in malware hidden inside software or attached to emails.

In 2013, there were an estimated 40 to 50 million connected, addressable devices discovered on the Internet through the SHODAN search engine. Of these, the researchers found that 45% had poor security protocols, used the factory default settings or could be easily bypassed because they had out-of-date firmware or software. These devices include many commonly used in industrial automation systems, temperature and ventilation controls and safety devices, such as:

  • Remotely Managed Server Platforms:
  • Intelligent Platform Management Interface (IPMI) protocol Baseboard Management Controllers (BMC)
  • Programmable logic controllers (PLCs)
  • Remote terminal units (RTUs)
  • Temp & Humidity, Light, Motion sensors
  • SCADA human machine interface (HMI) servers
  • Certain medical devices
  • Traffic management systems
  • Automotive control systems
  • Traffic light control systems
  • HVAC systems
  • CCTV and webcams
  • Serial port servers
  • Data radios

Given that manufacturing and power utilities are not going to give up the benefits of “big data”, security needs to be managed like a core business operation. Utilities like Alliant Energy and Pepco are re-organizing their corporate structures to bring cyber-security to the forefront.

Action Steps:

Check out the link below to ICS-CERT, and consider sending someone to the training or at least signing up for their alerts and advisories.

Source:

http://www.darkreading.com/vulnerabilities---threats/project-shine-illuminates-sad-state-of-scada-ics-security-on-the-net/d/d-id/1140691

http://www.darkreading.com/new-gaping-security-holes-found-exposing-servers/d/d-id/1140063

https://ics-cert.us-cert.gov

Do you have personal experience with any security breach?
