Dive Brief:
- A new report by the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reveals that an unnamed public utility was hit by multiple cyber attacks, including successful intrusions, between January and March 2014.
- In the first incident, the utility was hit with an Internet-based "standard brute forcing" attack, in which a password-protected login is bombarded with password guesses until one succeeds. In a separate incident, an Internet-accessible control system for a mechanical device, such as a turbine, switch or generator, had no protection in place and was breached in a way that gave the attacker access to the device's remote control system.
- In neither incident was the control system altered. In the second incident, the device had in fact been disconnected from the control system for pre-scheduled maintenance at the time of the intrusion.
Dive Insight:
Of the industrial control system incidents reported to ICS-CERT between late 2012 and May 2013, 53% hit the energy sector, a 13% increase over the previous reporting period.
Earlier this year, the Department of Energy released updated cybersecurity guidelines for utilities, which placed a renewed focus on the security of power delivery systems. The guidelines came after a sniper attack on a California substation brought grid security back into the spotlight.
Part of the problem has been a blinkered approach by utilities to grid improvements and upgrades, such as smart energy efficiency and demand response technologies, which are ultimately vulnerable to these kinds of attacks, according to Eric Byres, security expert at grid communications and IT vendor Belden. “What matters to the power industry is availability, availability, availability -- mixed in with a lot of safety,” he said.
The new report from Homeland Security recommends utilities "take immediate defensive action" and follow these guidelines to help protect themselves:
- Audit their systems for Internet-connected devices, poor authentication strategies, and obvious vulnerabilities.
- Put remote-control devices behind firewalls.
- Isolate control devices from the business network.
- If remote access is necessary, require a Virtual Private Network (VPN) for it.
- Remove or replace any default system accounts (in other words, don't keep the manufacturer's default password).
- Implement account lock-out policies to protect against brute forcing.
- Ensure strong passwords are used throughout the company hierarchy.
- Monitor third-party vendors' accounts and capabilities.
- Quickly apply patches to reduce the impact of any discovered vulnerabilities.
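The lock-out recommendation above is the one directly aimed at the brute-forcing attack described in the report. As an added illustration (not code from the report or from any vendor), the following Python replays constructed authentication log lines from a hypothetical remote-access gateway through a sliding-window lock-out policy. It goes slightly beyond the single-account case in the text by also counting failures per source address, so that guessing one password across many accounts ("spraying") is caught too. The log format, host names, account names and thresholds are all assumptions made for the example.

```python
"""Account lock-out against brute forcing, replayed over constructed auth log lines.

Two counters are kept: failures per account (classic brute force against one
login) and failures per source address (the same password tried across many
accounts). Either one reaching the threshold inside the sliding window starts
a lock-out, and every attempt during the lock-out is refused, even a correct one.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from the ICS-CERT report). The line format is a
# hypothetical gateway authentication log; addresses are documentation ranges.
SAMPLE_LOG = """\
2014-02-10T03:14:01Z host=hmi-gw user=admin src=203.0.113.7 result=FAIL
2014-02-10T03:14:02Z host=hmi-gw user=admin src=203.0.113.7 result=FAIL
2014-02-10T03:14:03Z host=hmi-gw user=admin src=203.0.113.7 result=FAIL
2014-02-10T03:14:04Z host=hmi-gw user=admin src=203.0.113.7 result=FAIL
2014-02-10T03:14:05Z host=hmi-gw user=admin src=203.0.113.7 result=FAIL
2014-02-10T03:14:06Z host=hmi-gw user=admin src=203.0.113.7 result=OK
2014-02-10T03:20:00Z host=hmi-gw user=operator src=192.0.2.10 result=FAIL
2014-02-10T03:20:30Z host=hmi-gw user=operator src=192.0.2.10 result=OK
2014-02-10T04:00:01Z host=hmi-gw user=maint src=198.51.100.9 result=FAIL
2014-02-10T04:00:02Z host=hmi-gw user=vendor src=198.51.100.9 result=FAIL
2014-02-10T04:00:03Z host=hmi-gw user=root src=198.51.100.9 result=FAIL
2014-02-10T04:00:04Z host=hmi-gw user=guest src=198.51.100.9 result=FAIL
2014-02-10T04:00:05Z host=hmi-gw user=supervisor src=198.51.100.9 result=FAIL
2014-02-10T04:00:06Z host=hmi-gw user=operator src=198.51.100.9 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


class LockoutPolicy:
    """Lock an account or a source after max_failures failures within window."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5), lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lock-out expires

    @staticmethod
    def _keys(ev):
        # One counter per account, one per source address.
        return (("user", ev["user"]), ("src", ev["src"]))

    def _is_locked(self, key, now):
        until = self._locked_until.get(key)
        return until is not None and now < until

    def check(self, ev):
        """Return 'locked', 'allowed' or 'failed' for one authentication event."""
        now = ev["ts"]
        keys = self._keys(ev)
        if any(self._is_locked(k, now) for k in keys):
            return "locked"  # refused regardless of whether the password was right
        if ev["result"] == "OK":
            # A real login resets the account's counter. The source counter is
            # deliberately left alone: one valid login must not wipe out the
            # evidence of guesses against other accounts from the same address.
            self._failures[("user", ev["user"])].clear()
            return "allowed"
        decision = "failed"
        for k in keys:
            q = self._failures[k]
            q.append(now)
            while q and now - q[0] > self.window:  # drop failures outside the window
                q.popleft()
            if len(q) >= self.max_failures:
                self._locked_until[k] = now + self.lockout
                q.clear()
                decision = "locked"
        return decision


def evaluate_log(log_text, policy=None):
    """Replay a log through the policy; returns (user, src, decision) per parsed line."""
    policy = policy or LockoutPolicy()
    decisions = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        decisions.append((ev["user"], ev["src"], policy.check(ev)))
    return decisions


if __name__ == "__main__":
    for user, src, decision in evaluate_log(SAMPLE_LOG):
        print(f"{user:<11} {src:<14} {decision}")
```

In the sample, the fifth wrong guess against `admin` starts the lock-out, so the attacker's sixth attempt is refused even though the password was correct; the legitimate `operator` login after a single typo goes through; and the spread of single failures across six accounts from `198.51.100.9` locks that source without locking any of the accounts. Whatever the thresholds, the counters should live on a system the attacker cannot reach from the exposed login page, and lock-outs should be logged and alerted on, since the alert is the detection.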
Although the benefits of cybersecurity investment are hard to quantify -- if successful, nothing will happen -- the issue "is absolutely a board-level risk discussion today,” Byres said. “I do believe that DHS has information that would make your hair stand on end -- but we don’t hear it.”