Utility's Control System Was Hacked, Says Homeland Security
[May 21, 2014]
By Jim Finkle
BOSTON (Reuters) - A sophisticated hacking
group recently attacked a U.S. public utility and compromised its
control system network, but there was no evidence that the utility's
operations were affected, according to the Department of Homeland
DHS did not identify the utility in a report that was issued this
week by the agency's Industrial Control Systems Cyber Emergency
Response Team, or ICS-CERT.
"While unauthorized access was identified, ICS-CERT was able to work
with the affected entity to put in place mitigation strategies and
ensure the security of their control systems before there was any
impact to operations," a DHS official told Reuters on Tuesday.
Such cyber attacks are rarely disclosed by ICS-CERT, which typically
keeps details about its investigations secret to encourage
businesses to share information with the government. Companies are
often reluctant to go public about attacks to avoid potentially
ICS-CERT said in the report posted on its website that investigators
had determined the utility had likely been the victim of previous
intrusions. It did not elaborate.
The agency said the hackers may have launched the latest attack
through an Internet portal that enabled workers to access the
utility's control systems. It said the system used a simple password
mechanism that could be compromised using a technique known as
"brute forcing," where hackers digitally force their way in by
trying various password combinations.
Justin W. Clarke, an industrial control security consultant with
security firm Cylance Inc, said it is rare for such breaches to be
identified by utilities and even more rare for the government to
"In most cases, systems that are so antiquated to be susceptible to
such brute forcing technologies would not have the detailed logging
required to aid in an investigation like this," Clarke said.
DHS also reported another hacking incident involving a control
system server connected to "a mechanical device." The agency
provided few details about that case, except to say the attacker had
access over an extended period of time, though no attempts were made
to manipulate the system.
"Internet facing devices have become a serious concern over the past
few years," the agency said in the report.
Last year ICS-CERT responded to 256 cyber incident reports, more
than half of them in the energy sector. While that is nearly double
the agency's 2012 case load, there was not a single incident that
caused a major disruption.
Those incidents include hacking into systems through Internet
portals exposed over the Web, injecting malicious software through
thumb drives, and exploitation of software vulnerabilities.
(Reporting by Jim Finkle; Editing by Tiffany Wu)
Copyright 2014 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.