DHS revealed that the hack occurred through an ICS-CERT newsletter.

The Department of Homeland Security (DHS) alerted critical infrastructure operators to recent breaches within the sector – including the hack of a U.S. public utility that was vulnerable to brute-force attacks.

This week, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a subgroup of DHS, revealed information about the incidents in a newsletter (PDF).

According to ICS-CERT, industrial control systems were compromised in two new incidents: one involving the hack of an unnamed public utility, and another in which a control system server was remotely accessed by a “sophisticated threat actor.”

After investigating the public utility hack, ICS-CERT found that the system's authentication mechanism was susceptible to brute-force attacks – in which an attacker systematically tries lists of candidate passwords or character combinations until one grants access to the targeted system. The control system used a simple password mechanism, the newsletter revealed.

In addition, the security response team found that the public utility had experienced a previous intrusion.

“ICS-CERT provided analytical assistance [to the compromised utility], including host-based forensic analysis and a comprehensive review of available network logs,” the newsletter said. “It was determined that the systems were likely exposed to numerous security threats and previous intrusion activity was also identified.”

The response team later added that the incident “highlights the need to evaluate security controls employed at the perimeter and ensure that potential intrusion vectors (ex: remote access) are configured with appropriate security controls, monitoring, and detection capabilities.”
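The “monitoring, and detection capabilities” ICS-CERT recommends for remote-access paths start with something very basic: noticing a burst of failed logins from one source, and flagging it as urgent when a success follows the burst (the pattern a successful password-guessing attack leaves behind). The following is an added example, not code from the newsletter or from any ICS-CERT tooling; the log format, the user names and the addresses in `SAMPLE_LOG` are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the ICS-CERT newsletter).
# Assumed line format: "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2014-05-20T02:14:01 FAIL user=operator src=203.0.113.7
2014-05-20T02:14:03 FAIL user=operator src=203.0.113.7
2014-05-20T02:14:05 FAIL user=admin src=203.0.113.7
2014-05-20T02:14:07 FAIL user=operator src=203.0.113.7
2014-05-20T02:14:09 FAIL user=root src=203.0.113.7
2014-05-20T02:14:11 FAIL user=operator src=203.0.113.7
2014-05-20T02:14:13 OK user=operator src=203.0.113.7
2014-05-20T08:00:00 FAIL user=jsmith src=198.51.100.4
2014-05-20T08:00:30 OK user=jsmith src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def max_failures_in_window(fail_times, window):
    """Largest number of failures that fall inside any span of length `window`
    (sliding window over the sorted failure timestamps)."""
    best = start = 0
    for end, t in enumerate(fail_times):
        while t - fail_times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source that produced >= `threshold` failed logins
    within `window`. `success_after` is True when the same source later logged
    in successfully, which is the case that warrants immediate investigation."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, result, user))

    alerts = []
    for src, evs in sorted(by_src.items()):
        evs.sort()
        fails = [(ts, user) for ts, result, user in evs if result == "FAIL"]
        if not fails:
            continue
        peak = max_failures_in_window([ts for ts, _ in fails], window)
        if peak < threshold:
            continue
        last_fail = fails[-1][0]
        success_after = any(result == "OK" and ts >= last_fail for ts, result, _ in evs)
        alerts.append({
            "src": src,
            "failures": peak,
            "users": sorted({user for _, user in fails}),
            "success_after": success_after,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(parse_log(SAMPLE_LOG)):
        severity = "HIGH" if alert["success_after"] else "MEDIUM"
        print(f"[{severity}] {alert['src']}: {alert['failures']} failures in window, "
              f"users tried={alert['users']}, success after burst={alert['success_after']}")
```

The threshold and window are deliberately conservative defaults; on a control system whose remote-access path should see a handful of logins a day, even three failures in an hour can be worth a ticket. The key design point is the `success_after` flag: a burst of failures on its own is noise on an Internet-facing service, but a burst followed by a success from the same source is the signature of a guessed password and should be treated as a probable compromise until proven otherwise.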

The news of the utility hack comes almost a year after ICS-CERT warned companies that the energy sector had increasingly been targeted by brute-force attacks. Last summer, DHS said that hackers using some 50 IP addresses attempted to infiltrate the process control networks belonging to natural gas companies, primarily in the Midwest and Great Plains regions. In those instances, the attacks were not successful.