DHS revealed that the hack occurred through an ICS-CERT newsletter.

In the second breach, announced in ICS-CERT's recent newsletter, the response team detailed how an attacker remotely accessed an unprotected, internet-connected control system operating a mechanical device. Upon looking into the incident, ICS-CERT found concerning evidence that the intruder had access to the system “over an extended period of time.”

The attacker accessed the system through a supervisory control and data acquisition (SCADA) protocol when the system was mechanically disconnected from the device for scheduled maintenance, the newsletter said.

“The device was directly internet accessible and was not protected by a firewall or authentication access controls,” ICS-CERT revealed.

The team determined, however, that no attempts by the intruder had been made to “manipulate the system or inject unauthorized control actions.”

In Wednesday email correspondence to SCMagazine.com, Mike Ellis, CEO of ForgeRock, an identity relationship management (IRM) solutions provider, said that the utility company hack sheds light on challenges many organizations struggle with.

“The public utility network compromise example from the ICS-CERT report is just another shot across the bow for organizations supporting the U.S.'s critical infrastructure,” Ellis wrote. “By all accounts, what was implemented by this public utility would be considered failing from a best practices perspective. The unfortunate truth is that it's a technology, people and processes problem. More and more, we see that organizations are stretched to authenticate and authorize the voluminous number of identities connecting to the network, struggling to decipher between good and bad while security compromises continue to plague this sector,” he continued.

“Security should be elevated to a business-critical function as it has serious impact on the bottom line, reputation and customer trust, requiring C-level discussion. Organizations must also modernize, [as] legacy systems were simply not designed to handle the complexity and volume of Internet-based relationships and connections,” Ellis said.