
DHS: Control system of U.S. utility company hacked

The Department of Homeland Security (DHS) alerted critical infrastructure operators to recent breaches within the sector – including the hack of a U.S. public utility that was vulnerable to brute-force attacks.

This week, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a subgroup of DHS, revealed information about the incidents in a newsletter (PDF).

According to ICS-CERT, industrial control systems were compromised in two new incidents: one involving the hack of an unnamed public utility, and another in which a control system server was remotely accessed by a “sophisticated threat actor.”

After investigating the public utility hack, ICS-CERT found that the system's authentication mechanism was susceptible to brute-force attacks, in which an attacker systematically tries passwords from a list, or every combination of characters, until one is accepted. The control system used a simple password mechanism, the newsletter revealed.

In addition, the security response team found that the public utility had experienced a previous intrusion.

"ICS-CERT provided analytical assistance [to the compromised utility], including host-based forensic analysis and a comprehensive review of available network logs,” the newsletter said. “It was determined that the systems were likely exposed to numerous security threats and previous intrusion activity was also identified.”

The response team later added that the incident “highlights the need to evaluate security controls employed at the perimeter and ensure that potential intrusion vectors (ex: remote access) are configured with appropriate security controls, monitoring, and detection capabilities.”
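The two findings above, a password-only remote-access path and the call for monitoring and detection at that perimeter, come together in a detection that any operator can run against gateway authentication logs. The following is an added example, not code from ICS-CERT or the newsletter: a sliding-window detector that flags a source IP once it accumulates a threshold of failed logins inside a time window, and separately flags a successful login from a source that already has recent failures, the pattern that indicates the guessing worked. The syslog-style log format, the host name `ra-gw`, the usernames and the addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
"""Brute-force detection over remote-access authentication logs.

Added example, not from ICS-CERT or the newsletter. The log format, host
name, usernames and IP addresses below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical syslog-style remote-access gateway).
# 198.51.100.23 runs a password-guessing burst that ends in a success;
# 203.0.113.45 is an operator who mistypes once and then logs in.
SAMPLE_LOG = """\
2014-05-20T02:14:01Z ra-gw sshd[4123]: Failed password for operator from 198.51.100.23 port 51012
2014-05-20T02:14:03Z ra-gw sshd[4125]: Failed password for operator from 198.51.100.23 port 51013
2014-05-20T02:14:05Z ra-gw sshd[4127]: Failed password for admin from 198.51.100.23 port 51014
2014-05-20T02:14:08Z ra-gw sshd[4129]: Failed password for admin from 198.51.100.23 port 51015
2014-05-20T02:14:09Z ra-gw sshd[4130]: Failed password for hmi from 203.0.113.45 port 40211
2014-05-20T02:14:11Z ra-gw sshd[4131]: Accepted password for hmi from 203.0.113.45 port 40212
2014-05-20T02:14:12Z ra-gw sshd[4133]: Failed password for root from 198.51.100.23 port 51016
2014-05-20T02:14:15Z ra-gw sshd[4135]: Failed password for scada from 198.51.100.23 port 51017
2014-05-20T02:14:20Z ra-gw sshd[4137]: Accepted password for scada from 198.51.100.23 port 51018
"""

# Assumed line shape: "<iso-ts> <host> <proc>: Failed|Accepted password for <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse_line(line):
    """Return a dict for a recognised authentication line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_bruteforce(lines, threshold=5, success_after=3, window=timedelta(minutes=2)):
    """Sliding-window detector keyed by source IP.

    Emits one 'brute_force' alert per burst when an IP reaches `threshold`
    failures inside `window`, and a 'success_after_failures' alert when a
    login succeeds from an IP with at least `success_after` failures still
    inside the window. Lines are assumed to arrive in time order.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, username) failures in window
    alerted = set()              # ips already flagged for their current burst
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated log line; a real pipeline would count these too
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        while q and ts - q[0][0] > window:
            q.popleft()          # expire failures outside the window
        if not q:
            alerted.discard(ip)  # burst ended; a new burst may alert again
        if rec["result"] == "Failed":
            q.append((ts, rec["user"]))
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"type": "brute_force", "ip": ip, "at": ts,
                               "failures": len(q),
                               "users": sorted({u for _, u in q})})
        elif len(q) >= success_after:
            alerts.append({"type": "success_after_failures", "ip": ip, "at": ts,
                           "user": rec["user"], "failures": len(q)})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(a)
```

On the constructed sample this yields two alerts for 198.51.100.23 (a `brute_force` alert at the fifth failure, listing the usernames tried, and a `success_after_failures` alert when `scada` finally authenticates) and nothing for 203.0.113.45. The second alert type is the one worth paging on: a burst of failures is noise on any internet-facing host, but a success that follows one is the signal that a password-only control system has just been entered.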

The news of the utility hack comes almost a year after ICS-CERT warned companies that the energy sector had increasingly been targeted by brute-force attacks. Last summer, DHS said that hackers using some 50 IP addresses attempted to infiltrate the process control networks belonging to natural gas companies, primarily in the Midwest and Great Plains regions. In those instances, the attacks were not successful.

In the second breach, announced in ICS-CERT's recent newsletter, the response team detailed how an attacker remotely accessed an unprotected, internet-connected control system operating a mechanical device. Upon looking into the incident, ICS-CERT found concerning evidence that the intruder had access to the system “over an extended period of time.”

The attacker accessed the system through a supervisory control and data acquisition (SCADA) protocol, when the system was mechanically disconnected from the device for scheduled maintenance, the newsletter said.

“The device was directly internet accessible and was not protected by a firewall or authentication access controls,” ICS-CERT revealed.

The team determined, however, that no attempts by the intruder had been made to “manipulate the system or inject unauthorized control actions."

In email correspondence on Wednesday, Mike Ellis, CEO of ForgeRock, an identity relationship management (IRM) solutions provider, said that the utility company hack sheds light on challenges many organizations struggle with.

“The public utility network compromise example from the ICS-CERT report is just another shot across the bow for organizations supporting the U.S.'s critical infrastructure,” Ellis wrote. “By all accounts, what was implemented by this public utility would be considered failing from a best practices perspective. The unfortunate truth is that it's a technology, people and processes problem. More and more, we see that organizations are stretched to authenticate and authorize the voluminous number of identities connecting to the network, struggling to decipher between good and bad while security compromises continue to plague this sector,” he continued.

“Security should be elevated to a business-critical function as it has serious impact on the bottom line, reputation and customer trust, requiring C-level discussion. Organizations must also modernize, [as] legacy systems were simply not designed to handle the complexity and volume of Internet-based relationships and connections," Ellis said.
