In what the Department of Homeland Security calls a “sophisticated hack,” someone hit a public utility and compromised its control system network.
The DHS said that there was no evidence that the utility’s operations were affected, but the incident must put the fear of Jehovah into the many utilities that operate ancient computers.
The DHS did not identify the utility in a report that was issued this week by the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT.
ICS-CERT was able to work with the affected entity to put in place mitigation strategies and ensure the security of their control systems before there was any impact to operations, a DHS official said in a statement.
Normally such attacks are not disclosed by ICS-CERT, partly because companies are reluctant to go public about attacks to avoid potentially negative publicity. In fact, in this case ICS-CERT said that investigators had determined the utility had likely been the victim of previous intrusions. It did not go into more detail.
The hackers appear to have launched the latest attack through an Internet portal that enabled workers to access the utility’s control systems. The passwords were attacked with a “brute force” method.
Systems at US utilities are often so old that they are susceptible to such brute-forcing techniques and would not have the detailed logging required to aid in an investigation.
Last year ICS-CERT responded to 256 cyber incident reports, more than half of them in the energy sector. While that is nearly double the agency’s 2012 caseload, there was not a single incident that caused a major disruption.