Information Security Blog

Warnings of Smart Grid Threats in the Wake of Hurricane Sandy

These Energy IT Security links are part of a weekly series, Ethical Hacker Roundup, featuring the information security and cyber security related articles that we’ve read over and thought worth sharing from the past week.

These articles were emailed to us, shared on Twitter @pivotpointsec and our Google+ page, and read in RSS subscriptions this week.

Solar Power System Vulnerabilities Highlight Smart Grid Threats

The US Department of Homeland Security just issued an alert detailing cybersecurity vulnerabilities in a control system for solar electric systems, sold by the Italian systems integrator Sinapsi. While no hacks on live systems have been reported, according to the alert’s summary, “ICS-CERT is aware of a public report of multiple vulnerabilities with proof-of-concept (PoC) exploit code affecting the Sinapsi eSolar Light Photovoltaic System monitor, a supervisory control and data acquisition (SCADA) monitoring product.”

Researchers say the vulnerabilities are exploitable remotely by authenticating to the service using hard-coded credentials whose predefined passwords cannot be changed or removed. Hackers could then remotely connect to the server and execute malicious code. The researchers also found that management web pages in device firmware were vulnerable to SQL injection, allowing access without even the need for authentication.

This same server is used in a number of SCADA products for solar power systems from different manufacturers. Experts say the alert is a reminder of how important it is to incorporate a level of cybersecurity in alignment with emerging standards into today’s increasingly complex and interactive power grids.

Homeland Security Secretary Heightens Awareness of Smart Grid Cyberthreats

In a further illustration of the Obama Administration’s efforts to highlight US cybersecurity vulnerabilities, Homeland Security Secretary Janet Napolitano warned that a cyberattack on the electricity grid could produce the same sort of widespread power outages caused by Hurricane Sandy. “If you think a control-system attack that takes down a utility even for a few hours is not serious, just look at what is happening now that Mother Nature has taken out those utilities,” Napolitano said.

President Obama and other leaders have repeatedly emphasized the need to strengthen cyberdefenses across America’s critical infrastructure, especially utilities. The Senate is slated to work on new legislation next month, but insiders are skeptical that consensus can be achieved.

A potential executive order from the newly re-elected President could be more effective at moving cybersecurity reforms forward. However, Napolitano points out that “There are some things only legislation can provide.”

Are Wireless Meters A Household Security Threat?

Researchers at the University of South Carolina recently found that simple gear and a couple of online “tutorials” are all it takes to reverse-engineer transmissions and eavesdrop on the wireless signals broadcast by automated meter reading (AMR) units. Using this information, which is updated and rebroadcast every 30 seconds, burglars or others can determine from hundreds of yards away when electricity usage drops, indicating that no one is home.

About a third of utility meters in the US, more than 40 million, use this technology. The researchers said they found no security or privacy protections in the AMR systems they tested. With a laptop and an inexpensive antenna they were able to monitor hundreds of signals – telling them when people woke up, went to work and got home. Signals can be matched to individual homes or apartments because the transmitted packets of data contained an identification number that was stamped on the meter.

While concern is justifiably focused on new Smart Grid technology, this research illustrates that existing systems have vulnerabilities as well, and that network penetration testing and other due diligence are the best ways to reveal them before they are exploited.

Securing the Grid

Your Energy IT Security concerns can and should be addressed by an independent and objective Information Assurance firm. Pivot Point Security can enable your energy company to align its key initiatives with security best practices to ensure the integrity of the grid. See how we can help.


About the Author:

Marketing at Pivot Point Security
