These Energy IT Security links are part of a weekly series, Ethical Hacker Roundup, featuring the information security and cyber security related articles that we’ve read over and thought worth sharing from the past week.
The US Department of Homeland Security just issued an alert detailing cybersecurity vulnerabilities in a control system for solar electric systems, sold by the Italian systems integrator Sinapsi. While no hacks on live systems have been reported, according to the alert’s summary, “ICS-CERT is aware of a public report of multiple vulnerabilities with proof-of-concept (PoC) exploit code affecting the Sinapsi eSolar Light Photovoltaic System monitor, a supervisory control and data acquisition (SCADA) monitoring product.”
Researchers say the vulnerabilities are exploitable remotely by authenticating to the service using hard-coded credentials whose predefined passwords cannot be changed or removed. Hackers could then remotely connect to the server and execute malicious code. The researchers also found that management web pages in device firmware were vulnerable to SQL injection, allowing access without even the need for authentication.
This same server is used in a number of SCADA products for solar power systems from different manufacturers. Experts say the alert is a reminder of how important it is to build cybersecurity controls aligned with emerging standards into today’s increasingly complex and interactive power grids.
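The SQL injection finding above is the classic authentication-bypass pattern: when a management page concatenates the submitted credentials into its query, a crafted value rewrites the WHERE clause instead of being compared as data. The following constructed example (added here; not the Sinapsi product’s code, schema or table names) shows the defective login check beside its parameterized fix against an in-memory SQLite table.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a device's management-page user store.

    The table and the single 'operator' row are invented for this example.
    A real store would hold salted password hashes, not plaintext passwords.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.execute("INSERT INTO users VALUES ('operator', 'a-real-secret')")
    return db


def login_vulnerable(db, name, pw):
    """Defect: user input is spliced into the SQL text.

    A password containing a quote and an OR clause makes the WHERE condition
    true for every row, so the check passes without valid credentials. This is
    the same class of bug the advisory describes for the firmware's web pages.
    """
    q = f"SELECT 1 FROM users WHERE name='{name}' AND pw='{pw}'"
    return db.execute(q).fetchone() is not None


def login_fixed(db, name, pw):
    """Fix: bind the values as parameters.

    The driver sends the SQL text and the values separately, so the submitted
    strings can only ever be compared against the columns, never parsed as SQL.
    """
    q = "SELECT 1 FROM users WHERE name=? AND pw=?"
    return db.execute(q, (name, pw)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed bypass value for the demonstration
    print("vulnerable, bad creds:", login_vulnerable(db, "nobody", crafted))
    print("fixed, bad creds:     ", login_fixed(db, "nobody", crafted))
    print("fixed, good creds:    ", login_fixed(db, "operator", "a-real-secret"))
```

The vulnerable version admits the crafted value because the effective condition becomes `(name='nobody' AND pw='x') OR '1'='1'`; the parameterized version rejects it and still accepts the real credentials.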
In a further illustration of the Obama Administration’s efforts to highlight US cybersecurity vulnerabilities, Homeland Security Secretary Janet Napolitano warned that a cyberattack on the electricity grid could produce the same sort of widespread power outages caused by Hurricane Sandy. “If you think a control-system attack that takes down a utility even for a few hours is not serious, just look at what is happening now that Mother Nature has taken out those utilities,” Napolitano said.
President Obama and other leaders have repeatedly emphasized the need to strengthen cyberdefenses across America’s critical infrastructure, especially utilities. The Senate is slated to work on new legislation next month, but insiders are skeptical that consensus can be achieved.
A potential executive order from the newly re-elected President could be more effective at moving cybersecurity reforms forward. However, Napolitano points out that “There are some things only legislation can provide.”
Researchers at the University of South Carolina recently found that simple gear and a couple of online “tutorials” are all it takes to reverse-engineer transmissions and eavesdrop on the wireless signals broadcast by automated meter reading (AMR) units. Using this information, which is updated and rebroadcast every 30 seconds, burglars or others can determine from hundreds of yards away when electricity usage drops, indicating that no one is home.
About a third of utility meters in the US, more than 40 million, use this technology. The researchers said they found no security or privacy protections in the AMR systems they tested. With a laptop and an inexpensive antenna they were able to monitor hundreds of signals – telling them when people woke up, went to work and got home. Signals can be matched to individual homes or apartments because the transmitted packets of data contained an identification number that was stamped on the meter.
While concern is justifiably focused on new Smart Grid technology, this research illustrates that vulnerabilities exist in existing systems as well, and network penetration testing and other due diligence are the best ways to reveal them in advance of being hacked.
Securing the Grid
Your Energy IT Security concerns can and should be addressed by an independent and objective Information Assurance firm. Pivot Point Security can enable your energy company to align its key initiatives with security best practices to ensure the integrity of the grid. See how we can help.