These Energy IT Security links are part of a weekly series, Ethical Hacker Roundup, featuring the information security and cyber security related articles that we’ve read over and thought worth sharing from the past week.
During the five-month period from October 2011 to February 2012 there were 86 reported attacks on IT systems in the US that control critical infrastructure, according to the Department of Homeland Security – that’s up from 11 for the same period a year ago.
While none of the attacks succeeded in causing major damage, they reflect a tsunami of hacking attacks on all kinds of networks recently. Homeland Security has recorded over 50,000 incidents in the past six months, leading to increased awareness of hacking as a threat to national security.
Lawmakers are now looking to give the federal government greater authority to regulate the security used by organizations that manage America’s vital infrastructure – including proposed enforcement of minimum standards on key companies. Any such standards would likely be based on the NIST or ISO 27002 standards. Assessing current security measures will help ensure your organization is ready to address any new mandate.
Despite escalating concern about cyberattacks on the power grid, utilities continue to trail other industries in security preparedness, according to a newly published study by Carnegie Mellon University and RSA on how executive and board level management are addressing security risks. The report pegs utilities as among the least-prepared sectors with respect to risk management and executive knowledge of IT issues.
The study further highlights that, while some utilities are more advanced in their IT security than others, many are more well informed about physical outage risks than they are about cybersecurity risk management. Others remain challenged to cost-justify IT security, when budgets are stretched to deal with pressing issues around maintaining aging physical infrastructure.
Whatever a utility’s financial and management situation, prevention is far cheaper than remediation when it comes to being hacked. A holistic evaluation that addresses compliance, vendor management and IT security risk is the most cost-effective place to start.
The Christian Science Monitor just reported that a cyber security researcher found a gaping back-door security vulnerability in “hardened” industrial networking equipment used by US power grids (as well as transportation networks, major defense contractors and the Pentagon) – and it took him a year to get the manufacturer’s attention.
If exploited, the glitch could allow hackers to take undetected, full-on control of elements of whatever infrastructure used the equipment. In the course of testing the gear, the researcher found only an easily hacked password protecting the system’s back door. He reported the problem to the cyberwatchdog US-CERT (United States Computer Emergency Readiness Team) after seeing no meaningful action by the manufacturer (RuggedCom) almost a year after he first notified them.
This story underscores the good-practice guidance to change all default passwords, as well as the value of regular security assessments to proactively identify vulnerabilities before the hackers do.
Securing the Grid
Your Energy IT Security concerns can and should be addressed by an independent and objective Information Assurance firm. Pivot Point Security can help your Energy Company align its key initiatives with security best practices to ensure the integrity of the grid. See how we can help.