Information Security Blog

US Department of Energy Hacked as Obama Signs Cybersecurity Order



These Energy IT Security links are part of a weekly series, Ethical Hacker Roundup, featuring the information security and cyber security related articles that we’ve read over and thought worth sharing from the past week.

These articles were emailed to us, shared on Twitter @pivotpointsec and our Google+ page, and read in RSS subscriptions this week.

US Department of Energy Hacked

The US Department of Energy has become the latest federal agency to fall victim to cybercrime. Hackers infiltrated 14 servers and 20 workstations at the DOE’s Washington headquarters and made off with the personally identifiable information of several hundred employees and contractors. Official reports stated that no classified data was compromised. However, the stolen data could be used to support further cyber espionage.

Chinese hackers are among “the usual suspects” because of their history of attempts to steal classified energy data and technology, and also because of the sophistication of the hack. The DOE’s National Nuclear Security Administration is responsible for the US nuclear weapons program, which Chinese espionage has compromised multiple times. A hacker group calling itself Parastoo claimed responsibility for the attack, but their claim has been deemed spurious.

According to reports in The Washington Free Beacon and other sources, insiders call the DOE “negligent” about security despite managing “the most sophisticated military and intelligence technology the country owns.” The FBI and others are investigating the advanced penetration attack, which may have set the stage for future attacks to gain access to sensitive information. Understanding and addressing risk, rather than simply remediating known security gaps, is the key to reducing the likelihood of further successful attacks.

President Obama Signs Cybersecurity Executive Order

In his State of the Union Address, President Obama called out the growing intensity and looming threat of cyberattacks on America’s utilities and other critical infrastructure, stating “…our enemies are also seeking the ability to sabotage our power grid…” As a long-anticipated step towards strengthening the country’s energy IT security, President Obama also issued a cybersecurity executive order earlier on the day of his speech.

It is hoped that the executive order will strengthen cybersecurity defenses by increasing information sharing between government and industry, and by accelerating the development of standards for IT security across critical infrastructure.

But while the executive order is a positive step, Congress must likewise pass comprehensive legislation that can “… give our government a greater capacity to secure our networks and deter attacks.” While the specific steps involved in this process have yet to be clarified, utilities can act now to develop coherent policies and procedures to mitigate and manage risk to information assets.

Hacker Shows How Smart Grid Communications Can Be Infiltrated

Wearing a fake beard and sunglasses, a hacker calling himself Atlas illustrated at a recent computer security conference how to intercept radio communications between smart grid vendor Silver Spring Networks and its clients, which include some of the largest utilities in the US.

The systems involved connect electric meters across a digital grid. Atlas figured out how to intercept their signals by examining publicly available patents and user manuals. Understanding how these systems communicate is a first step towards hacking them, which could ultimately lead to a power failure or equipment malfunction.

Securing the Grid

Your Energy IT Security concerns can and should be addressed by an independent and objective Information Assurance firm. Pivot Point Security can enable your energy company to align its key initiatives with security best practices to ensure the integrity of the grid. See how we can help.


About the Author:

Marketing at Pivot Point Security
