These Energy IT Security links are part of a weekly series, Ethical Hacker Roundup, featuring the information security and cyber security related articles that we’ve read over and thought worth sharing from the past week.
The US Department of Energy has become the latest federal agency to fall victim to cybercrime. Hackers infiltrated 14 servers and 20 workstations at the DOE’s Washington headquarters and made off with the personally identifiable information of several hundred employees and contractors. Official reports stated that no classified data was compromised. However, the stolen data could be used to support further cyber espionage.
Chinese hackers are among “the usual suspects” because of their history of attempts to steal classified energy data and technology, and also because of the sophistication of the hack. The DOE’s National Nuclear Security Administration is responsible for the US nuclear weapons program, which Chinese espionage has compromised multiple times. A hacker group calling itself Parastoo claimed responsibility for the attack, but their claim has been deemed spurious.
According to reports in The Washington Free Beacon and other sources, insiders call the DOE “negligent” about security despite managing “the most sophisticated military and intelligence technology the country owns.” The FBI and others are investigating the advanced penetration attack, which may have set the stage for future attacks to gain access to sensitive information. Understanding and addressing risk, rather than simply remediating known security gaps, is the key to reducing the likelihood of further successful attacks.
In his State of the Union Address, President Obama called out the growing intensity and looming threat of cyberattacks on America’s utilities and other critical infrastructure, stating “…our enemies are also seeking the ability to sabotage our power grid…” As a long-anticipated step towards strengthening the country’s energy IT security, President Obama also issued a cybersecurity executive order earlier on the day of his speech.
It is hoped that the executive order will strengthen cybersecurity defenses by increasing information sharing between government and industry, and by accelerating the development of standards for IT security across critical infrastructure.
But while the executive order is a positive step, Congress must likewise pass comprehensive legislation that can “… give our government a greater capacity to secure our networks and deter attacks.” While the specific steps involved in this process have yet to be clarified, utilities can act now to develop coherent policies and procedures to mitigate and manage risk to information assets.
Wearing a fake beard and sunglasses, a hacker calling himself Atlas illustrated at a recent computer security conference how to intercept radio communications between smart grid vendor Silver Spring Networks and its clients, which include some the largest utilities in the US.
The systems involved connect electric meters across a digital grid. Atlas figured out how to intercept their signals by examining publically available patents and user manuals. Understanding how these systems communicate is a first step towards hacking them, potentially leading ultimately to a power failure or equipment malfunction.
Securing the Grid
Your Energy IT Security concerns can and should be addressed by an independent and objective Information Assurance firm. Pivot Point Security can enable your energy company to align its key initiatives with security best practices to ensure the integrity of the grid. See how we can help.