
US Department of Energy Hacked as Obama Signs Cybersecurity Order

These Energy IT Security links are part of a weekly series, Ethical Hacker Roundup, featuring the information security and cyber security articles from the past week that we’ve read and thought worth sharing.

These articles were emailed to us, shared on Twitter @pivotpointsec and our Google+ page, and read in RSS subscriptions this week.

US Department of Energy Hacked

The US Department of Energy has become the latest federal agency to fall victim to cybercrime. Hackers infiltrated 14 servers and 20 workstations at the DOE’s Washington headquarters and made off with the personally identifiable information of several hundred employees and contractors. Official reports stated that no classified data was compromised. However, the stolen data could be used to support further cyber espionage.

Chinese hackers are among “the usual suspects” because of their history of attempts to steal classified energy data and technology, and also because of the sophistication of the hack. The DOE’s National Nuclear Security Administration is responsible for the US nuclear weapons program, which Chinese espionage has compromised multiple times. A hacker group calling itself Parastoo claimed responsibility for the attack, but their claim has been deemed spurious.

According to reports in The Washington Free Beacon and other sources, insiders call the DOE “negligent” about security despite managing “the most sophisticated military and intelligence technology the country owns.” The FBI and others are investigating the advanced penetration attack, which may have set the stage for future attacks to gain access to sensitive information. Understanding and addressing risk, rather than simply remediating known security gaps, is the key to reducing the likelihood of further successful attacks.

President Obama Signs Cybersecurity Executive Order

In his State of the Union Address, President Obama called out the growing intensity and looming threat of cyberattacks on America’s utilities and other critical infrastructure, stating “…our enemies are also seeking the ability to sabotage our power grid…” As a long-anticipated step towards strengthening the country’s energy IT security, President Obama also issued a cybersecurity executive order earlier on the day of his speech.

It is hoped that the executive order will strengthen cybersecurity defenses by increasing information sharing between government and industry, and by accelerating the development of standards for IT security across critical infrastructure.

But while the executive order is a positive step, Congress must likewise pass comprehensive legislation that can “… give our government a greater capacity to secure our networks and deter attacks.” While the specific steps involved in this process have yet to be clarified, utilities can act now to develop coherent policies and procedures to mitigate and manage risk to information assets.

Hacker Shows How Smart Grid Communications Can Be Infiltrated

Wearing a fake beard and sunglasses, a hacker calling himself Atlas illustrated at a recent computer security conference how to intercept radio communications between smart grid vendor Silver Spring Networks and its clients, which include some of the largest utilities in the US.

The systems involved connect electric meters across a digital grid. Atlas figured out how to intercept their signals by examining publicly available patents and user manuals. Understanding how these systems communicate is a first step towards hacking them, potentially leading to a power failure or equipment malfunction.

Securing the Grid

Your Energy IT Security concerns can and should be addressed by an independent and objective Information Assurance firm. Pivot Point Security can enable your energy company to align its key initiatives with security best practices to ensure the integrity of the grid. See how we can help.

About the Author:

Marketing at Pivot Point Security
