Skip to main content

US utility company’s control system was hacked by brute force attack

It has emerged that a public utility over in the US had its control system breached by hackers via its Internet portal, according to the Department of Homeland Security.

This fact was highlighted in a report issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), and while the breach was made, it wasn't actually used to negatively impact on the utility in question's service (the utility company was not named, incidentally).

Reuters spoke to a Homeland Security official, who said: "While unauthorised access was identified, ICS-CERT was able to work with the affected entity to put in place mitigation strategies and ensure the security of their control systems before there was any impact to operations."

It's thought that the comprise occurred via the company's web portal, which allows employees remote access, but in this case was brute-forced by the hackers (an attack in which combinations of passwords are repeatedly tried until the right one is eventually hit). The utility had also been subject to previous intrusions, worryingly – obviously there's a great deal of potential damage a malicious intruder could do with access and control over power infrastructure, for example.

It's not usual practice for Homeland Security to discuss breaches in this way, but evidently it felt that this was something that needed to be highlighted, to make other firms think about security and Internet-facing devices.

The report began with the following statement: "Is your control system accessible directly from the Internet? Do you use remote access features to log into your control system network? Are you unsure of the security measures that protect your remote access services? If your answer was yes to any or all these questions, you are at increased risk of cyber-attacks including scanning, probes, brute force attempts and unauthorised access to your control environment."

A further incident was also mentioned, whereby hackers gained access to a control system which pertained to some manner of unspecified machine.