In an incredibly ironic piece of news, Telvent, the company behind a control system designed to be used in concert with the so-called “smart grid,” recently announced that their network had been breached by hackers who “accessed project files related to a control system used in portions of the electrical grid,” according to Threat Level.
The smart grid system, which companies like Telvent (which is owned by Schneider Electric) are involved in, is currently being pushed by corporate-sponsored studies as well as major legislative efforts.
In a letter written to their customers, Telvent revealed that they realized their network had been breached on September 10, 2012.
The network wasn’t only breached; the hackers also were able to install malicious software on the company’s network.
According to KrebsOnSecurity, which first reported the breach and implicated Chinese hackers in the attack, the attacker(s) were able to steal “project files related to one of its core offerings — OASyS SCADA [Supervisory Control and Data Acquisition] — a product that helps energy firms mesh older IT assets with more advanced ‘smart grid’ technologies.”
KrebsOnSecurity stated that Telvent is still investigating the attack but, as a precautionary move, has disconnected the data links between the affected parts of its network and its clients.
“In order to be able to continue to provide remote support services to our customers in a secure manner, we have established new procedures to be followed until such time as we are sure that there are not further intrusions into the Telvent network and that all virus or malware files have been eliminated,” stated the company in their letter to customers obtained by KrebsOnSecurity.
“Although we do not have any reason to believe that the intruder(s) acquired any information that would enable them to gain access to a customer system or that any of the compromised computers have been connected to a customer system, as a further precautionary measure, we indefinitely terminated any customer system access by Telvent,” the letter added.
Telvent’s OASyS DNA system is supposed to integrate the corporate network of a utility company with the networks of control systems that manage the actual distribution of electricity. Such a breach is no minor issue, especially since this is the type of technology legislators and corporations are pushing towards.
Telvent claims that their system is “the hub of a real-time telemetry and control network for the utility grid,” and they claim the system “plays a central role in Smart Grid self-healing network architecture and improves overall grid safety and security.”
One must wonder if they will continue to claim it “improves overall grid safety and security” after such a major breach.
This is also quite serious because Telvent’s OASyS DNA system is used in oil and gas pipeline systems in North America, along with some water system networks, according to Dale Peterson, the founder and CEO of Digital Bond, a security firm specializing in securing industrial control systems.
“The breach raises concerns that hackers could embed malware in project files to infect the machines of program developers or other key people involved in a project,” explains Threat Level.
This fact is quite noteworthy because we now know that the now-infamous Stuxnet spread itself by infecting project files in an industrial control system made by Siemens.
According to Peterson, this method is quite a powerful way to infect the systems of customers since the project files are passed from vendor to customer with full rights to modify anything and everything in the customer’s system through those project files.
In addition, an attacker could leverage the infected project files to gain insight into the operations of a target. This could enable them to identify vulnerabilities so they can design more devastating attacks on critical infrastructure systems in the future.
“We are aware of a security breach of our corporate network that has affected some customer files,” said Telvent spokesman Martin Hannah in a telephone call with Wired.
“We’re working directly with our customers, and they are taking recommended actions with the support of our Telvent teams,” said Hannah. “And Telvent is actively working with law enforcement, with security specialists and with customers to ensure that this breach has been contained.”
However, Hannah would not say whether hackers had actually downloaded project files or altered them in any way.
This is hardly surprising since Patrick Miller, the president and CEO of EnergySec, a non-profit group focused on improving the security of energy companies, pointed out that project files reveal highly sensitive information about a specific customer’s network and operations.
“Almost all of them will give you some details about the architecture and, depending on the nature of the project, it may go deeper,” Miller said to Threat Level.
To make matters even worse, project files can enable hackers to identify the key players in a given project and thus conduct additional highly-targeted attacks in the future.
Miller also stated that project files could be manipulated in order to sabotage entire systems.
“If you’re going to do a sophisticated attack, you get the project file and study it and decide how you want to modify the pieces of the operation,” said Peterson. “Then you modify the project file and load it, and they’re not running what they think they’re running.”
Peterson said that companies with good security should have a system already in place to log access to project files and track changes made to project files but most companies simply don’t.
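As an added illustration of the change-tracking control Peterson describes (example code written for this article, not Telvent’s or Digital Bond’s), the script below baselines the hashes of every file in a project directory and later reports anything modified, added or removed. The project directory, file names and contents are constructed for the demo; in practice the baseline manifest would be stored and signed out-of-band so an attacker who alters the files cannot also alter the record.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large project files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(project_dir: str) -> dict:
    """Map each file (relative path) under project_dir to its hash: the baseline."""
    root = Path(project_dir)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(project_dir: str, manifest: dict) -> dict:
    """Compare the current tree against the baseline and report every deviation."""
    current = build_manifest(project_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "removed": sorted(k for k in manifest if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a two-file project, then change, add and delete files."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "points.cfg").write_text("PUMP1_SETPOINT=55\n")      # constructed sample
        (root / "logic.txt").write_text("IF level > 80 THEN close_valve\n")
        baseline = build_manifest(d)
        # Unexpected changes after hand-over, the case the control is meant to catch.
        (root / "points.cfg").write_text("PUMP1_SETPOINT=95\n")
        (root / "extra.bin").write_bytes(b"\x00constructed-sample\x00")
        (root / "logic.txt").unlink()
        return verify_manifest(d, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

A real deployment would run the verification on every load of a project file into an engineering workstation or controller and alert on any non-empty result.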
Interestingly, a mere two days after Telvent discovered the hack, they announced a newly formed partnership with U.S.-based computer security firm Industrial Defender.
The partnership is reportedly aimed at integrating Industrial Defender’s Automated Systems Manager (ASM) with their own system in order to “expand its cybersecurity capabilities” for critical infrastructure. Honestly, it would be hard to make this whole situation more ironic if you tried.
Unsurprisingly, Industrial Defender did not respond to any of the questions posed about the breach at Telvent or the odd timing of their partnership announcement.
According to Miller, copycat hackers will likely now recognize the potential value of targeting industrial control system vendors and thus increase their focus on other vendors in the future if they’re not already doing so.
“If I were a vendor and knew this had happened to Telvent, I should be concerned, ‘Am I next?’” asked Miller.
It will be interesting to see how the dialogue around smart grids continues now that we have a clear case showing just how dangerous and vulnerable a centralized smart grid would be.
UPDATE: A reader kindly forwarded me a joint statement from Telvent and Industrial Defender. Read it below.
“As recently announced, Telvent has partnered with Industrial Defender as a technology and services partner committed to enhancing the security of a broad range of Telvent solutions. Industrial Defender was in no way involved in the recent breach Telvent has announced as its technology was not deployed on Telvent’s corporate network where the breach occurred. There is also no relationship between this breach and the partnership announcement, which has been in the works for over 12 months. In addition to law enforcement and other security specialists, Telvent recognizes the security knowledge and experience possessed by Industrial Defender and will be engaging their support as required while this incident is addressed. Telvent looks forward to Industrial Defender solutions being available to its customers, supporting the already robust security of Telvent’s products.”