{"id":2275,"date":"2012-09-27T07:18:55","date_gmt":"2012-09-27T01:48:55","guid":{"rendered":"https:\/\/www.qadit.com\/blog\/?p=2275"},"modified":"2012-10-06T12:04:23","modified_gmt":"2012-10-06T06:34:23","slug":"maker-of-smart-grid-control-software-hacked","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/maker-of-smart-grid-control-software-hacked\/","title":{"rendered":"Maker of Smart-Grid Control Software Hacked"},"content":{"rendered":"<p>The maker of an industrial control system designed to be used with so-called smart grid networks disclosed to customers last week that hackers had breached its network and accessed project files related to a control system used in portions of the electrical grid.<\/p>\n<p>Telvent, which is owned by Schneider Electric, told customers in a letter that on Sept. 10 it learned of the breach into its network. The attackers installed malicious software on the network and also accessed project files for its OASyS SCADA system, according to KrebsOnSecurity, which first reported the breach.<\/p>\n<p>According to Telvent, its\u00a0OASyS DNA system\u00a0is designed to integrate a utility\u2019s corporate network with the network of control systems that manage the distribution of electricity and to allow legacy systems and applications to communicate with new smart grid technologies.<\/p>\n<p>Telvent calls OASyS \u201cthe hub of a real-time telemetry and control network for the utility grid,\u201d and says on its website that the system \u201cplays a central role in Smart Grid self-healing network architecture and improves overall grid safety and security.\u201d<\/p>\n<p>But according to Dale Peterson, founder and CEO of Digital Bond, a security firm that specializes in industrial control system security, the OASyS DNA system is also heavily used in oil and gas pipeline systems in North America, as well as in some water system networks.<\/p>\n<p>The breach raises concerns that hackers could embed malware in project files 
to infect the machines of program developers or other key people involved in a project. One of the ways that Stuxnet \u2014 the worm that was designed to target Iran\u2019s uranium enrichment program \u2014 spread was to infect project files in an industrial control system made by Siemens, with the aim of passing the malware to the computers of developers.<\/p>\n<p>Peterson says this would also be a good way to infect customers, since vendors pass project files to customers and have full rights to modify anything in a customer\u2019s system through the project files.<\/p>\n<p>An attacker could also use the project files to study a customer\u2019s operations for vulnerabilities in order to design further attacks on critical infrastructure systems. Or they could use Telvent\u2019s remote access into customer networks to infiltrate customer control systems.<\/p>\n<p>To prevent the latter from occurring, Telvent said in a second letter mailed to customers this week that it had temporarily disconnected its remote access to customer systems, which it uses to provide customer support, while it investigates the breach further.<\/p>\n<p>\u201cAlthough we do not have any reason to believe that the intruder(s) acquired any information that would enable them to gain access to a customer system or that any of the compromised computers have been connected to a customer system, as a further precautionary measure, we indefinitely terminated any customer system access by Telvent,\u201d the company said in the letter, obtained by KrebsOnSecurity.<\/p>\n<p>The company said it had established \u201cnew procedures to be followed until such time as we are sure that there are not further intrusions into the Telvent network and that all virus or malware files have been eliminated.\u201d<\/p>\n<p>A hack via a vendor\u2019s remote access to a customer\u2019s network is one of the primary ways that attackers get into systems. 
Often, intrusions occur because the vendor has placed a hardcoded password into its software that gives them access to customer systems through a backdoor \u2014 such passwords can be deciphered by attackers who examine the software. Attackers have also hacked customer systems by first breaching a vendor\u2019s network and using its direct remote access to breach customers.<\/p>\n<p>A Telvent spokesman confirmed the breach of its own network to Wired on Tuesday.<\/p>\n<p>\u201cWe are aware of a security breach of our corporate network that has affected some customer files,\u201d spokesman Martin Hannah told Wired in a phone call. \u201cWe\u2019re working directly with our customers, and they are taking recommended actions with the support of our Telvent teams. And Telvent is actively working with law enforcement, with security specialists and with customers to ensure that this breach has been contained.\u201d<\/p>\n<p>Hannah wouldn\u2019t say whether attackers had downloaded the project files or altered them.<\/p>\n<p>Project files contain a wealth of customized information about a specific customer\u2019s network and operations, says Patrick Miller, president and CEO of EnergySec, a nonprofit consortium that works with energy companies to improve security.<\/p>\n<p>\u201cAlmost all of them will give you some details about the architecture and, depending on the nature of the project, it may go deeper,\u201d he says. Project files can also identify key players in a project, in order to allow hackers to conduct additional targeted attacks, he said.<\/p>\n<p>Additionally, project files could be altered to sabotage systems, he says. 
Some project files contain the \u201crecipe\u201d for the operations of a customer, describing calculations and frequencies at which systems run or when they should be turned on or off.<\/p>\n<p>\u201cIf you\u2019re going to do a sophisticated attack, you get the project file and study it and decide how you want to modify the pieces of the operation,\u201d Peterson says. \u201cThen you modify the project file and load it, and they\u2019re not running what they think they\u2019re running.\u201d<\/p>\n<p>A vendor with good security would have a system in place to log who accesses project files and track any changes made to them. But, Peterson noted, companies don\u2019t always do what they should with regard to security.<\/p>\n<p>Two days after Telvent says it discovered the breach in its network, the company announced a new partnership with Industrial Defender, a U.S.-based computer security firm, to integrate that company\u2019s Automation Systems Manager with its own system to \u201cexpand its cybersecurity capabilities\u201d for critical infrastructure.<\/p>\n<p>The ASM system, Telvent said, would give critical infrastructure operators \u201cthe ability to determine changes to the system, who made them and why\u201d as well as detect new devices when they\u2019re connected to the network, \u201callowing for faster decision-making as to whether a change is planned or potentially malicious.\u201d<\/p>\n<p>Industrial Defender did not respond to questions about the Telvent breach or the timing of its partnership with the company.<\/p>\n<p>Miller said he expects that copycat attackers will now recognize the value of attacking industrial control system vendors and begin to attack other vendors after this, if they haven\u2019t already done so.<\/p>\n<p>\u201cIf I were a vendor and knew this had happened to Telvent, I should be concerned, \u2018Am I next?\u2019\u201d<\/p>\n<hr>\n<p>Original article at <a 
href=\"https:\/\/www.wired.com\/threatlevel\/2012\/09\/scada-vendor-telvent-hacked\/\">Wired<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The maker of an industrial control system designed to be used with so-called smart grid networks disclosed to customers last week that hackers had breached its network and accessed project files related to a control system used in portions of the electrical grid. Telvent, which is owned by Schneider Electric, told customers in a letter &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/qadit.com\/blog\/maker-of-smart-grid-control-software-hacked\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Maker of Smart-Grid Control Software Hacked&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[12],"tags":[278,279],"class_list":["post-2275","post","type-post","status-publish","format-standard","hentry","category-itsec","tag-maker-of-smart-grid-control-software-hacked","tag-threat-level"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-AH","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/2275","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/bl
og\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=2275"}],"version-history":[{"count":0,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/2275\/revisions"}],"wp:attachment":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/media?parent=2275"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=2275"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=2275"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}