
The U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, otherwise known as ICS-CERT, recently released a security bulletin that detailed a vulnerability contained in technology used to control the systems used by power plants. If the vulnerability were exploited, cybercriminals could gain control of such facilities, effectively crippling the national infrastructure.
According to ICS-CERT, the vulnerability is contained in an Ethernet add-on for the Schneider Electric Quantum programmable logic controller (PLC). The organization's alert stated that the Schneider Electric Quantum Ethernet Module contains numerous hardcoded credentials that could allow a hacker to bypass the system's authentication mechanism and access its functions.
"On December 12, 2011, independent security researcher Rubén Santamarta publicly announced details of multiple vulnerabilities affecting the Schneider Electric Quantum Ethernet Module," the bulletin from ICS-CERT stated. "ICS-CERT is coordinating mitigations with Mr. Santamarta and Schneider Electric."
This news is significant given the recent attention paid to data security issues and cyberattacks against the utility infrastructure. In November, it was reported that a hack of a Supervisory Control And Data Acquisition (SCADA) solutions provider had breached usernames and passwords that could be used to access the systems at various facilities.
However, DHS and FBI officials then announced they had no evidence that the event was connected to issues faced by the Curran-Gardner Public Water District in Springfield, Illinois.
"In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported," the DHS said in a statement. "Analysis of the incident is ongoing and additional relevant information will be released as it becomes available."
But fuel was added to the fire earlier this month following remarks made by FBI deputy assistant director Michael Welch, who is involved with the law enforcement agency's cyber division, according to a report from the BBC. At the Flemings Cyber Security conference, Welch said that hackers had infiltrated the utility infrastructures of three U.S. cities.
"Essentially it was an ego trip for the hacker because he had control of that city's system and he could dump raw sewage into the lake, he could shut down the power plant at the mall – a wide array of things," Welch said, according to the BBC.
In an interview with InformationWeek, Santamarta said he actually informed ICS-CERT about the vulnerability long before it came out with the security bulletin. However, he did praise the organization and Schneider Electric for taking the issue seriously and working to resolve the vulnerability.
The country's continued march forward with the implementation of a smart grid has also added to data security concerns surrounding utilities. Given the connected nature of smart meters and the grid itself, there is an overriding fear that a hacker will be able to breach the system and essentially shut off the electricity supply to the country.
CIO Update included smart grid security on its recent list of the top 13 data security trends for 2012. According to the report, the standards for smart grid security developed by public utility organizations and the National Institute of Standards will continue to evolve.
"The government will increasingly require utilities to demonstrate that their smart grid and advanced metering infrastructure solutions protect not only the privacy of consumers and consumer usage data but also the security of the AMI infrastructure," the CIO Update report said.
Eventually, the report said, a federal mandate will become the law of the land on the issue and eliminate the need for individual state legislation.