The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) advised in its quarterly report that an unnamed public utility was compromised after attackers took advantage of a weak password security system by using brute force techniques by trying on various passwords until they hit the right one.
This may come as no surprise to some as the vulnerability of the U.S. power grid to electronic attack has been known since the 1990’s. Factors contributing to this increasing danger include the shift from mainframe-based computer control systems to distributed systems using open protocols and standards, pressures within the industry to automate and cut costs, regulations that require that utilities provide open access to transmission system information, and increasing incidents of terrorism.
It’s been reported that the government rarely discloses breaches of public utilities and that they can rarely even identify the breach.
Despite these vulnerabilities, public utilities are lagging in adopting the practices and technologies of established IT companies. Unfortunately, the market itself, while presently rushing to implement best security practices, is unlikely to affect public utilities until legislation occurs.