Maker of Smart-Grid Control Software Hacked

Photo: Matti.Frisk / Flickr

The maker of an industrial control system designed to be used with so-called smart grid networks disclosed to customers last week that hackers had breached its network and accessed project files related to a control system used in portions of the electrical grid.

Telvent, which is owned by Schneider Electric, told customers in a letter that on Sept. 10 it learned of the breach into its network. The attackers installed malicious software on the network and also accessed project files for its OASyS SCADA system, according to KrebsOnSecurity, which first reported the breach.

According to Telvent, its OASyS DNA system is designed to integrate a utility’s corporate network with the network of control systems that manage the distribution of electricity and to allow legacy systems and applications to communicate with new smart grid technologies.

Telvent calls OASyS “the hub of a real-time telemetry and control network for the utility grid,” and says on its website that the system “plays a central role in Smart Grid self-healing network architecture and improves overall grid safety and security.”

But according to Dale Peterson, founder and CEO of Digital Bond, a security firm that specializes in industrial control system security, the OASyS DNA system is also heavily used in oil and gas pipeline systems in North America, as well as in some water system networks.

The breach raises concerns that hackers could embed malware in project files to infect the machines of program developers or other key people involved in a project. One of the ways that Stuxnet spread — the worm that was designed to target Iran’s uranium enrichment program — was to infect project files in an industrial control system made by Siemens, with the aim of passing the malware to the computers of developers.

Peterson says this would also be a good way to infect customers, since vendors pass project files to customers and have full rights to modify anything in a customer’s system through the project files.

An attacker could also use the project files to study a customer’s operations for vulnerabilities in order to design further attacks on critical infrastructure systems. Or they could use Telvent’s remote access into customer networks to infiltrate customer control systems.

To prevent the latter from occurring, Telvent said in a second letter mailed to customers this week that it had temporarily disconnected its remote access to customer systems, which it uses to provide customer support, while it investigates the breach further.

“Although we do not have any reason to believe that the intruder(s) acquired any information that would enable them to gain access to a customer system or that any of the compromised computers have been connected to a customer system, as a further precautionary measure, we indefinitely terminated any customer system access by Telvent,” the company said in the letter, obtained by KrebsOnSecurity.

The company said it had established “new procedures to be followed until such time as we are sure that there are not further intrusions into the Telvent network and that all virus or malware files have been eliminated.”

A hack via a vendor’s remote access to a customer’s network is one of the primary ways that attackers get into systems. Often, intrusions occur because the vendor has placed a hardcoded password into its software that gives them access to customer systems through a backdoor — such passwords can be deciphered by attackers who examine the software. Attackers have also hacked customer systems by first breaching a vendor’s network and using its direct remote access to breach customers.

A Telvent spokesman confirmed the breach of its own network to Wired on Tuesday.

“We are aware of a security breach of our corporate network that has affected some customer files,” spokesman Martin Hannah told Wired in a phone call. “We’re working directly with our customers, and they are taking recommended actions with the support of our Telvent teams. And Telvent is actively working with law enforcement, with security specialists and with customers to ensure that this breach has been contained.”

Hannah wouldn’t say whether attackers had downloaded the project files or altered them.

Project files contain a wealth of customized information about a specific customer’s network and operations, says Patrick Miller, president and CEO of EnergySec, a nonprofit consortium that works with energy companies to improve security.

“Almost all of them will give you some details about the architecture and, depending on the nature of the project, it may go deeper,” he says. Project files can also identify key players in a project, in order to allow hackers to conduct additional targeted attacks, he said.

Additionally, project files could be altered to sabotage systems, says Digital Bond’s Peterson. Some project files contain the “recipe” for the operations of a customer, describing calculations and frequencies at which systems run or when they should be turned on or off.

“If you’re going to do a sophisticated attack, you get the project file and study it and decide how you want to modify the pieces of the operation,” Peterson says. “Then you modify the project file and load it, and they’re not running what they think they’re running.”

A vendor with good security would have a system in place to log who accesses project files and track any changes made to them. But, Peterson, noted, companies don’t always do what they should do, with regard to security.

Two days after Telvent says it discovered the breach in its network, the company announced a new partnership with Industrial Defender, a U.S.-based computer security firm, to integrate that company’s Automation Systems Manager with its own system to “expand its cybersecurity capabilities” for critical infrastructure.

The ASM system, Telvent said, would give critical infrastructure operators “the ability to determine changes to the system, who made them and why” as well as detect new devices when they’re connected to the network, “allowing for faster decision-making as to whether a change is planned or potentially malicious.”

Industrial Defender did not respond to questions about the Telvent breach or the timing of its partnership with the company.

Miller said he expects that copycat attacks will now recognize the value of attacking industrial control system vendors and begin to attack other vendors after this, if they haven’t already done so.

“If I were a vendor and knew this had happened to Telvent, I should be concerned, ‘Am I next?’”