Smart-Grid Control Software Maker Hacked
tsu doh nimh writes "Telvent, a multinational company whose software and services are used to remotely administer and monitor large sections of the energy and gas industries, began warning customers last week that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain. Brian Krebs reports that the attacker(s) installed malicious software and stole project files related to one of Telvent's core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced 'smart grid' technologies. A follow-up story from Wired.com got confirmation from Telvent, and includes speculation from experts that the 'project files' could be used to sabotage systems. 'Some project files contain the "recipe" for the operations of a customer, describing calculations and frequencies at which systems run or when they should be turned on or off. If you're going to do a sophisticated attack, you get the project file and study it and decide how you want to modify the pieces of the operation. Then you modify the project file and load it, and they're not running what they think they're running.'"
Tell me how efficient they are when the whole grid goes down.
Seven puppies were harmed during the making of this post.
Computers only make things more efficient when the systems architects know how to do their jobs effectively and don't rely on vendors and consultants to do it for them. It's not in the interests of vendors or consultants to save their customer money. It's in their interests to make as much money from the customer as practical, and that can mean everything from selling them equipment that's overspec to selling far more equipment than necessary to excessive costs for setup and configuration that are difficult to determine at the outset of the project.
As problematic as our telephone system has been at times, at least from a bureaucracy standpoint, that Bell did basic research and development in-house and for a long time owned almost everything internally, advances were made and the system functioned very well. The Baby Bells have inherited this legacy, and the biggest cracks have only manifested as they've each independently implemented technologies post-Ma-Bell, like DSL.
If you've had to work with vendors extensively you'd realize what a bane it can be to actually achieving, especially when non-technical persons have the ultimate decision in your organization.
Do not look into laser with remaining eye.
This is a good example of why the gov't is worried about cyber security for critical infrastructure. Just like there are minimum standards for building and fire safety, there need to be minimum standards for IT infrastructure security.
Learning HOW to think is more important than learning WHAT to think.
YOU. DO. NOT. CONNECT. VITAL. INFRASTRUCTURE. TO. THE. INTERNET.
fucking idiots.
guess we better learn to live in the dark again, because these fools and the power companies they blather money out of will put us there yet.
if this is supposed to be a new economy, how come they still want my old fashioned money?