Claimed Compromise of Wind Turbine System: Fact? Hoax? Does it Matter?
April 18, 2011, 01:30 pm EDT
Over the weekend, a disgruntled former employee of NextEra Energy Resources, a subsidiary of Florida Power & Light, claimed he discovered a vulnerability in the Cisco security management software, and was able to hack into the SCADA (supervisory control and data acquisition) systems used to control the turbines. The company has since investigated this claim and stated that it has found no evidence of a system compromise. But the question remains: does it really matter?
Until recently, the energy infrastructure had remained untouched for years. Utility and energy players are now making strides towards creating more advanced systems, from new regulatory mandates and guidelines, to SCADA networks for the management and flow of electricity, gas, and water, to advanced metering infrastructures for tracking energy usage. But for all their promise, emerging paradigms like the smart grid, which opens utility companies to new sources of power beyond traditional means to include renewable and consumer-generated power, have a significant Achilles heel: security. These emerging infrastructures promise a host of benefits, but they also create significant vulnerabilities.
In the article, “Anonymous hacker claims he broke into wind turbine systems,” featured in IDG News Service, John Cusimano, director at the Security Incidents Organization, claims that insider hacks are responsible for about 10-15% of all industrial security computer incidents. This isn’t a new issue. In fact, for years now, insider hacks have been one of the leading causes of data compromise and should not be taken lightly. What are some key points utility companies, among others, should consider to thwart this threat?
1) Develop a strong authentication protocol for both employees and partners accessing the system. It is imperative that the authentication protocol go beyond usernames and passwords, which are often shared among employees or so simple they can be guessed within a few attempts. Thinking beyond username and password, software- or token-based authentication can provide the added layer of security necessary to ensure that only authorized users are accessing sensitive company information.
2) Establish a strong policy that provides separation of duties and information control. At the back end of the system, put controls in place that regulate who can gain access to what information, databases, applications, and systems. With the proper technology and setup, you can ensure that only approved users, with the right credentials, can access information and systems in the clear. Users with restricted access can still have use of the information needed to perform their job functions, without the ability to view or alter sensitive information. In addition, within the system itself, establish policies that will limit the hours during which employees can access certain information and applications. This will decrease your risk significantly.
3) In a public key infrastructure environment, make sure something is in place to secure your PKI. Companies spend millions designing and deploying a PKI system to set up their networks and applications but, oftentimes, they overlook how their PKI is secured. Don’t forget this crucial step, which is otherwise a hidden weakness: make sure the sensitive keys for your PKI are kept secured in a hardware platform, and cannot be tampered with or altered.
4) Ensure that, internally, different departments are communicating with one another. Have a proper policy in place for new and terminated employees, cutting off access as soon as an employee is terminated. In addition, have a system in place that will monitor your employees’ activities, such as frequency of accessing certain networks. Conduct internal audits on a routine basis; this may be your only way to recognize red flags quickly.
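The access-hour limits in point 2 and the termination cut-off, activity monitoring and routine audits in point 4 can be checked mechanically against an access log. The following is an added example, not code from the article or from SafeNet; the log format, user names, system name, permitted hours and frequency threshold are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data (assumptions for illustration, not from the article).
ROSTER = {  # user -> termination time from HR (None = still employed)
    "alice": None,
    "bob": datetime(2011, 4, 15, 17, 0),
    "carol": None,
}
ALLOWED_HOURS = {"scada-hmi": range(7, 19)}  # system -> permitted local hours
MAX_DAILY_ACCESSES = 3  # per user, per system, per day

ACCESS_LOG = """\
2011-04-14T09:12:00 alice scada-hmi
2011-04-14T10:05:00 bob scada-hmi
2011-04-16T23:41:00 bob scada-hmi
2011-04-17T02:30:00 carol scada-hmi
2011-04-18T08:00:00 alice scada-hmi
2011-04-18T08:20:00 alice scada-hmi
2011-04-18T09:10:00 alice scada-hmi
2011-04-18T11:45:00 alice scada-hmi
2011-04-18T12:00:00 mallory scada-hmi
"""

def audit(log_text, roster, allowed_hours, max_daily):
    """Return a list of (timestamp, user, system, reason) findings."""
    findings = []
    daily = Counter()  # (user, system, date) -> accesses seen so far
    for line in log_text.splitlines():
        ts_raw, user, system = line.split()
        ts = datetime.fromisoformat(ts_raw)
        if user not in roster:  # account HR has no record of
            findings.append((ts_raw, user, system, "unknown-account"))
            continue
        terminated = roster[user]
        if terminated is not None and ts >= terminated:
            findings.append((ts_raw, user, system, "access-after-termination"))
        hours = allowed_hours.get(system)
        if hours is not None and ts.hour not in hours:
            findings.append((ts_raw, user, system, "outside-permitted-hours"))
        daily[(user, system, ts.date())] += 1
        if daily[(user, system, ts.date())] == max_daily + 1:  # flag once per day
            findings.append((ts_raw, user, system, "access-frequency-exceeded"))
    return findings

if __name__ == "__main__":
    for finding in audit(ACCESS_LOG, ROSTER, ALLOWED_HOURS, MAX_DAILY_ACCESSES):
        print(*finding)
```

Joining the log against the HR roster is what surfaces the interdepartmental gap point 4 describes: an account that still works after its owner's termination date.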
It shouldn’t take a news headline of a hack or a regulation for us to think about security. Being proactive and having a proper security posture is the only way to stay ahead of the hackers and the headlines.
This entry was posted in Authentication, Compliance, Data Center, Digital Signatures, Endpoint Protection, Energy, Financial Services, Healthcare, Key Management, Manufacturing, Retail by Trisha Paine.