Instrumentation & Controls

Chinese Hackers Blamed for Breach of Telvent’s SCADA-Related Network

Cyber attacks on the utility industry are no longer theoretical. According to multiple sources, smart grid technology vendor Telvent told U.S., Canadian, and Spanish customers on Sept. 10 that hackers had broken through its firewall and accessed “project files” related to its OASyS SCADA system. On Wednesday, reports surfaced that, based on the perpetrators’ “digital fingerprints,” the attack appears to be the work of a well-known Chinese hacker group.

Known as Comment Group, this team has been tied to multiple cyber-espionage attacks on Western interests, according to KrebsOnSecurity. As Brian Krebs reported, “Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced ‘smart grid’ technologies.” As a precautionary measure, the company has disconnected the links between its network and its clients’ networks and says it has established new measures for remote support services.

Patrick Miller, president and CEO of EnergySec, a nonprofit consortium that works with energy companies to improve security, told the Wired Threat Level blog that project files contain a wealth of customized information about a specific customer’s network and operations. “Almost all of them will give you some details about the architecture and, depending on the nature of the project, it may go deeper,” he was quoted as saying. Project files can also provide information that allows hackers to mount additional, targeted attacks.

To date, Telvent, which is owned by Schneider Electric, has been communicating just with its clients and law enforcement about the situation.

Telvent isn’t the only company to face recent unwanted attention for cybersecurity concerns. RuggedCom, which designs and manufactures rugged communications equipment, was acquired by Siemens last year. On Aug. 31, the Department of Homeland Security issued an alert regarding RuggedCom’s Rugged Operating System. In summary, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Control Systems Security Program “is aware of a public report of a hard-coded RSA SSL private key within RuggedCom’s Rugged Operating System (ROS). The vulnerability with proof-of-concept (PoC) exploit code was publicly presented by security researcher Justin W. Clarke of Cylance Inc. According to this report, the vulnerability can be used to decrypt SSL traffic between an end user and a RuggedCom network device.” Similar vulnerabilities were found in other RuggedCom firmware. RuggedCom provided details about the vulnerabilities and recommended solutions in an Aug. 31 notice.

Siemens’ SCADA system was the target of the Stuxnet attacks, which were designed to sabotage industrial control systems. Though Stuxnet first surfaced at the Iranian Bushehr nuclear power plant, it was also detected a year ago in European computer systems.

Greentech Media’s Jeff St. John notes that this is also not the first time Telvent’s equipment has been a source of cybersecurity concerns: “In December, ICS-CERT notified the industry of vulnerabilities in remote terminal units (RTUs) built by Schneider Electric’s Telvent, which one security expert told us may have cost utilities dearly in replaced equipment.”

Although there has been lots of chatter among politicians and industry experts about a theoretical cyberattack on power infrastructure, and though technology vulnerabilities have been identified and bills to strengthen grid cybersecurity have been proposed (and defeated), this month’s Telvent attack appears to be the first actual hack that could have done damage.

Earlier this month, Joseph McClelland, director of the Federal Energy Regulatory Commission (FERC) Office of Electric Reliability, testified before a congressional subcommittee about the ways in which the U.S. regulatory system is ill-equipped to deal with time-sensitive threats to physical and cyber assets of its power system.

For more on what the U.S. electric power industry has been doing to address cybersecurity concerns, see these articles in the June issue of POWER: “Guidance on Cybersecurity for the Electricity Sector” and “Ensuring the Cybersecurity of Plant Industrial Control Systems.”

Sources: POWERnews, Wired, KrebsOnSecurity, Telvent, Greentech Media, Department of Homeland Security

—Gail Reitenbach, PhD is POWER’s managing editor (@GailReit and @POWERmagazine)