Critical Infrastructure Finally Getting the Attention it Deserves
There’s no question that Critical Infrastructure (CI) was a popular topic in IT security media outlets throughout 2011. Everything from Duqu speculation to Black Hat PLC hacking, this past year was a wake-up call for the energy & utilities industry confirming that CI security is more than just a 15-foot high brick wall.
If you recall, at Black Hat 2011, a researcher was able to hack into a Siemens device because it had SCADA authentication holes. According to a recent article over at Dark Reading, the Siemens team is pushing to release a major security fix this month. While it’s still early January, we haven’t heard of the fix being pushed out yet, so if you have please let us know in the comments.
Quote from Siemens Industrial Security News about the vulnerabilities:
Siemens was notified by IT experts (Billy Rios and Terry McCorke) about vulnerabilities in some of its automation products. These are the WinCC flexible RT versions from 2004 to 2008 SP2 and WinCC Runtime Advanced V11 and multiple Simatic panels (TP, OP, MP, Comfort). We are aware of the reported vulnerabilities, first reported in May 2011. Our development had immediately taken action and addressed these issues. The vulnerabilities will be fixed by security updates, first is planned to be issued in January 2012. In December 2011 further vulnerabilities have been reported which are currently under investigation. We thank Billy Rios and Terry McCorke for reporting the vulnerabilities.
While Siemens is investigating their issues, various government agencies have aligned with leadership in the private sector to try and find a solution to the security woes in the energy and utilities industry.
The “Electric Sector Cybersecurity Risk Management Maturity” project is now in place to help establish a holistic security approach for the nation’s energy infrastructure. The project leaders are of varied backgrounds, which makes this all the better. It’s made up of representatives from the Department of Energy (leading agency), the White House, and DHS, with participants from the private energy and utilities sector. Odds are this project will eventually turn into a single government agency to handle all cyber security concerns, as Massachusetts Institute of Technology (MIT) has already suggested.
What can energy providers do while the aforementioned “maturity model” is put into place? Learn about Security Intelligence and how it can help mitigate many of the IT security concerns in the smart grid and for energy control systems in general.