Telvent, makers of OASYS SCADA software, discovered on September 10, 2012 that it had suffered a breach of its network – a sophisticated hacker attack spanning its operations in the United States, Canada, and Spain. Two days later, they announced a new partnership with Industrial Defender, a U.S.-based security firm, to integrate that company’s Automation Systems Manager with its own system “to expand its cybersecurity capabilities” for critical infrastructure. Finally, over a week after Telvent first learned of the attack, they notified customers, via letters, that a breach of their systems had occurred.
The attack
Telvent said the hackers installed malicious software (we’re assuming a rootkit) and stole critical “project files” related to their OASYS SCADA product. Telvent has not confirmed whether or not project files were modified (they probably don’t know yet). Project files are used to compile the core software product. They are closely guarded by their owners because they can be modified to inject malicious code (malware) and uploaded back to the server, giving attackers the ability to control the compiled systems. The attacks are particularly dangerous when compromised project files reach developers’ systems, users on the network who typically have a much higher level of security.
Project files can also contain detailed architectural design documents that map the most intimate pieces of the software system, giving whoever holds those design documents a roadmap to the system’s operation – and its inherent vulnerabilities. A deep understanding of the project files gives hackers a distinct advantage in subsequent hack attempts.
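The defensive counterpart to the risk described above is a tamper check on the project files themselves: record a baseline of cryptographic hashes when the files are known-good, keep that baseline authenticated with a key that does not live on the build host, and compare the tree against it before every build. The following is an added example written for this article, not Telvent’s or OASYS’s own code; the file names and contents are constructed sample data, and the signing key is a placeholder.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def read_tree(root: str) -> dict[str, bytes]:
    """Read every regular file under root into a {relative_posix_path: bytes} map."""
    base = Path(root)
    return {
        p.relative_to(base).as_posix(): p.read_bytes()
        for p in sorted(base.rglob("*"))
        if p.is_file()
    }


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Baseline: one SHA-256 per project file, keyed by path."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the manifest.

    An attacker who can rewrite project files can usually rewrite a plain
    hash list too; the key must be held off the build host (release-signing
    workstation, HSM) so the baseline itself cannot be silently replaced.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_signature_valid(manifest: dict[str, str], key: bytes, signature: str) -> bool:
    """Constant-time comparison of the stored signature against a recomputed one."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files that appeared, disappeared, or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def is_clean(report: dict[str, list[str]]) -> bool:
    """True only when no file was added, removed, or modified."""
    return not any(report.values())


# Constructed sample data: a known-good snapshot and a later, tampered snapshot.
BASELINE_FILES = {
    "src/rtu_poller.c": b"int poll_rtu(int id) { return read_rtu(id); }\n",
    "build/Makefile": b"all:\n\tcc -o oasys src/rtu_poller.c\n",
    "docs/architecture.md": b"# Constructed design notes\n",
}
TAMPERED_FILES = dict(BASELINE_FILES)
TAMPERED_FILES["src/rtu_poller.c"] += b"/* constructed: an extra line appended later */\n"
TAMPERED_FILES["src/helper.c"] = b"/* constructed: a file not in the baseline */\n"

SIGNING_KEY = b"placeholder-key-kept-off-the-build-host"


def check_tree(files: dict[str, bytes], baseline: dict[str, str],
               key: bytes, signature: str) -> dict[str, list[str]]:
    """Refuse to trust a baseline whose signature fails, then diff against it."""
    if not manifest_signature_valid(baseline, key, signature):
        raise ValueError("baseline manifest signature invalid; do not build")
    return diff_manifests(baseline, build_manifest(files))


if __name__ == "__main__":
    baseline = build_manifest(BASELINE_FILES)
    sig = sign_manifest(baseline, SIGNING_KEY)
    print("known-good tree clean:", is_clean(check_tree(BASELINE_FILES, baseline, SIGNING_KEY, sig)))
    print("tampered tree report:", check_tree(TAMPERED_FILES, baseline, SIGNING_KEY, sig))
```

`read_tree` is the hook for a real checkout (`build_manifest(read_tree("/path/to/project"))`); the check is only meaningful if the baseline was produced from a tree that was verified clean and the signing key never sits beside the files it protects.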
OASYS SCADA software
Telvent’s OASYS SCADA software is used to remotely administer and monitor large sections of the energy industry’s infrastructure, particularly electrical companies’ transmission and distribution systems. The software monitors distribution systems and maintains operational integrity for those systems. It also provides a detailed roadmap of the electrical grid and the critical points located within the infrastructure. Note that although designed for electrical utilities, the software can also be used to control gas and oil routing systems as well as some water system networks.
Fingerprints point to Chinese hacker group
Digital fingerprints, such as domain IDs and malware left behind by the attackers, suggest ties to a Chinese hacking team, “Comment Group,” that is linked to previous cyber-espionage campaigns against Western interests. Comment Group is suspected in several sophisticated attacks in which they attempted to harvest intellectual property and trade secrets from energy companies, patent law firms, and investment banks.
There have been additional reports of Comment Group sending spear phishing emails to other energy sector companies in recent weeks. If so, Comment Group may be making a concentrated effort to attack the ICS (Industrial Control Systems) energy sector.
Telvent is keeping relatively quiet about the breach while they work with law enforcement and a task force from its parent firm, Schneider Electric.
Our take
SCADA systems are critical components of the nation’s electrical grid. They are the software systems that control and regulate the flow of electricity across the wires. These automated systems contain overrides that give anyone who has access to the control software the ability to shut down or disrupt the integrity of the grid. Telvent should have disclosed this attack much sooner than they did. Attacks against critical infrastructure, ones that affect millions of people, should be disclosed quickly. We’re not suggesting that they should release details of the attack, but they should have notified the public and other utility institutions as soon as they realized a breach had occurred. Also note that signs point towards a coordinated attack against not just Telvent, but likely other vendors and customers. They should audit their systems immediately.