A cyber security analyst works in a watch and warning center at a Department of Homeland Security cyber security defense lab at the Idaho National Laboratory, September 30, 2011, in Idaho Falls, Idaho. REUTERS/Jim Urquhart

Homeland Security Reports American Utility Company Hacked

Giuseppe Macri
Tech Editor

The Department of Homeland Security confirmed late Tuesday that an American utility provider was hacked by a “sophisticated” hacker or group of hackers, who successfully accessed the company’s control system network.

A DHS official told Reuters the department was able to close the security breach before attackers had a chance to affect the company’s operations, but the initial success of the attempt illustrates the growing challenge of securing the United States’ increasingly tech-reliant infrastructure against similarly advancing cyber attacks.

The Web-based access point hackers used to get into the control system was originally designed to give operators remote access; attackers logged into it after using a “brute force” hacking method to discover the password.

“In many cases, these devices have not been configured with adequate authentication mechanisms, thereby further increasing the chances of both opportunistic and targeted attempts to directly access these components,” the department wrote in its report.

“As tools and adversary capabilities advance, we expect that exposed systems will be more effectively discovered and targeted by adversaries.”

Homeland Security reports it wasn’t the first such attack against the company, which was not named, and that it was likely exposed to multiple threats.

The agency’s Industrial Control Systems Cyber Emergency Response Team does not publicly report attacks in order to encourage companies to come forward without fear of business repercussions, but did so in this case to highlight the need for companies to adopt stricter security measures over utility control systems — especially those with heavy public reliance.
