BreachExchange mailing list archives

Orlando's electric utility fights cyberwar


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 30 Sep 2014 20:22:46 -0600

http://technews.tmcnet.com/news/2014/09/29/8041339.htm

Security staffers at Orlando's utility have been watching for more than a
year now as the digital tentacles of hackers reach through the World Wide
Web and caress the power provider's computerized operations -- not a few
times, or thousands, but millions of times a day.

A fear at Orlando Utilities Commission and utilities across the U.S. is
that a cyberstrike by "bad guys" in Russia, China or even a small American
town will put out lights for a long time.

Confident for now in their digital armor, OUC executives have noted
audacious assaults on Target and Home Depot and worry that small businesses
and ordinary people are not nearly wary enough of cyberspace perils.

"Up until about a year or a year and a half ago, we all toddled along doing
our websites, ftps and our B2B [business-to-business] stuff, and there was
fairly low risk," OUC's computer-security officer said.

"Then, ways to automate attacks came along, and all of us, and I mean
everybody who has an Internet port, if you keep your machine up on the
Internet at home, it's vulnerable, and people are scanning it all day,
every day."

No U.S. power plant has been fried by an Internet strike, or no
such act has been disclosed, but utilities are spending heavily on
protection. Florida Power & Light Co. drills "cross-functional" teams to
counter threats.

The OUC expert asked not to be named to avoid becoming known to hackers.
This summer, however, the utility gave its commissioners a security
briefing with a narrative that could have been from a cyberthriller novel.

"Attacks are daily, they are unrelenting and they are evolving," said Jerry
Sullivan, chief information officer, directing attention to a slide
presentation.

"It describes a bunch of rogue nations that are attacking our system on a
daily basis in what used to be in the neighborhood of 30,000 probes into
our firewalls and now has gone into the millions," Sullivan said.

"We actually have logs that show where China has used email addresses for
our senior staff and tried to guess their passwords," he said.

Sullivan mentioned vendors that safeguard sensitive customer data.
Afterward, OUC lawyer Christopher Browder moved aggressively to censor
their identities, explaining that names alone would give enemies a critical
edge.

The Sentinel obtained the vendor identities but agreed not to disclose them.

Not well-addressed by Sullivan was why utilities are so targeted when
celebrities and credit cards seem prime for cybercrime.

Other experts suggested utilities detect more hits because they watch very
carefully as a matter of national security; a few daily probes may be
gathering intelligence for a terror attack on a power plant.

"We have to assume there is somebody out there trying to do it," said Joy
Ditto, an American Public Power Association vice president.

"Many of these 'attacks' start out as reconnaissance," said Duncan Earl,
chief technology officer at San Diego-based Qubitekk Inc., which recently
won a $3 million federal grant to improve utility encryption. "Then the
attacker can work to implement a virus."

University of Central Florida
professor Cliff Zou said hackers are downloading increasingly potent
software to automatically and randomly troll for unsecured computers.

"You can think of the Internet as a big ocean," Zou said. "So attackers,
whether entry-level or sophisticated, most of the time, they are just
fishing in the ocean. Whether the fish belongs to this brand or that brand
does not matter much."

Said Nathan Mitchell, American Public Power
Association director of reliability standards: "The better the tools that
the bad guys are getting, the more they are reaching out to anything to see
what they can access."

Hackers compromise computers by obtaining passwords,
leveraging software weakness and planting viruses. They also secretly
enslave computers into botnets, a term joining robot and network, for a
"distributed denial-of-service attack" that buries a website with activity.

Jacksonville's utility, JEA, temporarily lost its website and Internet
access for three days last year to a denial-of-service attack motivated by
social or political reasons.

"When you hear about data breaches and leaks of account credentials, that
would be like a sniper attack," said David Fernandez, director of security
engineering for Prolexic Technologies in Hollywood, Fla.

A denial-of-service attack, he said, "is not on that level of
sophistication. This is the big, brute weapon." His company shields clients
from such attacks.

OUC's Sullivan regards denial-of-service attacks as noisy distractions for
stealthier strikes on servers and data storage.

"I think the landscape across the United States is filled with companies
that don't know they have been subject to a successful attack," Sullivan
said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 