DOE: Common Security Holes Leave Energy Grid Vulnerable
Martin LaMonica writes on C|Net News:
The U.S. is leaving its energy infrastructure open to cyberattacks by not performing basic security measures, such as regular patching and secure coding practices, according to a report prepared by the Department of Energy.
Researchers at the Idaho National Laboratory tested 24 industrial control systems (ICSs) between 2003 and 2009 and published the results in a report [.pdf] completed in May and publicly released last month. Steven Aftergood, secrecy expert at the Federation of American Scientists, blogged about the report on Monday.
The report comes on the heels of a discovery of malware written specifically for systems used for controlling industrial manufacturing and utility systems. That worm, written for a Siemens Windows application, has been a wake-up call to the security community that focuses on industrial control systems because it marked a shift from theory to reality, according to experts.
Although the national labs researchers tested actual control systems used in running the energy infrastructure, such as the electricity grid, they did not disclose the names of any companies. By publishing the results, the DOE hopes energy companies can better assess and secure their computer systems.
The government-funded tests confirm that there are security holes in the energy infrastructure that are due in part to industry's growing reliance on the public Internet. Improving the security of these systems can be accomplished through well-understood security practices, but requires more work on the part of energy professionals and software providers, according to the report.