The FBI has acknowledged the hacking, and subsequent takeover, of an industrial control system in New Jersey. While the target in question was merely an HVAC system belonging to an air conditioning company, the announcement underscores the opportunity for hackers to penetrate SCADA systems, many of which were designed before security to defend them had emerged as an issue.

While the memorandum from the FBI's Newark division is dated July 23 and reflects an attack that was made between February and March of this year, the case became public this week when it was posted on a public intelligence website.

According to the FBI memorandum, during January of this year, an unknown individual issued a post on a website calling for an increase in attacks against SCADA systems. The bureau believes that the individual is a member of a group that is supposed to publicizing software vulnerabilities out of a belief that such disclosures are made in order to increase sales of IT security products.

[Related: Report: Security Budgets Trending Upwards For 2013]

The FBI memo goes on to say that the "intruders were able to access a backdoor into the ICS system that allowed access to the main control mechanism for the company's internal heating, ventilation, and air conditioning (HVAC) units." The company "was using the Tridium Niagara ICS system, which has been widely reported in the media to contain multiple vulnerabilities that could allow an attacker to remotely control the system."

The control interface for the system was apparently connected to the Internet with password protection, but without protection by a firewall. The backdoor, however was not password-protected. Logs indicate that multiple unauthorized IP addresses from both within the United States and from international locations illegally accessed the infrastructure.

According to the Tridium website, there are more than 245,000 instances of the Niagara framework deployed worldwide. The company says that the software platform integrates diverse multivendor, multiprotocol systems in a unified platform manageable via Web browser.

PUBLISHED DEC. 14, 2012