FBI Memo Discloses Industrial Control Hack

By Ken Presti
December 14, 2012 2:24 PM ET

The FBI has acknowledged the hacking, and subsequent takeover, of an industrial control system in New Jersey. While the target in question was merely an HVAC system belonging to an air conditioning company, the announcement underscores the opportunity for hackers to penetrate SCADA systems, many of which were designed before security to defend them had emerged as an issue.

While the memorandum from the FBI's Newark division is dated July 23 and reflects an attack that was made between February and March of this year, the case became public this week when it was posted on a public intelligence website.

According to the FBI memorandum, during January of this year, an unknown individual issued a post on a website calling for an increase in attacks against SCADA systems. The bureau believes that the individual is a member of a group that is supposed to publicizing software vulnerabilities out of a belief that such disclosures are made in order to increase sales of IT security products.

The FBI memo goes on to say that the "intruders were able to access a backdoor into the ICS system that allowed access to the main control mechanism for the company's internal heating, ventilation, and air conditioning (HVAC) units." The company "was using the Tridium Niagara ICS system, which has been widely reported in the media to contain multiple vulnerabilities that could allow an attacker to remotely control the system."

The control interface for the system was apparently connected to the Internet with password protection, but without protection by a firewall. The backdoor, however was not password-protected. Logs indicate that multiple unauthorized IP addresses from both within the United States and from international locations illegally accessed the infrastructure.

According to the Tridium website, there are more than 245,000 instances of the Niagara framework deployed worldwide. The company says that the software platform integrates diverse multivendor, multiprotocol systems in a unified platform manageable via Web browser.

PUBLISHED DEC. 14, 2012

To continue reading this article, please download the free CRN Tech News app for your iPad or Windows 8 device.

Related: Videos | Slide Shows | Comments

SHARE THIS ARTICLE

More Security

Comments by Vanilla

Recent Articles

	10 Emerging Security Technologies Gaining Interest, Adoption Despite some security defenses being only in their infancy, they are attracting interest for addressing BYOD issues, cloud security concerns and stolen account credentials. Here's a look at some of the top new security areas gaining industry interest.
	5 Government Intelligence Facilities You've Never Heard Of One facility has been around since the dawn of space exploration, while other buildings are still in construction. But, they all have serious data analysis and surveillance support activities associated with them.
	Data Breach Costs: 10 Ways You're Making It Worse A little planning and avoiding these 10 costly missteps can help mitigate the impact of a data security breach, according to the Ponemon Institute's latest research.
	More Slide Shows