In a rare gesture of transparency, the US Department of Homeland Security just announced that hackers recently targeted and compromised a public utility’s control system. It didn’t say exactly where, but it happened inside United States borders. And it doesn’t sound like it was even that hard.
Specific details about the breach are scant. However, DHS did say that it thinks the hackers broke into the utility’s control system by accessing an internet portal that employees use to sign on remotely. It didn’t even require hacking really. The intruders just mounted a “brute force” attack, guessing every possible password combination until they found one that worked. It’s a more advanced, probably computer-aided version of the technique when trying to log on to your neighbour’s Wi-Fi. It’s also more than unsettling that the DHS doesn’t know for sure how the hackers did it.
While DHS says that the utility’s operations weren’t affected, this is all very scary. A hacker breaking into a city’s infrastructure is exactly the kind of cyber attack President Obama warned Americans about a couple years ago, when he was beefing up our cyber security capabilities. But when a terrorist is only one password away from accessing a cyber control center, it’s clear that we still have a long ways to go. It’s also clear that these kinds of attacks can happen virtually, though hackers have mounted physical attacks on urban infrastructure.
Now that everyone’s good and frightened, we have to figure out what to do. The scary news itself almost reads like a call to arms — a real life example of the time the White House simulated an attack on New York City’s power grid to teach the Senate a lesson. The very fact that DHS disclosed the details of this most recent attack is evidence that they want the rest of the government to know how real the threat is. And you know the need for better cyber security is serious when the FBI starts considering hiring pothead hackers to fight the good fight.