The control systems of a US utility have been hacked and compromised, according to the Department of Homeland Security (DoHS). However, it adds that there is no evidence that the utility's operations were affected.
The revelation follows a report from the agency's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The DoHS has refused to name the utility.
"While unauthorised access was identified, ICS-CERT was able to work with the affected entity to put in place mitigation strategies and ensure the security of their control systems before there was any impact to operations," a DoHS official told Reuters.
Such attacks are rarely publicly disclosed, but ICS-CERT said it was likely that the utility had been hit before, although it did not disclose further details.
The agency said that the probable entry point for the hackers was an internet portal that enabled workers to access the utility's control systems. The system was protected by just a "simple" password that could easily be cracked with standard brute-force tools.
Justin W. Clarke, an industrial control security consultant with security firm Cylance, told Reuters that it is rare for such breaches to be identified by utilities and even more rare for the government to disclose them.
"In most cases, systems that are so antiquated as to be susceptible to such brute forcing technologies would not have the detailed logging required to aid in an investigation like this," he said.
Last year ICS-CERT responded to 256 online security reports, more than half of them in the energy sector.