BreachExchange mailing list archives

Telvent client alerted feds to hack at energy company, documents suggest


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Tue, 23 Apr 2013 15:23:06 -0400

http://o.canada.com/2013/04/22/telvent-client-alerted-feds-to-hack-at-energy-company-documents-suggest/

OTTAWA — A Canadian energy technology company, whose systems help run
pipelines around North America, acted “in an extremely responsible
manner” after it was hacked over the summer, even though it didn’t
tell Canadian authorities about the intrusion.

Instead, a client of Telvent alerted Canadian officials about the
successful cyber intrusion about two weeks after the company’s clients
were first notified.

In briefing material prepared for Public Safety Minister Vic Toews,
the government was ready to argue this point if pressed by opposition
parties in the Commons, with a prepared response for Toews reading
that the federal response to the Telvent hack was an example of the
system working as it should.

The Canadian Cyber Incident Response Centre didn’t learn of the
intrusion at Telvent until Sept. 26. The company first notified its
clients on Sept. 10 of the hack.

CCIRC, which tracks, warns and advises on dealing with cyber attacks,
didn’t learn of the hack from Telvent itself, but rather had one of
the company’s clients notify it, according to a Feb. 22 question
period briefing note to Toews, a copy of which was released to
Postmedia News under the access to information law.

Reports in late September were critical of the federal agency’s
response — or lack thereof — to the attack. The level of critique was
ratcheted up in late February when the CBC reported that it took 10
days before CCIRC learned of the incident and that the company had
initially reported the intrusion to American authorities.

But the seemingly slow response was a function of the government’s
inability to enforce cyber security standards in the private sector,
or force companies to publicly report when an intrusion has taken
place, according to a briefing note to Public Safety Minister Vic
Toews.

“The [CBC] report infers that CCIRC was negligent in detecting this
threat. It is illegal for the government to monitor the private
communications of Canadians and Canadian businesses. As such, CCIRC
relies on voluntary reporting,” reads background notes prepared for
Toews.

“Telvent behaved in an extremely responsible manner by notifying its
clients of the intrusion, so that they too could begin acting to
protect themselves. Companies are often wary of admitting they have
been victimized, due to fears over liability or loss of investor
confidence.”

The notes also say this: “CCIRC has no authority to ensure that
private sector companies act on the information it provides.”

The hack at Telvent, which the company and Canadian authorities
confirmed in late September, only penetrated its systems and not those
of its clients. According to the briefing note, the company became
aware of the hack in the summer of 2012 that was targeted at
extracting files “related to a specific project, principally a
software system used in smart grid technologies.” According to
reports, the hack was allegedly traced back to China.

The company’s technology is used to help energy companies remotely
control systems overseeing energy infrastructure, including pipelines.
Telvent’s systems are in place in more than half of North American
pipelines.

In its quarterly report for the period of July to September, CCIRC
references a hack at a Canadian manufacturer of industrial control
systems, noting that “CCIRC continues to work collaboratively with its
domestic and international partners.”

In late February, Toews was not asked in the Commons about the
reported delay in CCIRC becoming aware of the Telvent breach. Had he
been asked, the department prepared responses.

“The government provides threat and warning information, along with
mitigation advice, to industry. Private sector operators are
ultimately responsible for acting on this information, and for seeking
help and advice from government during an incident,” one proposed
response reads.

“In this case, the system worked as it should. The Canadian Cyber
Incident Response Centre was in touch with its allies, victims and
other partners within hours of becoming aware of this incident in
order to ensure industry had the information and advice needed to
protect vital systems.”