BreachExchange mailing list archives
Telvent client alerted feds to hack at energy company, documents suggest
From: Erica Absetz <erica () riskbasedsecurity com>
Date: Tue, 23 Apr 2013 15:23:06 -0400
http://o.canada.com/2013/04/22/telvent-client-alerted-feds-to-hack-at-energy-company-documents-suggest/

OTTAWA — A Canadian energy technology company, whose systems help run pipelines around North America, acted “in an extremely responsible manner” after it was hacked over the summer, even though it didn’t tell Canadian authorities about the intrusion.

Instead, a client of Telvent alerted Canadian officials about the successful cyber intrusion about two weeks after the company’s clients were first notified.

In briefing material prepared for Public Safety Minister Vic Toews, the government was ready to argue this point if pressed by opposition parties in the Commons, with a prepared response for Toews reading that the federal response to the Telvent hack was an example of the system working as it should.

The Canadian Cyber Incident Response Centre didn’t learn of the intrusion at Telvent until Sept. 26. The company first notified its clients on Sept. 10 of the hack.

CCIRC, which tracks, warns and advises on dealing with cyber attacks, didn’t learn of the hack from Telvent itself, but rather had one of the company’s clients notify it, according to a Feb. 22 question period briefing note to Toews, a copy of which was released to Postmedia News under the access to information law.

Reports in late September were critical of the federal agency’s response — or lack thereof — to the attack. The level of critique was ratcheted up in late February when the CBC reported that it took 10 days before CCIRC learned of the incident and that the company had initially reported the intrusion to American authorities.

But the seemingly slow response was a function of the government’s inability to enforce cyber security standards in the private sector, or force companies to publicly report when an intrusion has taken place, according to a briefing note to Public Safety Minister Vic Toews.

“The [CBC] report infers that CCIRC was negligent in detecting this threat. It is illegal for the government to monitor the private communications of Canadians and Canadian businesses. As such, CCIRC relies on voluntary reporting,” reads background notes prepared for Toews.

“Telvent behaved in an extremely responsible manner by notifying its clients of the intrusion, so that they too could begin acting to protect themselves. Companies are often wary of admitting they have been victimized, due to fears over liability or loss of investor confidence.”

The notes also say this: “CCIRC has no authority to ensure that private sector companies act on the information it provides.”

The hack at Telvent, which the company and Canadian authorities confirmed in late September, only penetrated its systems and not those of its clients. According to the briefing note, the company became aware of the hack in the summer of 2012 that was targeted at extracting files “related to a specific project, principally a software system used in smart grid technologies.”

According to reports, the hack was allegedly traced back to China.

The company’s technology is used to help energy companies remotely control systems overseeing energy infrastructure, including pipelines. Telvent’s systems are in place in more than half of North American pipelines.

In its quarterly report for the period of July to September, CCIRC references a hack at a Canadian manufacturer of industrial control systems, noting that “CCIRC continues to work collaboratively with its domestic and international partners.”

In late February, Toews was not asked in the Commons about the reported delay in CCIRC becoming aware of the Telvent breach. Had he been asked, the department prepared responses.

“The government provides threat and warning information, along with mitigation advice, to industry. Private sector operators are ultimately responsible for acting on this information, and for seeking help and advice from government during an incident,” one proposed response reads.

“In this case, the system worked as it should. The Canadian Cyber Incident Response Centre was in touch with its allies, victims and other partners within hours of becoming aware of this incident in order to ensure industry had the information and advice needed to protect vital systems.”