Telvent Compromised!

Brian Krebs breaks a big story in the ICS security world — Telvent has been informing customers they have been compromised by the Comment Group.

Over the past two decades Telvent has dominated the oil and gas pipeline SCADA market. In recent years they have moved aggressively into the smart grid market and were acquired by Schneider Electric.

According to the Krebs reporting, “Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings — OASyS SCADA.” This is Telvent’s flagship SCADA product. There are at least three potentially serious consequences of this compromise:

  1. The attackers used their presence on the Telvent network to pivot and compromise the Telvent customer SCADA systems that were connected to the Telvent network. Vendors typically connect to their customers for weeks during deployment and periodically for maintenance and support after deployment. Krebs reports that Telvent has terminated the usual method of connecting to customers and deployed a new method.
  2. The attackers used their presence on the Telvent network to modify project files that were in the deployment phase. The system would be compromised before it was commissioned.
  3. The attackers used their presence on the Telvent network to download the customer project files for a future attack — think future Stuxnet. If an attacker were going to attack a process in a sophisticated manner, they would need time and talent to study the project files and essentially reverse engineer the process.
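The second consequence above, project files altered while a system is still in deployment, is one an owner/operator can check for without relying on the vendor's network being clean. The following is an added example, not code from Telvent, Digital Bond or the post: it records a SHA-256 manifest of the project package at hand-off and re-verifies it at commissioning, reporting any file that was modified, added or removed in between. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Added example (not Telvent's or Digital Bond's code): detect tampering of
SCADA project files between vendor hand-off and commissioning by comparing
SHA-256 manifests. File names and contents below are constructed."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large project archives are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root, '/' separated) to its digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def verify(root: str, trusted: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the files now on disk against the manifest taken at hand-off."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in trusted if p in current and current[p] != trusted[p]),
        "added": sorted(p for p in current if p not in trusted),
        "removed": sorted(p for p in trusted if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: manifest captured at hand-off, then one logic file
    is altered and an extra file dropped in before commissioning."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "logic"))
        with open(os.path.join(root, "logic", "pump_control.st"), "w") as f:
            f.write("IF level > 80 THEN pump := TRUE; END_IF\n")
        with open(os.path.join(root, "points.csv"), "w") as f:
            f.write("tag,address\nLEVEL_01,40001\n")
        trusted = build_manifest(root)

        # Baseline check immediately after hand-off: nothing has changed.
        assert verify(root, trusted) == {"modified": [], "added": [], "removed": []}

        # Simulated tampering during the deployment window.
        with open(os.path.join(root, "logic", "pump_control.st"), "w") as f:
            f.write("IF level > 95 THEN pump := TRUE; END_IF\n")
        with open(os.path.join(root, "logic", "extra.st"), "w") as f:
            f.write("(* not part of the hand-off package *)\n")
        return verify(root, trusted)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only as trustworthy as where it is kept: store it (or a signature over it) on owner-controlled media outside the vendor's reach, since an attacker who can rewrite the project files could otherwise rewrite the manifest too.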

If this Comment Group is the same as Comment Crew, then this is likely the same group that sent spear phishing email to Digital Bond and EnergySec. They are going after the ICS energy sector, and Telvent is almost certainly not the only vendor being targeted or compromised. In fact, I would be worried if a large asset owner or vendor in the energy sector is not detecting these attacks. Little Digital Bond and non-profit EnergySec must be rather low on the list of energy sector ICS targets.

Telvent does deserve some credit for addressing this head on rather than trying to bury it. Recent events have shown that IT security vendors do much more to hide compromises. Telvent has a good reputation for implementing security controls and responding to reported vulnerabilities, but no one is immune to compromise.

This reported compromise points to two security principles that deserve their own articles. First, owner/operators should not allow full-time vendor remote access. It should be emergency remote access only and completely under the owner/operator's control. And second, vendors and all other organizations should segment their internal networks. Assume the corporate network will be compromised and focus security resources on the key information resources.
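The first principle, emergency-only vendor access under owner/operator control, comes down to a default-deny gate with explicitly approved, time-boxed windows. Below is an added example, not code from the post, Telvent or Digital Bond, of such a gate: a grant needs a named approver and a ticket, cannot exceed a site policy cap, expires on its own, can be revoked early, and every decision leaves an audit line. The `MAX_WINDOW` cap, vendor names, ticket ids and timestamps are assumptions made for the demonstration; the `active_vendors` output is meant to feed whatever enforcement point (firewall, jump host, VPN) the site actually uses.

```python
"""Added example (not from the post, Telvent or Digital Bond): an
owner-controlled gate for vendor remote access. Access is denied by default
and opened only for an approved, time-boxed emergency window. The policy cap,
vendor names, tickets and timestamps are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List

MAX_WINDOW = timedelta(hours=4)  # assumed site policy: longest single grant


@dataclass
class AccessGrant:
    vendor: str
    approver: str      # owner/operator staff member who approved the window
    ticket: str        # incident or change reference the window is tied to
    start: datetime
    end: datetime
    revoked: bool = False


@dataclass
class VendorAccessGate:
    grants: List[AccessGrant] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def grant(self, vendor: str, approver: str, ticket: str,
              now: datetime, duration: timedelta) -> AccessGrant:
        """Open a window; the owner decides the length, capped by policy."""
        if duration <= timedelta(0) or duration > MAX_WINDOW:
            raise ValueError("window must be positive and within MAX_WINDOW")
        g = AccessGrant(vendor, approver, ticket, now, now + duration)
        self.grants.append(g)
        self.audit.append(f"{now.isoformat()} GRANT {vendor} by {approver} "
                          f"({ticket}) until {g.end.isoformat()}")
        return g

    def revoke(self, vendor: str, approver: str, now: datetime) -> int:
        """Close every open window for a vendor early; returns how many."""
        closed = 0
        for g in self.grants:
            if g.vendor == vendor and not g.revoked and now < g.end:
                g.revoked = True
                closed += 1
        self.audit.append(f"{now.isoformat()} REVOKE {vendor} by {approver} ({closed} window(s))")
        return closed

    def is_allowed(self, vendor: str, now: datetime) -> bool:
        """Default deny: true only inside an active, unrevoked window."""
        return any(g.vendor == vendor and not g.revoked and g.start <= now < g.end
                   for g in self.grants)

    def active_vendors(self, now: datetime) -> List[str]:
        """Vendors the enforcement point should currently let through."""
        return sorted({g.vendor for g in self.grants
                       if not g.revoked and g.start <= now < g.end})


def demo() -> Dict[str, object]:
    """Constructed walk-through of one emergency window."""
    t0 = datetime(2012, 9, 26, 10, 0, tzinfo=timezone.utc)
    gate = VendorAccessGate()
    results: Dict[str, object] = {}
    results["before_grant"] = gate.is_allowed("vendor-a", t0)
    gate.grant("vendor-a", "ops-lead", "INC-0001", t0, timedelta(hours=2))
    results["during_window"] = gate.is_allowed("vendor-a", t0 + timedelta(minutes=30))
    results["other_vendor"] = gate.is_allowed("vendor-b", t0 + timedelta(minutes=30))
    results["after_expiry"] = gate.is_allowed("vendor-a", t0 + timedelta(hours=2))
    results["active_at_30m"] = gate.active_vendors(t0 + timedelta(minutes=30))
    gate.revoke("vendor-a", "ops-lead", t0 + timedelta(minutes=45))
    results["after_revoke"] = gate.is_allowed("vendor-a", t0 + timedelta(hours=1))
    try:
        gate.grant("vendor-a", "ops-lead", "INC-0002", t0, timedelta(hours=5))
        results["cap_enforced"] = False
    except ValueError:
        results["cap_enforced"] = True
    results["audit_lines"] = len(gate.audit)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Pair the gate with the second principle in practice: the enforcement point it feeds should sit at a segmentation boundary, so even an approved vendor session reaches only the systems named in the ticket rather than the whole network.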

(Full disclosure – Telvent has participated in Digital Bond’s Bandolier Project)


3 comments to Telvent Compromised!

  • SCADA Admin on a Telvent System

    Upon the initial notification, Telvent verbally notified customers and requested that customers disable all Telvent users. Furthermore, they strongly suggested that we monitor for any unusual outbound traffic. They have kept us informed as more information is available.

    They are fully cooperating with law enforcement officials.

  • Though this hack is frightening, I am actually encouraged by Telvent’s reaction. I really can’t find fault with them on anything they’ve done since they discovered the problem.

    The more I hear from people in the field, the more I appreciate what the Telvent managers are doing. Customers like me are taking notes.

  • There are innovative solutions that will stop these types of penetrations from happening but the industry is following old technology solutions and they just do not work. Until the experts start to deploy disruptive solution technology to the problem this activity will continue. There is such a solution but because it is not from a “Big Boy” solution provider it falls on deaf ears.
