Utility SCADA System Attacked

Event Year: 2001 Reliability: Likely But Unconfirmed
Country: United States
Industry Type: Power and Utilities
Description:

An electric power utility allowed a contracted vendor to establish a VPN connection. Neither took adequate steps to ensure proper access protection thinking that the other had.  The connection was originally intended to have miminal exposure to the internet when in fact it had significant exposure.  A threat agent exploited this vunerability allowing penetration of the SCADA system. (#2)

Impact:

The attack resulted in significant financial impact to the utility even though they did not lose electric power and their customers were not physically affected. The utility lost use of its SCADA system for 2 weeks until the SCADA system could be completely reprogrammed and made a “trusted” system. The cost was 4 person-months of effort. The utility did not report the incident - there was no requirement, since no electric power was lost. (#2)