In a report [PDF], DHS' Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) explained that the software used to manage the utility's control system was accessible via the Internet. "The systems were configured with a remote access capability, utilizing a simple password mechanism; however, the authentication method was susceptible to compromise via standard brute forcing techniques," the report states.
An ICS-CERT investigation found that the system had been breached previously. The team worked with the utility's owners to evaluate the overall security of their infrastructure and to make practical recommendations for securing the control network.
"This incident highlights the need to evaluate security controls employed at the perimeter and ensure that potential intrusion vectors (ex: remote access) are configured with appropriate security controls, monitoring, and detection capabilities," the ICS-CERT report states.