Central body puts officials on notice over Heartbleed

In a potential cyber attack, hackers can control the power generation and they can stop power production remotely.

Update: 2017-04-19 20:29 GMT
The two-day energy ministers' conference scheduled for April 28-29 by the Union power ministry will discuss the cyber attack threat to power plants in India.

Hyderabad: Power plants across the country are threatened by cyber attacks that could disrupt their functioning in a big way. The National Security Council (NSC) has warned the energy department that the Heartbleed bug is one of the biggest internet security flaws ever unearthed.

This comes at a time when the Union energy department is adopting the latest digital technology to control the power system. The two-day energy ministers’ conference scheduled for April 28-29 by the Union power ministry will discuss the cyber attack threat to power plants in India.

There were 111 cyber incidents reported by the energy sector during the six months ending May 2013, compared to about 81 incidents reported in the preceding 12 months, according to the cyber emergency response team.

A three-pronged action plan has been proposed by the NSC to counter the threat and keep safe the power sector. It includes the migration of power plants to the next generation, and the introduction of smart cities.

The Indian power sector is currently migrating to the next generation IP-based industrial control systems, including Super-visory Control and Data Acquisition (SCDA) systems and smart metering solutions.

Experts say as the country migrates to the next generation systems it needs to put cyber security considerations at the forefront.

In a potential cyber attack, hackers can control the power generation and they can stop power production remotely.

Hackers are increasingly targeting critical infrastructure around the world the most targeted sector worldwide was energy, accounting for 41 per cent of reported events in 2013, followed by water at 15 per cent.

They said that India is in the early stages of introducing new technology and should adopt good processes and practices to ensure the cyber security of its next generation networks.

WHAT IS HEARTBLEED?

  • The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
  • SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

WHEN WAS IT DISCOVERED?

  • The bug was discovered by Neel Mehta of Google’s security team. He secretly reported Heartbleed on April 1, 2014.
  • A couple of days later, an engineer at Finnish cybersecurity company Codenomicon found the bug independently and named at Heartbleed and also created the bleeding heart logo.

HOW DOES IT WORK?

  • This flaw was found only in SSL. For accessing websites which use the SSL technology, the computer needs to communicate to the server by sending “heartbeats” — used to inform the server that the computer is online (alive). After receiving the heartbeat, the server dispatches data to the computer.
  • Heartbleed bug compromises the security of the information exchange, which happen between the computer and client, and allows cyber criminals to extract sensitive data from the server.
  • Using this bug, cyber attackers can obtain the private encryption key for an SSL/TLS certificate and could set up a fake website that passes the security verification.

WHAT DOES IT DO?

  • The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.
  • This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.
  • This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

HOW TO STOP THE LEAK?

  • As long as the vulnerable version of OpenSSL is in use, it can be abused. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

Similar News