Infosec experts speak out on natural gas pipeline attacks

Not long after I wrote about the cyberattacks against natural gas pipelines in the U.S., three infosec experts shared their thoughts on the matter. Here's what they had to say:

Eric Chiu, president and founder of HyTrust, a cloud infrastructure control company: “Attacking critical commercial and public infrastructure is nothing new, unfortunately, and seeing attempts to gain access into critical national infrastructure highlights the need to secure access with technologies and processes that will prevent undesirable incidents. The need for this is compounded as organizations move critical infrastructure and applications to the cloud, where -- in the wrong hands -- cloud and/or virtualized data can be copied, deleted, and/or moved from anywhere on the globe virtually undetected. Individual identity can be secured with today's technologies to allow fine-grained control around access, privilege, and policy enforcement, not to mention after-the-fact logging and reporting. The use of third-party solutions for virtualization security is also critical because it provides an additional layer of protection. In the event that a hypervisor is compromised, external tools can still enforce access controls.”

Kapil Raina, director of product marketing at Zscaler: “Most likely these attacks have been launched via a vulnerability of a SCADA system. SCADA system attacks have been seen in the wild for quite some time now with the most prominent being the Stuxnet attack. Since SCADA includes support for TCP/IP protocols and remote operations, this can open them up for a wide range of attacks originated from anywhere. The most effective attacks would target the controller of the programmable logic controller (PLC) layer as they are programmed to directly monitor and control physical plant operations. In addition, most of the PLC activities are run in a supervisory level, allowing them full access to plant functions. The biggest fear would be a coordinated attack on several facilities which would trigger automatic responses at other facilities, potentially causing a chained effect – similar to an electrical blackout but with more severe consequences. Given that natural gas prices are near a record floor, the attack could have other effects including driving up the price of natural gas dramatically and creating financial market turmoil – above and beyond the immediate infrastructure failure/destruction.”

Brian Contos, senior director and customer security strategist at McAfee: “Gleaning intelligence to ascertain empirical information regarding actors, attacks, and even motives is increasingly common. Organizations have been doing this for years with honeypots and related investigative controls. Many organizations within the public sector have been engaging in what is called cyber readiness, which boils down to having holistic operational visibility for more rapid threat acquisition and response. For this to be effective a heightened level of intelligence is required. What we thought kept us secure the last 20 years won't keep us secure the next; as the enemy matures and adapts so must we.”

A reminder of what has happened:

The latest incident response report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) -- part of DHS -- warns of an ongoing cyberattack against the computer networks of US natural gas pipeline companies. ICS-CERT says it first identified an active series of cyber intrusions targeting natural gas pipeline sector companies in March. Various sources provided information to ICS-CERT describing targeted attempts and intrusions into multiple natural gas pipeline sector organizations, the report says. Analysis of the malware and characteristics of the attacks link it back to a single campaign, ICS-CERT added.

Here's the rest of the alert:

The campaign appears to have started in late December 2011 and is active today. Analysis shows that the spear-phishing attempts have targeted a variety of personnel within these organizations; however, the number of persons targeted appears to be tightly focused. In addition, the e-mails have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization.

ICS-CERT has issued an alert (and one update) to the US-CERT Control Systems Center secure portal library and also disseminated them to sector organizations and agencies to ensure broad distribution to asset owners and operators. While ICS-CERT strives to make as much information publicly available as possible, the indicators in these alerts are considered sensitive and cannot be disseminated through public or unsecure channels.

ICS-CERT is currently engaged with multiple organizations to identify the scope of infection and provide recommendations for mitigating it and eradicating it from networks. ICS-CERT has conducted a series of briefings across the country to share information related to the intrusion activity with asset owners/operators. ICS-CERT will continue to work with private sector and government partners to respond to this and other cyber threats.

Asset owners/operators who would like access to the portal or to the alerts can contact ICS-CERT at ics-cert@hq.dhs.gov. Alternatively, they can work with their sector Information Sharing and Analysis Center (ISAC) or sector source for cyber alerts and information sharing to obtain the ICS-CERT Alerts.
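The alert above describes spear-phishing e-mails crafted to look as though they came from a trusted insider. As an added example (not part of the original article or of the ICS-CERT alert), the following Python check flags messages whose From: address claims the organization's own domain but which entered the mail system from an external relay, or whose Reply-To: diverts replies to an outside domain. The domain, the internal address ranges and the two sample messages are constructed assumptions.

```python
import email
import email.utils
import ipaddress
import re

# Constructed assumptions: the organization's own mail domain and the
# address ranges of its own mail relays and workstations.
INTERNAL_DOMAIN = "example-pipeline.test"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def _addr_domain(header_value):
    """Domain part of the first address in a header, lowercased ('' if none)."""
    _, addr = email.utils.parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _origin_ip(msg):
    """First non-internal IP in the delivery path, or None if all hops are internal.

    Each relay prepends its own Received: header, so the bottom-most header is
    the earliest hop; walking upwards finds where the message entered.
    """
    for received in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(received)
        if m and not any(ipaddress.ip_address(m.group(1)) in n for n in INTERNAL_NETS):
            return m.group(1)
    return None

def spoofed_internal_sender(raw):
    """Return the reasons a message looks like an internal-sender lure ([] if clean)."""
    msg = email.message_from_string(raw)
    reasons = []
    if _addr_domain(msg["From"]) == INTERNAL_DOMAIN:
        origin = _origin_ip(msg)
        if origin:  # note: legitimate mail sent from outside the network also trips this
            reasons.append(f"From claims {INTERNAL_DOMAIN} but entered from external {origin}")
        reply_domain = _addr_domain(msg["Reply-To"])
        if reply_domain and reply_domain != INTERNAL_DOMAIN:
            reasons.append(f"Reply-To points to external domain {reply_domain}")
    return reasons

# Constructed sample messages: a lure posing as a colleague, and a genuine internal mail.
SAMPLE_LURE = """Received: from mail.attacker.test (mail.attacker.test [203.0.113.5])
\tby mx.example-pipeline.test with ESMTP; Wed, 4 Jan 2012 09:12:00 -0500
From: "J. Operator" <j.operator@example-pipeline.test>
Reply-To: j.operator@webmail-attacker.test
To: scada-engineer@example-pipeline.test
Subject: Updated pipeline monitoring procedure

Please review the attached procedure before Friday.
"""
SAMPLE_INTERNAL = """Received: from ws-0042.example-pipeline.test ([10.20.30.40])
\tby smtp.example-pipeline.test with ESMTP; Wed, 4 Jan 2012 09:15:00 -0500
From: "J. Operator" <j.operator@example-pipeline.test>
To: scada-engineer@example-pipeline.test
Subject: Shift handover notes

Nothing unusual on the overnight shift.
"""
```

Run `spoofed_internal_sender(SAMPLE_LURE)` to see both findings; the genuine internal message returns an empty list.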

Copyright © 2012 IDG Communications, Inc.
