Engineering firm exposes SCIF plans and power vulnerability reports

Misconfigured Rsync server fixed within hours after discovery

Chris Vickery, Director of Cyber Risk Research at UpGuard, Inc. says that a misconfigured Rsync server maintained by Power Quality Engineering, Inc. (PQE) exposed client information pertaining to critical infrastructure for the City of Austin, as well as other private entities including Dell, Oracle, Texas Instruments, and more.

"My initial thoughts [were]," Vickery explained, "especially in light of the recent coverage regarding malicious actors targeting electrical grid components, that this would be a gold mine for a malicious actor wanting to disrupt potential electrical network situations."

"I quickly hunted down the cellphone number from within the dataset of one of the executives of [PQE] and got approval to make the contact pretty fast. I knew that [the exposed files] shouldn't sit there for longer than necessary," he added.

PQE, based in Cedar Park, Texas, offers "mechanical, electrical and plumbing engineering, as well as planning, design and maintenance for all types of power systems and facilities."

On July 6, 2017, after scanning the internet for publicly available Rsync services, Vickery discovered the PQE data, including both internal and client records. The records were secured two days later after Vickery contacted PQE, but prior to that  anyone who connected to the IP and port directly could've downloaded the records for themselves.

power assessment example Chris Vickery

The files Vickery discovered included schematics that highlighted "potential weak points and trouble in customer electrical systems," a report from UpGuard shared with Salted Hash explains.

leaked SCIF details Chris Vickery

Moreover, the schematics revealed the specific locations and configurations of Sensitive Compartmented Information Facilities – or SCIFs. Vickery shared a number of screenshots of SCIF plans with Salted Hash including one that came from the client folder of Dell.

leaked SCIF details Chris Vickery

"The exposure of the location and configuration of a SCIF could have provided malicious actors with a target for stealing classified information," the UpGuard report said.

Salted Hash reached out to Dell for comment. In a statement, Dell explained that SCIFs are common for government contractors, but added: "Although a version of an outdated plan was exposed, Dell has no current plan for the construction of a SCIF."

According to the report from UpGuard, the City of Austin folder contained "schematics of solar fields, electrical gap analyses, proposals for future construction, inspection reports of aviation breakers at local airfields, maintenance reports for municipal fuel systems," and a report detailing risk characterizations tables and schematics for Austin Energy / Sand Hill Energy Center.

In addition to Dell, Salted Hash also reached out to PQE and Austin Energy for comment, since those were the entities that Vickery spoke to us about directly.

In a statement, Elaina Ball, Austin Energy Deputy General Manager and Chief Operating Officer, confirmed the PQE leak, noting that a supplier's IT system had "security issues and was accessed by a third party in some way."

"We are working with them closely to determine what information, if any, was obtained. Our conversations with the supplier indicate that no customer information was compromised. It’s important to note there was no breach of Austin Energy’s IT systems," the statement stated.

Among the clients listed by PQE on their website - SBC (AT&T), Oracle, National Semiconductor, Exodus, Applied Materials, Solectron, and Philips were all present in the screenshot of the PQE client folder shared by Vickery.

As for the internal PQE documents, the exposed folders contained a number of sensitive items including non-disclosure agreements, supplier qualification forms, purchase orders, and plaintext PQE passwords (computer stuff.docx).

One of the passwords was related to the GoDaddy web hosting used by PQE, exposing the possibility of an actor simply taking control over the firm's domain and using it however they pleased.

Lessons to learn:

Configuration errors are a problem, and while they are preventable, change management isn't always an easy process for organizations. But starting on the right foot can prevent a lot of headaches in the long-term, this includes making sure that Rsync isn't publicly available.

This can be done by using normal Rsync directives (auth users, strict mode, allow/deny), as well as ACLs on the firewall.

The big fear is that a malicious actor could have used the exposed data to launch an attack (physical, online, or both) directed at PQE's clients. This wouldn't be the first time a third-party was used in such a way either; the Target breach, one of the largest data breaches on record, started because a third-party HVAC vendor was compromised.

Earlier this year, Target said they will pay $18.5 million in a multistate settlement to resolve investigations in 47 states and the District of Columbia.

During the Black Hat conference in Las Vegas, CSO spoke with two experts about ICS threats, including locating sensitive information online due to misconfigurations and general OSINT research.

The data these two discovered is startling and could be used against organizations responsible for maintaining critical infrastructure in the U.S. The video below is that conversation in full.

Copyright © 2017 IDG Communications, Inc.

How to choose a SIEM solution: 11 key features and considerations