Dire warnings don’t yield better critical infrastructure security

The warnings of possible catastrophic cyberattacks on critical infrastructure in the U.S. have been issued for more than a decade. They were frequent and insistent in 2012, from high-ranking government officials and others.

Outgoing U.S. Secretary of Defense Leon Panetta warned in a speech in New York last October that cyberattacks by a hostile nation-state on critical infrastructure like transportation, water supply or the electric grid could amount to a “cyber Pearl Harbor.” He also said the U.S. was at “a pre-9/11 moment.”

It wasn’t just patriotic American officials either. A video obtained by the FBI in 2011, purportedly from al Qaeda, exhorted al Qaeda followers – the “covert Mujahidin” – who have the skill to commit “electronic jihad” — to launch cyberattacks on U.S. and other Western targets. 

But the Department of Homeland Security (DHS) says that despite  those warnings, the peril remains — thousands of domestic industrial control systems (ICS) remain vulnerable.

Some security experts have said that Panetta and others are going overboard with comparisons to acts of war or terror that leave thousands dead. Bruce Schneier, an author and chief security technology officer at BT, has said more than once that, “throughout history, the definition of a ‘major war’ has involved casualties in the hundreds of thousands. That means dead people.”

[See also: Best defense against cyberattacks is good offense, says former DHS official]

However, Schneier and others agree that there are real risks. And the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which operates within DHS, said operators of ICS many times don’t even know if their systems are infected, don’t have effective security barriers in place and don’t have backups for critical systems.

The agency’s Monthly Monitor, covering October-December 2012, also reported that two researchers, “using only their wits, an extensive list of control systems related search terms, a paper clip, and the Internet-facing device search engine SHODAN,” compiled a list of about 500,000 devices with predicted control systems impact.

Bob Radvanovsky and Jake Brodsky of InfraCritical began what they called Project SHINE (SHodan INtelligence Extraction) last April, and presented their findings in October at the ICS Cyber Security Conference in Norfolk, Virginia.

ICS-CERT said it was able to prune that list down to about 98,000 IP addresses in the U.S., and cut it further to about 7,200 across the nation that it said were directly connected to critical control devices.

But the significance of the project was clear: Using freely available tools, the researchers exposed a significant attack surface — an average of 144 entry points per state — reachable from the public Internet.

The report also profiled a couple of unnamed utility operators that were not following even the most basic security protocols. In one case, an employee at a power generation facility had infected several workstations, two of the critical to the operation, with malware from a USB drive.

“Detailed analysis was conducted as these workstations had no backups, and an ineffective or failed cleanup would have significantly impaired their operations,” the report said. “The organization also … had no backups for the two engineering workstations. Those workstations were vital to the facility operation and, if lost, damaged, or inoperable, could have a significant operational impact.”

A USB drive was also the problem in the second case, involving a power company’s turbine control system. “Unknown to the technician, the USB-drive was infected with crimeware. The infection resulted in downtime for the impacted systems and delayed the plant restart by approximately 3 weeks,” the report said.

Scott Greaux, vice president, product management and services at PhishMe, said those anecdotes are evidence that some continue to think they’re not at risk, giving way to easier compromises. “This mentality is creating even more vulnerability,” he said. “Companies can’t remain complacent about their controls or training.”

ICS-CERT, included a list of recommended best practices in its report that amount to what most security experts call “Security 101,” designed to “maintain a minimal Internet-facing footprint.”

They include: Don’t let control system devices directly face the Internet; put firewalls in front of control system networks and devices, and isolate them from the business network; use Virtual Private Networks (VPNs) for remote access; remove, disable, or rename any default system accounts wherever possible; require strong passwords; monitor the creation of administrator level accounts by third-party vendors and; make sure the most recent security updates are installed.

Greaux said if devices do need to face the Internet, additional controls on their network to identify suspicious behavior is key. “Tracking is also key… lots of organization don’t track and revalue,” he said. “There also needs to be periodic revaluation.”

“Criminals are constantly updating their attack methods, so companies and government agencies must do the same,” he said.