Yikes, ICS-CERT reminds public utilities about dangers of remote access without firewall

The Industrial Control Systems Cyber Emergency Response Team, a mouthful better known as ICS-CERT, released ICS-CERT Monitor covering January through April 2014. If the people running critical infrastructure actually need to be asked the series of questions that start the report (pdf), then that’s alarming.

Is your control system accessible directly from the Internet? Do you use remote access features to log into your control system network? Are you unsure of the security measures that protect your remote access services? If your answer was yes to any or all these questions, you are at increased risk of cyber attacks including scanning, probes, brute force attempts and unauthorized access to your control environment.

The web has plenty of how-to’s about finding Internet-facing control systems via SHODAN, Google, and lists of devices vulnerable to Heartbleed or other flaws. ICS-CERT mentions cyber incidents that were due to weak network configurations.

A public utility was compromised after a “sophisticated threat actor” brute-forced the password used for remote access authentication. Forensic analysis determined the public utility’s systems “were likely exposed to numerous security threats and previous intrusion activity.”

The second example involved an unprotected, Internet-connected, control system operating a mechanical device. Upon investigation, ICS-CERT determined that a sophisticated threat actor had accessed the control system server (connected via a cellular modem) through a supervisory control and data acquisition (SCADA) protocol. The device was directly Internet accessible and was not protected by a firewall or authentication access controls. At the time of compromise, the control system was mechanically disconnected from the device for scheduled maintenance.

ICS-CERT provided analytic assistance and determined that the actor had access to the system over an extended period of time and had connected via both HTTP and the SCADA protocol. However, further analysis determined that no attempts were made by the threat actor to manipulate the system or inject unauthorized control actions.

ICS-CERT rehashed the vulnerabilities found in 2013, including the fact that of 177 “true vulnerabilities,” 87% were exploitable remotely. Nearly 65% of the flaws were ranked as high-priority vulnerabilities. A “fundamental recommendation” for mitigation was to “configure ICSs behind firewalls” to eliminate exploitability, followed by the suggestion to keep patches updated. When you also consider that about 300 medical devices had hard-coded passwords, it’s another alarming reminder about the overall state of ICS security in 2013.

The report points out the obvious, “Most of us lock our front doors when we leave the house. It is a simple way to increase the security of our home. In the same way, there are basic steps that should be taken to secure control systems.” Then it lists vulnerabilities and weaknesses identified by the assessment team, such as weak passwords, poor patch management and nonexistent firewalls.

ICS-CERT decided to tackle network design weaknesses under “situational awareness” by specifically addressing how “segmenting and implementing a demilitarized zone (DMZ) adds security by limiting the communication paths on the network.” When configured properly with the “most restrictive communications paths,” DMZ can thwart attackers from accessing control systems even if the business network is compromised.

ICS-CERT plans to cover more defense-in-depth strategies for cybersecurity in the next Monitor.

The next segment of the report covers the Enhanced Cybersecurity Services (ECS) program in which participation is “voluntary and designed to protect government intelligence, corporate information security and the privacy of participants while enhancing the security of critical infrastructure.”

The next section is about how ICS-CERT is releasing actionable threat information through the DHS-sponsored STIX (Structured Threat Information eXpression) format.

Take out 9 substations and the U.S. grid goes dark for 18 months

In other critical infrastructure news…

There are over 55,000 electric transmission substations in the U.S., but a leaked internal Federal Energy Regulatory Commission (FERC) memo claimed, “Destroy nine interconnection substations and a transformer manufacturer and the entire United States grid would be down for at least 18 months, probably longer.” Former FERC Chairman Jon Wellinghoff told The Wall Street Journal, “There are probably less than 100 critical high voltage substations on our grid in this country that need to be protected from a physical attack. It is neither a monumental task, nor is it an inordinate sum of money that would be required to do so.”

This sparked a flurry of questions from lawmakers during a committee hearing in April, titled “Keeping the lights on – are we doing enough to ensure the reliability and security of the U.S. electric grid?” The Senate Energy and National Resources Committee released FERC’s replies on Friday. The eight documents with responses (located at the bottom of the page) deal more with the leak and WSJ sources than actually shoring up security to protect the grid.

Download the ICS-CERT Monitor Jan. – April 2014 here.

Like this? Here’s more posts:

• Hacking hotels, shells, cellphones, cars and more mischief coming to Black Hat
• Judge to Microsoft: Hand over cloud data no matter where in the world it is stored
• Targeted ads that track how and where you drive are coming to connected cars
• New NSA Chief expects attacks attempting to damage, destroy critical infrastructure
• Huge demand for NSA-proof email: ProtonMail uses a month’s server capacity in 3 days
• Smart toilet spying on health is a hoax, but is there privacy in a public potty?
• No reasonable expectation of privacy when third parties cross the creepy line?
• Over 70% of energy and financial firms say cyberattacks coming within 12 months
• Microsoft shares 2 cybersecurity papers to protect infrastructure and supply chain

Follow me on Twitter @PrivacyFanatic