The US Department of Homeland Security and its Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, issued a report this week (PDF) confirming several recent attacks.
Public Utility Compromised – Weak Password
The report on first-quarter 2014 incidents shared details on an unnamed public utility that was recently breached by a sophisticated threat actor who gained unauthorized access to its control system network. The software the utility used to administer its control system assets was found to be accessible through its Internet-facing hosts.
These systems were configured for remote access with a simple password mechanism, and the authentication method was susceptible to typical brute-force techniques. ICS-CERT analyzed available network logs and host-based forensics and determined that:
- The systems were likely exposed to a number of security threats
- Previous intrusion activity was also identified
- Recommendations were to ensure that potential attack vectors such as remote access are configured with appropriate security controls, monitoring, and detection capabilities.
Internet-accessible Control System Hacked
A second incident, with no details given on the industry or company involved, occurred when a sophisticated threat actor used a cellular modem to access the control system server through a supervisory control and data acquisition (SCADA) protocol, which is typically weak. There was no firewall or authentication access control, so the device was directly Internet accessible.
Luckily, the control system turned out to be mechanically disconnected from the device for scheduled maintenance, but the hacker apparently had access to the system for an extended period of time and had connected through both HTTP and SCADA protocols. ICS-CERT determined that no attempts had been made to manipulate the system or inject unauthorized control actions.
“This incident highlights the need for perimeter security and monitoring capabilities to prevent adversaries from discovering vulnerable ICSs and using them as targets of opportunity,” ICS-CERT’s report stated.
Are you very surprised? I’ve been surprised it’s taken this long to have news and analysis of a utility being hacked. Actually, it’s rare for such breaches to be identified by utilities and even rarer for the government to publicly disclose them. But then again it’s got to be going on everywhere given the state of security in the energy sector. Reuters reported that “Last year ICS-CERT responded to 256 cyber incident reports, more than half of them in the energy sector.”
Utility Companies Particularly Vulnerable to Cyber Threat
The US government has warned for over a decade that critical infrastructure such as power, water, oil, and natural gas are at risk of cyber attack. Utility companies’ vulnerability to cyber threats has been a particular worry for the electric grid.
Power companies use SCADA networks to control their systems. “SCADA networks are made to keep the grid completely efficient, but not necessarily secure,” according to Daily Tech.
Among a variety of reasons (one being that many SCADA systems were built before today’s cyber security concerns even existed), many of these industries have not been rigorous about assessing their security risks. In the power and electricity sectors, they have one primary directive – the reliable delivery of energy.
Security and cyber risk have been recent additions to their priorities, and not all are equipped to assess and correct configuration mistakes and vulnerabilities. “ICS-CERT strongly encourages taking immediate defensive action to secure ICSs by using defense-in-depth principles. Audit your networks for Internet facing devices, weak authentication methods, and component vulnerabilities.”
ICS-CERT also recommends users take defensive measures to minimize risk of exploitation:
- Minimize network exposure for all control system devices. In general, locate control system networks and devices behind firewalls and isolate them from the business network
- When remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices
- Remove, disable or rename any default system accounts wherever possible
- Implement account lockout policies to reduce the risk from brute forcing attempts
- Establish and implement policies requiring the use of strong passwords
- Monitor the creation of administrator level accounts by third-party vendors
- Apply patches in the ICS environment, when possible, to mitigate known vulnerabilities
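As an added illustration (not from the ICS-CERT report or this article), the following Python sketch shows the kind of monitoring the account-lockout and remote-access recommendations above call for: it scans constructed remote-access login records, raises an alert when one source exceeds a failure threshold inside a time window, and flags any later success from that source. The log format, field names and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in an assumed "timestamp login user= src= result=" format;
# 203.0.113.5 hammers several accounts and then gets in, 198.51.100.7 is a normal user.
SAMPLE_LOG = """\
2014-03-02T01:00:01 login user=operator src=203.0.113.5 result=FAIL
2014-03-02T01:00:03 login user=operator src=203.0.113.5 result=FAIL
2014-03-02T01:00:04 login user=admin src=203.0.113.5 result=FAIL
2014-03-02T01:00:06 login user=admin src=203.0.113.5 result=FAIL
2014-03-02T01:00:07 login user=root src=203.0.113.5 result=FAIL
2014-03-02T01:00:09 login user=admin src=203.0.113.5 result=OK
2014-03-02T01:05:00 login user=operator src=198.51.100.7 result=FAIL
2014-03-02T01:25:00 login user=operator src=198.51.100.7 result=OK
"""

LINE_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) result=(OK|FAIL)$")

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, src, timestamp, user) tuples.
    'bruteforce' fires once when a source reaches `threshold` failures within
    `window` (the same condition a lockout policy would enforce);
    'success_after_bruteforce' fires for any later successful login from that source."""
    fails = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = set()              # sources already reported
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # ignore lines that do not match the assumed format
        ts = datetime.fromisoformat(m.group(1))
        user, src, result = m.group(2), m.group(3), m.group(4)
        if result == "FAIL":
            q = fails[src]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, ts, None))
        elif src in flagged:
            alerts.append(("success_after_bruteforce", src, ts, user))
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

A real deployment would feed the detector from the remote-access server's authentication log and tie the same threshold to the lockout policy so that alerting and blocking agree.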
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].