So… Revolution has just been cancelled by NBC and now I will never know what the nanos had planned for us humans, or whether the electricity will ever come back on, or whether or not Monroe will ever get his republic back.
While the premise of this science fiction show was that tiny electricity-absorbing nanoprobes caused the power outages that brought on the apocalypse, it appears that isn't far from the truth when you look at some of the recent reports that hackers got into an undisclosed US public utility and gained access to the control systems which manage its infrastructure.
Think about that… The very systems which regulate whatever the utility produces or distributes – how much electricity, whether or not the water flows, maybe it was sewage controls. All of the modern conveniences we take for granted could be shut off, destroyed or otherwise rendered inoperable and the hackers not only had access to their controls once but apparently several times.
Now the question becomes… What did they do once they were in? To date, there have been no major disruptions in the United States in power or otherwise attributed to hackers, but that is of little solace.
Hackers will range from your average 12-year-old who might get his thrill from turning off the power to his school, to your more advanced persistent nation-state actor who takes the longer view, plants his malware and waits for an opportune time to activate the payload.
Password policies aside (the hackers were able to brute force their way in), what other security measures were in place? Did they have logging enabled? Was there a SIEM in place to correlate large volumes of security events? Do they continuously scan for vulnerabilities or perform configuration assessments (which by the way would have revealed the weak password policies)?
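The logging and SIEM questions above have a concrete shape: even without a full SIEM, a few lines of correlation over authentication logs would have shown the brute-force pattern the post describes. The following is an added example, not code from the original post or from Tripwire; it parses constructed, syslog-style sshd lines (the hostname, user names and RFC 5737 addresses are made up) and raises an alert when one source address accumulates a threshold of failures inside a time window, and a second, higher-severity alert when a login from that address then succeeds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in syslog/sshd format; not taken from any real system.
SAMPLE_LOG = """\
May 21 02:14:01 hmi01 sshd[2231]: Failed password for operator from 203.0.113.5 port 51234 ssh2
May 21 02:14:03 hmi01 sshd[2231]: Failed password for operator from 203.0.113.5 port 51235 ssh2
May 21 02:14:05 hmi01 sshd[2231]: Failed password for operator from 203.0.113.5 port 51236 ssh2
May 21 02:14:07 hmi01 sshd[2231]: Failed password for operator from 203.0.113.5 port 51237 ssh2
May 21 02:14:09 hmi01 sshd[2231]: Failed password for operator from 203.0.113.5 port 51238 ssh2
May 21 02:14:11 hmi01 sshd[2231]: Accepted password for operator from 203.0.113.5 port 51239 ssh2
May 21 02:20:00 hmi01 sshd[2300]: Failed password for engineer from 198.51.100.7 port 40001 ssh2
May 21 02:21:00 hmi01 sshd[2301]: Accepted password for engineer from 198.51.100.7 port 40002 ssh2
"""

# Matches the timestamp, outcome, user and source address of an sshd password event.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse(line, year=2014):
    """Return (timestamp, result, user, ip) for a matching line, else None.
    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Correlate failures per source address inside a sliding time window.

    Emits ("bruteforce_attempt", ip, user, n) once the threshold is reached and
    ("bruteforce_success", ip, user, n) if a success follows those failures.
    """
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ts, result, user, ip = ev
        recent = [t for t in failures[ip] if ts - t <= window]  # expire old failures
        if result == "Failed":
            recent.append(ts)
            failures[ip] = recent
            if len(recent) == threshold:  # fire once, when the threshold is crossed
                alerts.append(("bruteforce_attempt", ip, user, len(recent)))
        else:
            if len(recent) >= threshold:
                alerts.append(("bruteforce_success", ip, user, len(recent)))
            failures[ip] = []  # a success closes the episode for that address
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the operator account trips both alerts (five failures in under a minute, then a success from the same address), while the engineer's single typo followed by a success stays quiet. The same window-and-threshold logic is what a SIEM correlation rule expresses; the point of having logging enabled is that the raw events exist for something, however simple, to correlate.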
What did the hackers leave behind? Do they have effective change control and release management processes so they can distinguish good change from bad change? Do they even detect changes?
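Distinguishing good change from bad change starts with knowing that a change happened at all. The following is an added example, not code from the original post and not Tripwire's product: it builds a SHA-256 baseline of a directory tree, compares a later snapshot against it, and separates changes covered by an approved change record from those nobody asked for. The file names, contents and the "approved" set are constructed for the demo.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (as a '/'-separated relative path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def diff_baseline(old, new, approved=frozenset()):
    """Classify added/removed/modified files; 'approved' holds paths a change ticket covers."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    unapproved = sorted(p for p in added + removed + modified if p not in approved)
    return {"added": added, "removed": removed, "modified": modified,
            "unapproved": unapproved}


def demo():
    """Constructed scenario: take a baseline, apply one approved and one unapproved change."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "plc.conf"), "w") as f:
            f.write("setpoint=50\n")
        with open(os.path.join(root, "etc", "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\n")
        before = build_baseline(root)

        # Approved change: the setpoint edit is covered by a (hypothetical) change ticket.
        with open(os.path.join(root, "etc", "plc.conf"), "w") as f:
            f.write("setpoint=55\n")
        # Unapproved change: a new scheduled job appears that no ticket mentions.
        os.makedirs(os.path.join(root, "cron.d"))
        with open(os.path.join(root, "cron.d", "nightly"), "w") as f:
            f.write("0 2 * * * root /usr/local/bin/nightly\n")
        after = build_baseline(root)

        return diff_baseline(before, after, approved={"etc/plc.conf"})


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline must be stored somewhere the monitored host cannot rewrite it, and the "approved" set is only as good as the change-control process feeding it; the value of the comparison is precisely the residue left in `unapproved`, which is the list a security team reviews after an incident like the one above.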
Essentially, what tools do their ninjas in security have to fight off the barbarians at the gate? The Cyber Security Council provides a great starting point with its Top 20 controls for utilities to get a handle on improving their security posture. It even ranks them from most important to least important, although I would argue that Pen Testing is still important and even fun to a certain extent.
Now, in full disclosure, Tripwire as a company does have products that cover the first four controls in the Top 20 (inventory and secure software, inventory and secure hardware, secure configuration management, and vulnerability management) and can address large swaths of the rest as well, but there is still plenty for a ninja to do even if they have the first four controls covered.
I would rather the premise that massive, apocalypse-causing power outages remain in the realm of science fiction than manifest itself in the real world because some idiot uses “drowssap” as their login…
- DHS Confirms U.S. Public Utility’s Control System Was Hacked
- Locating ICS and SCADA Systems on .EDU Networks with SHODAN
- Fred Cohen on Simplifying Security Assessments for Critical Infrastructure
- Where Do You Stand with NERC CIP v5?
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock