Just as a good novel has themes, so too do the security challenges facing industrial control systems.
In a report recently issued by the Department of Homeland Security’s ICS-CERT (Industrial Control System Cyber Emergency Response Team), those themes revealed themselves to be poor authentication and a failure to protect Internet-accessible devices.
The report mentions three incidents in particular without naming any names. The first involved a public utility that was recently compromised when an attacker gained access to its control system network. After ICS-CERT was notified, it was confirmed that software used to administer the control system assets could be accessed through Internet-facing hosts. The systems were configured for remote access and required a password, but ICS-CERT found the systems were susceptible to common brute forcing techniques.
In a separate example, ICS-CERT responded to an organization that was attacked due to an unprotected, Internet-connected control system that was being used to operate a mechanical device. The final example involved a researcher’s discovery that an Internet-facing HVAC and Energy Management System (EMS) did not require authentication to access the control system.
“Upon investigation, ICS-CERT determined that a sophisticated threat actor had accessed the control system server (connected via a cellular modem) through a supervisory control and data acquisition (SCADA) protocol,” according to the ICS-CERT report. “The device was directly Internet accessible and was not protected by a firewall or authentication access controls. At the time of compromise, the control system was mechanically disconnected from the device for scheduled maintenance. ICS-CERT provided analytic assistance and determined that the actor had access to the system over an extended period of time and had connected via both HTTP and the SCADA protocol. However, further analysis determined that no attempts were made by the threat actor to manipulate the system or inject unauthorized control actions.”
That no attempts were made to manipulate the system is fortunate. But the issues underlying these examples appear to be at the heart of many of the vulnerability reports ICS-CERT received last year. Authentication flaws, a category that includes issues such as factory hard-coded credentials and weak authentication keys, were the most prevalent type of vulnerability for which the team coordinated disclosures in 2013. Overall, ICS-CERT received 181 vulnerability reports from researchers and industrial control system vendors. Of those, 177 were determined to be true vulnerabilities that involved coordination, testing and analysis. Eighty-seven percent of the vulnerabilities were exploitable remotely, while the remaining issues required local access to exploit.
“A fundamental recommendation for mitigating remotely exploitable vulnerabilities is to minimize network exposure and configure ICSs behind firewalls so they aren’t directly accessible and exploitable from the Internet,” according to the report. “Equally important is patching and updating ICS [industrial control system] devices as soon as practically possible, understanding that patches and upgrades must be properly tested by each asset owner/operator before being implemented in operational environments.”
“The public utility network compromise example from the ICS-CERT report is just another shot across the bow for organizations supporting the U.S.’s critical infrastructure,” said Mike Ellis, CEO of identity management vendor ForgeRock. “By all accounts, what was implemented by this public utility would be considered failing from a best practices perspective.”
“The unfortunate truth is that it’s a technology, people and processes problem,” he added. “More and more, we see that organizations are stretched to authenticate and authorize the voluminous number of identities connecting to the network, struggling to decipher between good and bad while security compromises continue to plague this sector.”
Air gaps help, but only if there are true air gaps, noted Jon Heimerl, senior security strategist at Solutionary. A network that allows wireless is not truly air-gapped, nor is a network that allows open use of thumb drives or other media.
“I worked in an environment [within the] U.S. intelligence community that included truly air-gapped environments, to the point where the wiring between the other network and the air-gapped network ran in different conduit and included different media, and different network gear – no virtual sharing of physical devices. Any media – CDs or thumb drives – is received from a vendor with that vendor’s guarantee of sterility, and the media is scanned on a standalone system which is only used to check media. If the air gap can be truly maintained, it is effective. However, they are hard to maintain, and rely on personnel to follow procedure.”
“The examples the ICS-CERT notice provides are pretty telling – externally facing systems providing unprotected remote access,” he added. “Most rational people would expect that to never happen, yet somehow, someone made a business decision that that was okay in these instances.”