Intruders appeared to simply watch and observe, made no attempt at sabotage

The U.S. Department of Homeland Security (DHS) this weekend disclosed in a newsletter aimed at security professionals that a "sophisticated threat actor" had penetrated a public utility's (water, sewer, power, gas, etc.) control network in recent months.
I. Two Major Breaches Detailed
The agency's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) writes in its tri-annual (Jan.-April) newsletter [PDF]:

A public utility was recently compromised when a sophisticated threat actor gained unauthorized access to its control system network. After notification of the incident, ICS-CERT validated that the software used to administer the control system assets was accessible via Internet facing hosts. The systems were configured with a remote access capability, utilizing a simple password mechanism; however, the authentication method was susceptible to compromise via standard brute forcing techniques.


A second incident is also described, involving an internet-connected "device" -- likely a control mechanism at a utility. ICS-CERT reports:

The second example involved an unprotected, Internet-connected, control system operating a mechanical device. Upon investigation, ICS-CERT determined that a sophisticated threat actor had accessed the control system server (connected via a cellular modem) through a supervisory control and data acquisition (SCADA) protocol. The device was directly Internet accessible and was not protected by a firewall or authentication access controls.

At the time of compromise, the control system was mechanically disconnected from the device for scheduled maintenance. ICS-CERT provided analytic assistance and determined that the actor had access to the system over an extended period of time and had connected via both HTTP and the SCADA protocol. However, further analysis determined that no attempts were made by the threat actor to manipulate the system or inject unauthorized control actions.

After the incident was resolved, ICS-CERT conducted an onsite cybersecurity assessment of its larger control environment to evaluate its security posture and make recommendations for further securing its remote access to its control network. This incident highlights the need for perimeter security and monitoring capabilities to prevent adversaries from discovering vulnerable ICSs and using them as targets of opportunity.

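The two conditions ICS-CERT describes above (repeated password guessing against an internet-facing remote-access host, and connections from outside the utility to a device speaking a SCADA protocol) can both be caught from ordinary logs. The following Python detector is an added illustration, not code from ICS-CERT or the article; the log format, hostnames, addresses, trusted ranges and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption: a simple key=value syslog-like format
# covering remote-access logins and inbound connections to control hosts).
SAMPLE_LOG = """\
2014-03-02T01:00:01 auth host=hmi-ra src=203.0.113.7 user=operator result=FAIL
2014-03-02T01:00:02 auth host=hmi-ra src=203.0.113.7 user=operator result=FAIL
2014-03-02T01:00:03 auth host=hmi-ra src=203.0.113.7 user=operator result=FAIL
2014-03-02T01:00:04 auth host=hmi-ra src=203.0.113.7 user=operator result=FAIL
2014-03-02T01:00:05 auth host=hmi-ra src=203.0.113.7 user=operator result=FAIL
2014-03-02T01:00:06 auth host=hmi-ra src=203.0.113.7 user=operator result=OK
2014-03-02T01:05:00 auth host=hmi-ra src=10.10.1.5 user=tech result=FAIL
2014-03-02T01:05:30 auth host=hmi-ra src=10.10.1.5 user=tech result=OK
2014-03-02T02:10:00 conn host=rtu-cell src=198.51.100.9 dport=20000 proto=tcp
2014-03-02T02:11:00 conn host=rtu-cell src=10.10.2.3 dport=20000 proto=tcp
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed trusted ranges
SCADA_PORTS = {20000, 502}   # DNP3/TCP and Modbus/TCP (assumed monitored ports)
FAIL_THRESHOLD, WINDOW = 5, timedelta(minutes=1)

def parse(line):
    """Split one log line into a dict of timestamp, event kind and fields."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    rec.update(f.split("=", 1) for f in fields)
    return rec

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def detect(log_text):
    """Return (alert_type, host, src) tuples for the two incident patterns."""
    alerts = []
    fails = defaultdict(list)   # (host, src) -> recent failure timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        if r["kind"] == "auth":
            key = (r["host"], r["src"])
            if r["result"] == "FAIL":
                fails[key] = [t for t in fails[key] if r["ts"] - t <= WINDOW]
                fails[key].append(r["ts"])
                if len(fails[key]) == FAIL_THRESHOLD:   # burst of guesses
                    alerts.append(("brute_force", r["host"], r["src"]))
            elif len(fails[key]) >= FAIL_THRESHOLD:     # success right after a burst
                alerts.append(("brute_force_success", r["host"], r["src"]))
        elif r["kind"] == "conn" and int(r["dport"]) in SCADA_PORTS \
                and not is_internal(r["src"]):
            alerts.append(("external_scada_conn", r["host"], r["src"]))
    return alerts
```

The sample yields one brute-force alert, the matching success-after-burst alert, and one external connection to the DNP3 port; the internal technician's single failed login and the internal DNP3 connection stay silent.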
In the case of both intrusions, the infiltrating party did no damage, merely seemed to snoop on the systems, perhaps as a test for more damaging future attacks.  China's People's Liberation Army (PLA) is, of course, a top suspect, despite its repeated denials of hacking U.S. networks.

Such intrusions are believed to be increasingly common, but are often not discussed in such explicit detail.
ICS-CERT typically only posts a boilerplate notice of intrusions, which lists the sector but not the specific company involved or details about the level of intrusion. Last year, 256 such incidents were reported. ICS-CERT's report states that it dealt with security intrusion issues at 20 power plants and public utilities. Among these was a pair of breaches at nuclear facilities.
It is rather rare for the federal government to offer such a detailed account of a breach in the wild, as it hurts consumer confidence in utilities, and in turn discourages utilities from sharing information about these kinds of intrusions with the government.
As Reuters reports:

Such cyber attacks are rarely disclosed by ICS-CERT, which typically keeps details about its investigations secret to encourage businesses to share information with the government. Companies are often reluctant to go public about attacks to avoid potentially negative publicity.

But the ICS-CERT appears to feel it is necessary to discuss this pair of breaches in more detail to highlight the growing threat to American infrastructure.
II. SCADA: Ticking Timebomb?
SCADA is a serial communications protocol commonly used in the power industry to remotely control and monitor mechanisms, such as pipeline valves.  It is also sometimes used to monitor and control heating, ventilation, and air-conditioning (HVAC) systems at large facilities such as airports.  The described incident hints that the breach occurred at yet another common use of SCADA connected devices -- manufacturing and fabrication.
Typically such applications are governed by the North American Electric Reliability Corp. (NERC), a nonprofit trade group responsible for setting standards for internet connected devices.  But in early February at the DISTRIBUTECH conference in San Antonio, Texas, security researchers Adam Crain and Chris Sistrunk reminded the audience that the NERC had not set strict security standards for SCADA.
The pair showed that the DNP3 master protocol stack had several vulnerabilities that would allow a remote attacker to seize control of a connected device.  Such a breach could allow an attacker to not only cut the device off from communication with the rest of the network, but also to gain full command and control capabilities.

A diagram of a SCADA-controlled water treatment network. [Image Source: Remote Pump Solutions]
Part of the presentation's tongue-in-cheek title -- "Serial Killer" -- alludes to the fact that such an intrusion could be used to turn plant robots against workers in a deadly sabotage plot. Alternatively, it could be used to black out a nation's power grid and fuel pipelines in a time of war.

Mr. Crain stated to the blog ThreatPost:

What’s different about our research is that most have focused on actual field devices—devices in substations or devices on poles—and 50 percent of our testing was on the master systems, things that communicate to all of the field devices and bring that data back to the operations center.  The difference is, if you had access, here you could knock out visibility to a whole system, hundreds of substations, by affecting one or two servers that are monitoring all of that.

[That said] we have not found anything that would suggest there is anything [inherently] wrong with the specification.  These are all bugs in implementations from various vendors. There were two vendors we tested out of the 30 products where we didn’t find any detectable vulnerabilities. So at this point, it’s possible to implement the standard without a security or robustness defect.

It's highly likely that the attackers in the breach used one of the vulnerabilities, especially since security researchers have published open source tools to "study" them with penetration testing.
III. FERC Wants More Power; Pentagon's Fuel Chain is Vulnerable
NERC is under pressure to implement new security guidelines for SCADA.  It will be up to NERC's supervisor agency -- the Federal Energy Regulatory Commission (FERC) -- to push action on the issue.
But currently FERC's attention is divided between regulatory actions and bureaucratic negotiations.  In mid-February FERC's acting chairman, Cheryl LaFleur, called on Congress to grant it "clear and direct authority" to take action to protect the nation's infrastructure against cyberattacks.  Currently that responsibility is divided between FERC, DHS, and a variety of other government agencies.
She stated:
This authority should include the ability to require action before a physical or cyber national security incident has occurred.
She also commented that granting the authority would not impact the current work to draft grid reliability standards, a process that takes "several months" to complete.  It is probable those standards include work to address vulnerabilities in the SCADA protocol.
Lastly, the ICS-CERT report cites a study from the U.S. Army War College's Strategic Studies Institute, which characterizes the Pentagon's supply networks as weak and vulnerable. The report -- "Hacks on Gas: Energy, Cybersecurity and U.S. Defense" -- was written by Christopher Bronk, a fellow in IT policy at Rice University's Baker Institute, and details the 2012 attacks on Saudi Arabian Oil Co. (Aramco), the world's largest oil producer and privately held company.
That attack successfully compromised 30,000 systems using what experts believe was possibly a modified version of the "Flame" malware.  Iran has accused the U.S. of using Flame in an attempt to infect and digitally "cripple" its oil industry.  Mr. Bronk's report suggests the Pentagon needs to beef up security for its fuel supply chain, or it could find itself crippled by the enemy during a war.

Sources: ICS-CERT newsletter [PDF], Digital Bond, Reuters, Threat Post
