"Serial Killer?" DHS Reports Penetration of Utility, Manufacturing Networks
May 21, 2014 7:58 AM
Intruders appeared to simply watch and observe, made no attempt at sabotage
The U.S. Department of Homeland Security (DHS) this weekend disclosed in a newsletter aimed at security professionals that a "sophisticated threat actor" had penetrated a public utility's (water, sewer, power, gas, etc.) control network in recent months.
I. Two Major Breaches Detailed
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) writes in its tri-annual (Jan.-April) newsletter:
A public utility was recently compromised when a sophisticated threat actor gained unauthorized access to its control system network. After notification of the incident, ICS-CERT validated that the software used to administer the control system assets was accessible via Internet facing hosts. The systems were configured with a remote access capability, utilizing a simple password mechanism; however, the authentication method was susceptible to compromise via standard brute forcing techniques.
A second incident is also described, involving an internet-connected "device" -- likely a control mechanism at a utility. ICS-CERT reports:
The second example involved an unprotected, Internet-connected, control system operating a mechanical device. Upon investigation, ICS-CERT determined that a sophisticated threat actor had accessed the control system server (connected via a cellular modem) through a supervisory control and data acquisition (SCADA) protocol. The device was directly Internet accessible and was not protected by a firewall or authentication access controls.
At the time of compromise, the control system was mechanically disconnected from the device for scheduled maintenance. ICS-CERT provided analytic assistance and determined that the actor had access to the system over an extended period of time and had connected via both HTTP and the SCADA protocol. However, further analysis determined that no attempts were made by the threat actor to manipulate the system or inject unauthorized control actions.
After the incident was resolved, ICS-CERT conducted an onsite cybersecurity assessment of its larger control environment to evaluate its security posture and make recommendations for further securing its remote access to its control network. This incident highlights the need for perimeter security and monitoring capabilities to prevent adversaries from discovering vulnerable ICSs and using them as targets of opportunity.
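The first incident above turned on an Internet-facing remote-access service whose simple password mechanism was susceptible to brute forcing, and ICS-CERT closes by calling for monitoring capabilities. The following is an added example (not ICS-CERT's or the utility's code) of the check a monitoring pipeline would run over remote-access authentication logs: it flags a source that accumulates repeated failures inside a time window, records how many distinct accounts that source tried (so password spraying across accounts is caught as well as guessing against one), and raises a second, higher-severity alert if the same source then authenticates successfully. The log format and the sample lines are constructed for this example, and the addresses come from documentation ranges.

```python
"""Brute-force detection over remote-access authentication logs.

Added example. The log format below is constructed for illustration and does
not correspond to any particular remote-access product.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO-8601 timestamp> remote-access auth <success|failure> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) remote-access auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source cycles through accounts and eventually gets in;
# a second source is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2014-05-10T02:00:01 remote-access auth failure user=admin src=203.0.113.7
2014-05-10T02:00:03 remote-access auth failure user=admin src=203.0.113.7
2014-05-10T02:00:05 remote-access auth failure user=operator src=203.0.113.7
2014-05-10T02:00:08 remote-access auth failure user=operator src=203.0.113.7
2014-05-10T02:00:11 remote-access auth failure user=scada src=203.0.113.7
2014-05-10T02:00:14 remote-access auth failure user=scada src=203.0.113.7
2014-05-10T02:00:20 remote-access auth success user=scada src=203.0.113.7
2014-05-10T08:15:00 remote-access auth failure user=jsmith src=198.51.100.4
2014-05-10T08:15:30 remote-access auth success user=jsmith src=198.51.100.4
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Return a list of alert tuples, in the order the evidence appears.

    ("burst", src, failures, distinct_users) once a source reaches `threshold`
        failed logins inside `window`;
    ("success_after_burst", src, user) when that same source then logs in
        successfully before its failures have aged out of the window.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) for failures in window
    bursting = set()             # sources that have already triggered a burst alert
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, q = ev["src"], recent[ev["src"]]
        # Slide the window: drop failures older than `window` relative to this event.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if not q:
            bursting.discard(src)
        if ev["result"] == "failure":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append(("burst", src, len(q), len({user for _, user in q})))
        else:
            if src in bursting:
                alerts.append(("success_after_burst", src, ev["user"]))
            # A successful login ends the attempt sequence for this source.
            q.clear()
            bursting.discard(src)
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_brute_force(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, the first source trips the burst alert at its fifth failure (three distinct accounts tried) and then the success-after-burst alert when it finally logs in; the single mistyped password from the second source produces nothing. The threshold and window are deliberately parameters: a remote-access service that is reachable from the Internet, as in the incident, should have them tuned low enough that a slow guess rate is still caught.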
In the case of both intrusions, the infiltrating party did no damage, merely seeming to snoop on the systems, perhaps as a test for more damaging future attacks. China's People's Liberation Army (PLA) is, of course, a top suspect, despite its repeated denials of hacking U.S. networks.
Such intrusions are believed to be increasingly common, but are often not discussed in such explicit detail.
ICS-CERT typically only posts a boilerplate notice of intrusions, which lists the sector but not the specific company involved or details about the level of intrusion. Last year, 256 such incidents were reported. ICS-CERT's report states that it dealt with security intrusion issues at 20 power plants and public utilities. Among these was a pair of breaches at nuclear facilities.
It is rather rare for the federal government to offer such a detailed account of a breach in the wild, as it hurts consumer confidence in utilities, and in turn discourages utilities from sharing information about these kinds of intrusions with the government.
Such cyber attacks are rarely disclosed by ICS-CERT, which typically keeps details about its investigations secret to encourage businesses to share information with the government. Companies are often reluctant to go public about attacks to avoid potentially negative publicity.
But the ICS-CERT appears to feel it is necessary to discuss this pair of breaches in more detail to highlight the growing threat to American infrastructure.
II. SCADA: Ticking Timebomb?
is a serial communications protocol commonly used in the power industry to remotely control and monitor mechanisms, such as pipeline valves. It is also sometimes used to monitor and control heating, ventilation, and air-conditioning (HVAC) systems at large facilities such as airports. The described incident hints that the breach occurred at yet another common use of SCADA-connected devices -- manufacturing and fabrication.
Typically such applications are governed by the North American Electric Reliability Corp. (NERC), a nonprofit trade group responsible for setting standards for internet-connected devices. But in early February, at a conference in San Antonio, Texas, security researchers Adam Crain and Chris Sistrunk reminded the audience that NERC had not set strict security standards for SCADA.
The pair showed that the DNP3 master protocol stack had several vulnerabilities that would allow a remote attacker to seize control of a connected device. Such a breach could allow an attacker to not only cut the device off from communication with the rest of the network, but also to gain full command and control capabilities.
A diagram of a SCADA-controlled water treatment network. [Image Source: Remote Pump Solutions]
A part of the presentation's tongue-in-cheek title -- "Serial Killer" -- alludes to the fact that such an intrusion could be used to turn plant robots against workers in a deadly sabotage plot. Alternatively it could be used to black out a nation's power grid and fuel pipelines in a time of war.
One of the researchers stated to a blog:
What’s different about our research is that most have focused on actual field devices—devices in substations or devices on poles—and 50 percent of our testing was on the master systems, things that communicate to all of the field devices and bring that data back to the operations center. The difference is, if you had access, here you could knock out visibility to a whole system, hundreds of substations, by affecting one or two servers that are monitoring all of that.
[That said] we have not found anything that would suggest there is anything [inherently] wrong with the specification. These are all bugs in implementations from various vendors. There were two vendors we tested out of the 30 products where we didn’t find any detectable vulnerabilities. So at this point, it’s possible to implement the standard without a security or robustness defect.
It's highly likely that the attackers in the breach used one of the vulnerabilities, especially since security researchers have published open source tools to "study" them with penetration testing.
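Crain and Sistrunk's point above is that the DNP3 specification itself held up and the defects were robustness bugs in individual vendors' implementations, the kind that a parser which checks every framing invariant before trusting any field does not have. The following is an added example (not the researchers' code and not any vendor's stack) of a strict DNP3 link-layer frame validator: it rejects a frame unless the start bytes, header CRC, length field, overall size and every data-block CRC all agree, and only then exposes the addresses and payload. The framing layout and the CRC-16/DNP polynomial follow the DNP3 standard; the sample addresses and payload bytes are constructed for the example.

```python
"""Strict DNP3 link-layer frame validation.

Added example. The framing (0x05 0x64 start, length, control, 16-bit
little-endian destination/source, header CRC, then 16-byte data blocks each
followed by a CRC) and the CRC-16/DNP polynomial follow the DNP3 standard;
the sample addresses and payload below are constructed.
"""
from dataclasses import dataclass

DNP3_START = b"\x05\x64"
HEADER_SIZE = 10       # start(2) + length(1) + control(1) + dest(2) + src(2) + crc(2)
MIN_LENGTH_FIELD = 5   # the length field counts control + dest + src + user data
BLOCK_SIZE = 16        # user data is protected in 16-byte blocks, each with its own CRC


class FrameError(ValueError):
    """Raised for any frame that fails validation; the message says why."""


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 processed LSB-first (reflected form 0xA6BC),
    initial value 0, result complemented."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


@dataclass
class LinkFrame:
    control: int
    destination: int
    source: int
    user_data: bytes


def parse_link_frame(frame: bytes) -> LinkFrame:
    """Validate every framing invariant before trusting any field."""
    if len(frame) < HEADER_SIZE:
        raise FrameError("frame shorter than link header")
    if frame[:2] != DNP3_START:
        raise FrameError("bad start bytes")
    header = frame[:8]
    if crc_dnp(header) != int.from_bytes(frame[8:10], "little"):
        raise FrameError("header CRC mismatch")
    length = frame[2]
    if length < MIN_LENGTH_FIELD:
        raise FrameError("length field below minimum")
    user_len = length - MIN_LENGTH_FIELD
    blocks = (user_len + BLOCK_SIZE - 1) // BLOCK_SIZE
    expected = HEADER_SIZE + user_len + 2 * blocks
    if len(frame) != expected:
        raise FrameError(f"frame is {len(frame)} bytes, length field implies {expected}")
    user_data = bytearray()
    pos, remaining = HEADER_SIZE, user_len
    while remaining:
        n = min(BLOCK_SIZE, remaining)
        block = frame[pos:pos + n]
        if crc_dnp(block) != int.from_bytes(frame[pos + n:pos + n + 2], "little"):
            raise FrameError("data block CRC mismatch")
        user_data += block
        pos += n + 2
        remaining -= n
    return LinkFrame(
        control=frame[3],
        destination=int.from_bytes(frame[4:6], "little"),
        source=int.from_bytes(frame[6:8], "little"),
        user_data=bytes(user_data),
    )


def build_link_frame(control: int, destination: int, source: int, user_data: bytes) -> bytes:
    """Build a well-formed frame (used here to produce sample input)."""
    if len(user_data) > 255 - MIN_LENGTH_FIELD:
        raise FrameError("user data does not fit in one frame")
    header = (DNP3_START + bytes([MIN_LENGTH_FIELD + len(user_data), control])
              + destination.to_bytes(2, "little") + source.to_bytes(2, "little"))
    out = bytearray(header + crc_dnp(header).to_bytes(2, "little"))
    for i in range(0, len(user_data), BLOCK_SIZE):
        block = user_data[i:i + BLOCK_SIZE]
        out += block + crc_dnp(block).to_bytes(2, "little")
    return bytes(out)


def classify(frame: bytes) -> str:
    """Return 'valid' or the validation error, for running over frames from a capture."""
    try:
        parse_link_frame(frame)
        return "valid"
    except FrameError as exc:
        return str(exc)


# Constructed sample: master address 1024 -> outstation 1 with a 6-byte payload (values arbitrary).
SAMPLE_FRAME = build_link_frame(0xC4, 1, 1024, b"\xc0\xc1\x01\x3c\x02\x06")

if __name__ == "__main__":
    print(parse_link_frame(SAMPLE_FRAME))
    tampered = bytearray(SAMPLE_FRAME)
    tampered[2] = 200  # oversize length field no longer matches the header CRC
    print(classify(bytes(tampered)))
```

The order of the checks is the point: the length field is only believed after the header CRC that covers it has been verified, the frame's actual size is compared against what that length implies before any data block is indexed, and each block's CRC is checked before its bytes are appended, so a truncated, padded or corrupted frame is rejected with a reason rather than read past its end. Running `classify` over every frame in a capture from the master side gives a quick count of how much malformed traffic a given master stack is being asked to tolerate.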
III. FERC Wants More Power; Pentagon's Fuel Chain is Vulnerable
NERC is under pressure to implement new security guidelines for SCADA. It will be up to NERC's supervisor agency -- the Federal Energy Regulatory Commission (FERC) -- to push action on the issue.
But currently FERC's attention is divided between regulatory actions and bureaucratic negotiations. In mid-February FERC's acting chairman, Cheryl LaFleur, called on Congress to grant it "clear and direct authority" to take action to protect the nation's infrastructure against cyberattacks. Currently that responsibility is divided between FERC, DHS, and a variety of other government agencies.
This authority should include the ability to require action before a physical or cyber national security incident has occurred.
She also commented that granting the authority would not impact the current work to draft grid reliability standards, a process that takes "several months" to complete. It is probable those standards include work to address vulnerabilities in the SCADA protocol.
Lastly, the ICS-CERT report cites a study from the U.S. Army War College Strategic Studies Institute, which characterizes the Pentagon's supply networks as weak and vulnerable. The report -- "Hacks on Gas: Energy, Cybersecurity and U.S." -- was written by Mr. Bronk, a fellow in IT policy, and details the 2012 attacks on Saudi Arabian Oil Comp. (Aramco), the world's largest oil producer and privately held company.
That attack successfully compromised 30,000 systems using what experts believe was possibly a modified version of the "Flame" malware. Iran has accused the U.S. of using Flame in an attempt to infect and digitally "cripple" its oil industry. Mr. Bronk's report suggests the Pentagon needs to beef up security for its fuel supply chain, or it could find itself crippled by the enemy during a war.
ICS-CERT newsletter [PDF]