"Serial Killer?" DHS Reports Penetration of Utility, Manufacturing Networks
May 21, 2014 7:58 AM
Intruders appeared to simply watch and observe, made no attempt at sabotage
The U.S. Department of Homeland Security (DHS) this weekend disclosed in a newsletter aimed at security professionals that a "sophisticated threat actor" had penetrated a public utility's (water, sewer, power, gas, etc.) control network in recent months.
I. Two Major Breaches Detailed
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) writes in its tri-annual (Jan.-April) newsletter:
A public utility was recently compromised when a sophisticated threat actor gained unauthorized access to its control system network. After notification of the incident, ICS-CERT validated that the software used to administer the control system assets was accessible via Internet facing hosts. The systems were configured with a remote access capability, utilizing a simple password mechanism; however, the authentication method was susceptible to compromise via standard brute forcing techniques.
A second incident is also described, involving an internet-connected "device" -- likely a control mechanism at a utility. ICS-CERT reports:
The second example involved an unprotected, Internet-connected, control system operating a mechanical device. Upon investigation, ICS-CERT determined that a sophisticated threat actor had accessed the control system server (connected via a cellular modem) through a supervisory control and data acquisition (SCADA) protocol. The device was directly Internet accessible and was not protected by a firewall or authentication access controls.
At the time of compromise, the control system was mechanically disconnected from the device for scheduled maintenance. ICS-CERT provided analytic assistance and determined that the actor had access to the system over an extended period of time and had connected via both HTTP and the SCADA protocol. However, further analysis determined that no attempts were made by the threat actor to manipulate the system or inject unauthorized control actions.
After the incident was resolved, ICS-CERT conducted an onsite cybersecurity assessment of its larger control environment to evaluate its security posture and make recommendations for further securing its remote access to its control network. This incident highlights the need for perimeter security and monitoring capabilities to prevent adversaries from discovering vulnerable ICSs and using them as targets of opportunity.
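As an added illustration (not code from the ICS-CERT report or from this article), the following Python script runs detection logic over constructed log lines that mirror the two incidents above: a remote-access login worn down by repeated password failures, and SCADA (DNP3 on 20000/tcp) and HTTP connections reaching a control server from outside the plant's own address ranges. The log format, the internal address allowlist and the watched ports are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (not from the ICS-CERT report): remote-access logins
# and connection records observed at a control-system server.
SAMPLE_LOG = """\
2014-04-01T02:10:01Z auth src=198.51.100.23 user=admin result=FAIL
2014-04-01T02:10:02Z auth src=198.51.100.23 user=admin result=FAIL
2014-04-01T02:10:03Z auth src=198.51.100.23 user=operator result=FAIL
2014-04-01T02:10:04Z auth src=198.51.100.23 user=admin result=OK
2014-04-01T03:00:00Z auth src=10.0.5.7 user=operator result=OK
2014-04-01T03:15:00Z conn src=10.0.5.7 dst=10.0.1.20 dport=20000 proto=tcp
2014-04-01T04:20:00Z conn src=203.0.113.9 dst=10.0.1.20 dport=20000 proto=tcp
2014-04-01T04:21:00Z conn src=203.0.113.9 dst=10.0.1.20 dport=80 proto=tcp
"""
AUTH_RE = re.compile(r"^(\S+) auth src=(\S+) user=(\S+) result=(\S+)$")
CONN_RE = re.compile(r"^(\S+) conn src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)$")
# Assumed plant-internal ranges: any other source reaching the control server
# has crossed the perimeter.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed services on the control server: DNP3 (20000/tcp), Modbus/TCP (502), HTTP (80).
WATCHED_PORTS = {20000: "DNP3", 502: "Modbus/TCP", 80: "HTTP"}
FAIL_THRESHOLD = 3  # failed logins from one source before it counts as password guessing

def analyze(log_text, fail_threshold=FAIL_THRESHOLD):
    """Return (alert_type, source_ip, detail) tuples in log order."""
    fails = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        if m := AUTH_RE.match(line):
            ts, src, user, result = m.groups()
            if result == "FAIL":
                fails[src] += 1
                if fails[src] == fail_threshold:
                    alerts.append(("brute_force_attempt", src, f"{fail_threshold} failed logins by {ts}"))
            elif fails[src] >= fail_threshold:
                # A success right after a burst of failures is the brute-force signature.
                alerts.append(("brute_force_success", src, f"login as {user} after {fails[src]} failures at {ts}"))
        elif m := CONN_RE.match(line):
            ts, src, dst, dport, proto = m.groups()
            port = int(dport)
            if port in WATCHED_PORTS and not any(ip_address(src) in n for n in INTERNAL_NETS):
                alerts.append(("external_scada_access", src, f"{WATCHED_PORTS[port]} ({proto}/{port}) to {dst} at {ts}"))
    return alerts

if __name__ == "__main__":
    for kind, src, detail in analyze(SAMPLE_LOG):
        print(f"{kind:22} {src:16} {detail}")
```

On the constructed log the script reports the password-guessing burst, the login that followed it, and the two external connections to the DNP3 and HTTP services; the internal operator session on 10.0.5.7 is left alone.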
In the case of both intrusions, the infiltrating party did no damage and merely seemed to snoop on the systems, perhaps as a test for more damaging future attacks. China's People's Liberation Army (PLA) is, of course, a top suspect, despite its repeated denials of hacking U.S. networks.
Such intrusions are believed to be increasingly common, but are often not discussed in such explicit detail.
ICS-CERT typically only posts a boilerplate notice of intrusions, which lists the sector but not the specific company involved or details about the level of intrusion. Last year, 256 such incidents were reported. ICS-CERT's report states that it dealt with security intrusion issues at 20 power plants and public utilities. Among these was a pair of breaches at nuclear facilities.
It is rather rare for the federal government to offer such a detailed account of a breach in the wild, as it hurts consumer confidence in utilities, and in turn discourages utilities from sharing information about these kinds of intrusions with the government.
Such cyber attacks are rarely disclosed by ICS-CERT, which typically keeps details about its investigations secret to encourage businesses to share information with the government. Companies are often reluctant to go public about attacks to avoid potentially negative publicity.
But ICS-CERT appears to feel it is necessary to discuss this pair of breaches in more detail to highlight the growing threat to American infrastructure.
II. SCADA: Ticking Timebomb?
SCADA (supervisory control and data acquisition) refers to serial communications protocols commonly used in the power industry to remotely control and monitor mechanisms, such as pipeline valves. It is also sometimes used to monitor and control heating, ventilation, and air-conditioning (HVAC) systems at large facilities such as airports. The described incident hints that the breach occurred at yet another common use of SCADA-connected devices -- manufacturing and fabrication.
Typically such applications are governed by the North American Electric Reliability Corp. (NERC), a nonprofit trade group responsible for setting standards for internet-connected devices. But in early February, at a conference in San Antonio, Texas, security researchers Adam Crain and Chris Sistrunk reminded the audience that NERC had not set strict security standards for SCADA.
The pair showed that the DNP3 master protocol stack had several vulnerabilities that would allow a remote attacker to seize control of a connected device. Such a breach could allow an attacker to not only cut the device off from communication with the rest of the network, but also to gain full command and control capabilities.
A diagram of a SCADA-controlled water treatment network. [Image Source: Remote Pump Solutions]
Part of the presentation's tongue-in-cheek title -- "Serial Killer" -- alludes to the fact that such an intrusion could be used to turn plant robots against workers in a deadly sabotage plot. Alternatively, it could be used to black out a nation's power grid and fuel pipelines in a time of war.
One of the researchers stated to a blog:
What’s different about our research is that most have focused on actual field devices—devices in substations or devices on poles—and 50 percent of our testing was on the master systems, things that communicate to all of the field devices and bring that data back to the operations center. The difference is, if you had access, here you could knock out visibility to a whole system, hundreds of substations, by affecting one or two servers that are monitoring all of that.
[That said] we have not found anything that would suggest there is anything [inherently] wrong with the specification. These are all bugs in implementations from various vendors. There were two vendors we tested out of the 30 products where we didn’t find any detectable vulnerabilities. So at this point, it’s possible to implement the standard without a security or robustness defect.
It's highly likely that the attackers in the breach used one of the vulnerabilities, especially since security researchers have published open-source tools to "study" them with penetration testing.
III. FERC Wants More Power; Pentagon's Fuel Chain is Vulnerable
NERC is under pressure to implement new security guidelines for SCADA. It will be up to NERC's supervisory agency -- the Federal Energy Regulatory Commission (FERC) -- to push action on the issue.
But currently FERC's attention is divided between regulatory actions and bureaucratic negotiations. In mid-February FERC's acting chairman, Cheryl LaFleur, called on Congress to grant it "clear and direct authority" to take action to protect the nation's infrastructure against cyberattacks. Currently that responsibility is divided between FERC, DHS, and a variety of other government agencies.
This authority should include the ability to require action before a physical or cyber national security incident has occurred.
She also commented that granting the authority would not impact the current work to draft grid reliability standards, a process that takes "several months" to complete. It is probable those standards include work to address vulnerabilities in the SCADA protocol.
Lastly, the ICS-CERT report cites a study from the U.S. Army War College Strategic Studies Institute, which characterizes the Pentagon's supply networks as weak and vulnerable. The report -- "Hacks on Gas: Energy, Cybersecurity and U.S." -- was written by Mr. Bronk, a fellow in IT policy, and details the 2012 attacks on Saudi Arabian Oil Co. (Aramco), the world's largest oil producer and privately held company.
That attack successfully compromised 30,000 systems using what experts believe was possibly a modified version of the "Flame" malware. Iran has accused the U.S. of using Flame in an attempt to infect and digitally "cripple" its oil industry. Mr. Bronk's report suggests the Pentagon needs to beef up security for its fuel supply chain, or it could find itself crippled by the enemy during a war.
Source: ICS-CERT newsletter [PDF]