US Public Utility, Sochi Olympics Hit with ICS Attacks in Q1

Photo credit: Martynova Anna/

Heartbleed may have dominated the vulnerability landscape of late, but the latest Quarterly Monitor newsletter from ICS-CERT details three new cyber-incidents in the first quarter that resulted from weak network configuration and/or a lack of perimeter security. Two of those incidents involved intrusions by unauthorized parties; the third, an exposed building-control system flagged ahead of the Winter Olympics in Sochi, was identified as vulnerable by a researcher. In all three cases the system owners were unaware of the insecure configurations or the associated risk.

Most critically, a public utility was recently compromised when a sophisticated threat actor gained unauthorized access to its control system network. After notification of the incident, ICS-CERT validated that the software used to administer the control system assets was accessible via internet-facing hosts. The systems were configured with a remote access capability that relied on a simple password mechanism, and that authentication method was susceptible to compromise via standard brute-forcing techniques.

The incident highlights the need to evaluate the security controls employed at the perimeter and to ensure that potential intrusion vectors (e.g., remote access) are configured with appropriate security controls, monitoring, and detection capabilities.
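The monitoring gap described above is the easy part to close: a password brute-force against an internet-facing remote access service leaves a distinctive trail of repeated failures from one source followed by a success. The following is an added example, not code from ICS-CERT or from the utility; the log layout ("&lt;ISO timestamp&gt; remote-access &lt;user&gt;@&lt;source-ip&gt; LOGIN_OK|LOGIN_FAIL") is an assumed syslog-like format and the sample lines are constructed.

```python
"""Brute-force detection for an internet-facing remote-access service.

Added example, not ICS-CERT's or the utility's tooling. The log layout is an
assumption and the sample lines below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed log format: "<ISO timestamp> remote-access <user>@<source-ip> LOGIN_OK|LOGIN_FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) remote-access (?P<user>[^@\s]+)@(?P<ip>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL)$"
)

# Constructed sample: one source hammers the 'operator' account and then gets in;
# the other two sources are ordinary traffic (one success, one isolated failure).
SAMPLE_LOG = """\
2014-01-10T02:00:01 remote-access operator@203.0.113.7 LOGIN_FAIL
2014-01-10T02:00:02 remote-access operator@203.0.113.7 LOGIN_FAIL
2014-01-10T02:00:02 remote-access jsmith@198.51.100.22 LOGIN_OK
2014-01-10T02:00:04 remote-access operator@203.0.113.7 LOGIN_FAIL
2014-01-10T02:00:05 remote-access operator@203.0.113.7 LOGIN_FAIL
2014-01-10T02:00:07 remote-access admin@192.0.2.5 LOGIN_FAIL
2014-01-10T02:00:08 remote-access operator@203.0.113.7 LOGIN_FAIL
2014-01-10T02:00:09 remote-access operator@203.0.113.7 LOGIN_FAIL
2014-01-10T02:00:11 remote-access operator@203.0.113.7 LOGIN_OK
"""


def parse(line):
    """Return (timestamp, user, source_ip, result), or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["ip"], m["result"]


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Scan log lines in order and return a list of (alert_type, source_ip, timestamp).

    'bruteforce' : at least `threshold` failures from one source within `window`
    'compromise' : a later LOGIN_OK from a source already flagged for brute force
    """
    recent_fails = defaultdict(deque)  # source ip -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, user, ip, result = event
        if result == "LOGIN_FAIL":
            q = recent_fails[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, ts))
        elif ip in flagged:  # LOGIN_OK from a source that was brute-forcing
            alerts.append(("compromise", ip, ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind:<10} {ip}")
```

Run against the sample, the detector raises a brute-force alert on the fifth failure from 203.0.113.7 and a compromise alert when that same source later logs in; the single failure from 192.0.2.5 never crosses the threshold. A real deployment would feed this from the remote access gateway's own logs and pair the compromise alert with an automatic block or account lockout, but the key lesson of the incident is that the failures were there to be seen and nobody was looking.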

“The public utility network compromise example from the ICS-CERT report is just another shot across the bow for organizations supporting the U.S.’s critical infrastructure,” said Mike Ellis, CEO at ForgeRock, in a statement to Infosecurity. “By all accounts, what was implemented by this public utility would be considered failing from a best practices perspective.”

He added, “The unfortunate truth is that it’s a technology, people and processes problem. More and more, we see that organizations are stretched to authenticate and authorize the voluminous number of identities connecting to the network, struggling to decipher between good and bad while security compromises continue to plague this sector.”

In the utility’s case, ICS-CERT provided analytical assistance, including host-based forensic analysis and a comprehensive review of available network logs. It was determined that the systems were likely exposed to numerous security threats and previous intrusion activity was also identified.

ICS-CERT went on to conduct an onsite cybersecurity assessment in response to the incident to assist the asset owners with evaluating the overall security posture of their infrastructure. In addition, ICS-CERT made practical recommendations for re-architecting and securing the control network.

The second example involved an unprotected, internet-connected control system operating a mechanical device. Upon investigation, ICS-CERT determined that a sophisticated threat actor had accessed the control system server (connected via a cellular modem) through a SCADA protocol. The device was directly Internet accessible and was not protected by a firewall or authentication access controls.

At the time of compromise, the control system was mechanically disconnected from the device for scheduled maintenance. ICS-CERT provided analytic assistance and determined that the actor had access to the system over an extended period of time and had connected via both HTTP and the SCADA protocol. However, further analysis determined that no attempts were made by the threat actor to manipulate the system or inject unauthorized control actions.

After the incident was resolved, ICS-CERT conducted an onsite cybersecurity assessment of the asset owner's larger control environment to evaluate its security posture and make recommendations for further securing remote access to the control network. This incident highlights the need for perimeter security and monitoring capabilities to prevent adversaries from discovering vulnerable ICSs and using them as targets of opportunity.

And finally, Billy Rios, a researcher at Qualys, provided information to ICS-CERT concerning an internet-facing HVAC and Energy Management System (EMS) associated with an arena at the Sochi Olympics in Russia. This system was reported to lack any authentication requirement for access to the control system. The researcher worked with the system integrator to reconfigure the system prior to the Olympics and the opening ceremonies.
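Both the cellular-modem incident and the Sochi EMS come down to the same question an asset owner should be able to answer from its own records: who reached the controller from outside the expected perimeter, over which protocols, and for how long? The following is an added example, not ICS-CERT's tooling or any vendor's; the control-network range, the allowlisted engineering workstation, the port-to-protocol mapping and the connection records are all constructed assumptions.

```python
"""Exposure check for a control-system host: sessions that reached it from
outside the expected perimeter, the protocols used, and the span of access.

Added example, not ICS-CERT's or a vendor's code. Network ranges, allowlist,
port mapping and records are constructed assumptions."""
import ipaddress
from collections import defaultdict

# Assumed perimeter: the control network, plus one engineering workstation
# that is the only remote host allowed to talk to the controller.
CONTROL_NET = ipaddress.ip_network("10.50.0.0/16")
ALLOWED_REMOTE = {ipaddress.ip_address("10.50.1.10")}

# Destination ports treated as a control protocol or the device's web interface.
SCADA_PORTS = {502: "modbus-tcp", 20000: "dnp3", 44818: "ethernet-ip"}
WEB_PORTS = {80: "http", 443: "https"}

# Constructed connection records: (timestamp, source ip, destination ip, destination port).
# 198.51.100.42 talks to the controller over HTTP and Modbus across several days,
# 203.0.113.9 pokes SSH once, and the other two sources are expected traffic.
SAMPLE_CONNECTIONS = [
    ("2014-02-03T11:02:10", "10.50.1.10", "10.50.7.20", 502),
    ("2014-02-03T11:40:55", "198.51.100.42", "10.50.7.20", 80),
    ("2014-02-03T11:41:30", "198.51.100.42", "10.50.7.20", 502),
    ("2014-02-05T23:12:01", "10.50.3.4", "10.50.7.20", 443),
    ("2014-02-09T04:18:44", "198.51.100.42", "10.50.7.20", 502),
    ("2014-02-11T19:03:12", "198.51.100.42", "10.50.7.20", 80),
    ("2014-02-11T19:05:00", "203.0.113.9", "10.50.7.20", 22),
]


def protocol_name(port):
    """Map a destination port to a protocol label; unknown ports keep their number."""
    return SCADA_PORTS.get(port) or WEB_PORTS.get(port) or f"tcp/{port}"


def is_internal(src):
    """True if the source sits inside the control network or is the allowlisted workstation."""
    ip = ipaddress.ip_address(src)
    return ip in CONTROL_NET or ip in ALLOWED_REMOTE


def perimeter_allows(src, port):
    """The rule the incident text says was absent: only the allowlisted host may reach
    the controller, and only over a control protocol (no web UI from anywhere)."""
    ip = ipaddress.ip_address(src)
    return ip in ALLOWED_REMOTE and port in SCADA_PORTS


def summarize_exposure(records):
    """Group sessions from sources outside the perimeter by source address.

    Returns {source_ip: {"protocols": set, "sessions": int, "first": ts, "last": ts}}
    so an analyst sees at once which protocols an outsider used and for how long.
    Records are sorted by timestamp first, so first/last are correct for unordered input."""
    findings = defaultdict(
        lambda: {"protocols": set(), "sessions": 0, "first": None, "last": None}
    )
    for ts, src, dst, port in sorted(records):
        if is_internal(src):
            continue
        f = findings[src]
        f["protocols"].add(protocol_name(port))
        f["sessions"] += 1
        f["first"] = f["first"] or ts
        f["last"] = ts
    return dict(findings)


if __name__ == "__main__":
    for src, f in summarize_exposure(SAMPLE_CONNECTIONS).items():
        print(f"{src}: {f['sessions']} sessions, {sorted(f['protocols'])}, "
              f"{f['first']} .. {f['last']}")
```

On the constructed records the summary shows 198.51.100.42 with four sessions over both HTTP and Modbus/TCP spanning eight days, which is exactly the pattern ICS-CERT describes for the second incident (access over an extended period, via both HTTP and the SCADA protocol). `perimeter_allows` is the firewall policy that would have stopped those sessions before they ever reached the controller; it also rejects web-interface access outright, which is the Sochi EMS problem in miniature.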

“Security should be elevated to a business-critical function as it has serious impact on the bottom line, reputation and customer trust, requiring C-level discussion,” Ellis said. “Organizations must also modernize, legacy systems were simply not designed to handle the complexity and volume of internet-based relationships and connections.”
