ICS-CERT warns on the rise in attacks on online ICS

Pierluigi Paganini June 09, 2014

A reading of the data issued by ICS-CERT in its Monthly Monitor (ICS-MM201404) on attacks against ICS (industrial control systems) exposed online.

Have you exposed your industrial control system (ICS) to the Internet?

“If ICS is connected to the Internet, it comes with an almost 100% guarantee of its being hacked on the first day” E. Kaspersky

I used the reply of the founder of security firm Kaspersky Lab to give you an idea of the concrete risks for the numerous ICS exposed on the Internet. Hackers, cyber criminals, state-sponsored hackers and other bad actors can hit any industrial system without specific knowledge.

In 2013 ICS-CERT received 181 vulnerability reports from researchers and ICS vendors; 177 of them were true vulnerabilities. 87 percent were exploitable remotely, while the other 13 percent required local access to exploit the flaws.

[Figure: ICS vulnerabilities reported in 2013, ICS-CERT]

A search engine like Shodan, a specific exploit easily available on an underground forum and an anonymizing tool to avoid detection could be sufficient to compromise a system in a critical infrastructure.

In many cases control systems must be accessible directly from the Internet, which exposes them to the risk of cyber attacks; probes, brute-force attempts, unauthorized access attempts and scanning are the most frequent events.

“Internet facing devices have become a serious concern over the past few years with remote access demands giving way to insecure or vulnerable configurations. Tools, such as SHODAN, Google and other search engines, enable researchers and adversaries to easily discover and identify a variety of ICS devices that were not intended to be Internet facing.” reports the last ICS-CERT Monitor (Jan-Apr 2014).

According to ICS-CERT, in many cases devices are not adequately configured, and adversaries with increasing capabilities can take advantage of the poor security design of the targeted architectures.

“Most recently, ICS-CERT received reports of three new cyber incidents that resulted from weak network configuration and/or lack of perimeter security. Two of those incidents involved intrusions by unauthorized parties, and the other was identified as vulnerable by a researcher. In the majority of these cases, the system owners are unaware of the nonsecure configurations or the associated risk.” states the last ICS-CERT Monitor.

ICS-CERT reported that a public utility was recently compromised: a threat actor gained unauthorized access to its control system network, and the investigation showed that the system was exposed on the Internet without a strong authentication mechanism. After notification of the incident, forensic experts discovered that the system had already been compromised in the past.

The document presents other cases, including a Sochi Arena HVAC system exposed to the Internet, discovered by Billy Rios, a researcher at Qualys, who provided information related to the HVAC and Energy Management System (EMS) associated with the Olympic Games in Russia.

This system was reported to lack authentication requirements to access the control system. The researcher worked with the system integrator to reconfigure the system prior to the Olympics and opening ceremonies.

How to protect ICS?

ICS-CERT recommends adopting defensive measures to secure ICSs based on defense-in-depth principles; below are the principal suggestions to minimize the risk of exploitation:

  • Minimize network exposure for all control system devices. In general, locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  • Remove, disable or rename any default system accounts wherever possible.
  • Implement account lockout policies to reduce the risk from brute forcing attempts.
  • Establish and implement policies requiring the use of strong passwords.
  • Monitor the creation of administrator level accounts by third-party vendors.
  • Apply patches in the ICS environment, when possible, to mitigate known vulnerabilities.
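Three of these recommendations (default accounts, account lockout against brute forcing, monitoring of new administrator accounts) can be checked against authentication logs. The following is an added example, not code from the article or from ICS-CERT: it runs over constructed HMI log lines in an assumed format, and the account names and the lockout threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample lines (assumed format: "<ISO time> <event> user=<u> [role=<r>] src=<ip>")
SAMPLE_LOG = """\
2014-05-01T10:00:01 LOGIN_FAIL user=admin src=203.0.113.7
2014-05-01T10:00:02 LOGIN_FAIL user=admin src=203.0.113.7
2014-05-01T10:00:03 LOGIN_FAIL user=admin src=203.0.113.7
2014-05-01T10:00:04 LOGIN_FAIL user=admin src=203.0.113.7
2014-05-01T10:00:05 LOGIN_FAIL user=admin src=203.0.113.7
2014-05-01T10:00:06 LOGIN_OK user=admin src=203.0.113.7
2014-05-01T10:05:00 LOGIN_OK user=operator src=192.168.10.5
2014-05-01T10:07:30 ACCOUNT_CREATE user=vendor_svc role=admin src=203.0.113.7
"""
DEFAULT_ACCOUNTS = {"admin", "root", "administrator"}  # assumed vendor default accounts
LOCKOUT_THRESHOLD = 5                  # assumed policy: 5 failures ...
LOCKOUT_WINDOW = timedelta(minutes=5)  # ... within 5 minutes should lock the account
LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+)(?: role=(\S+))? src=(\S+)$")

def analyze(log_text):
    """Return a list of (alert_kind, user, src) tuples in log order."""
    alerts = []
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown line shape; a real collector would count these
        ts, event, user, role, src = m.groups()
        t = datetime.fromisoformat(ts)
        recent = failures[(user, src)]
        if event == "LOGIN_FAIL":
            recent.append(t)
            while recent and t - recent[0] > LOCKOUT_WINDOW:  # drop stale failures
                recent.popleft()
            if len(recent) == LOCKOUT_THRESHOLD:  # the point at which lockout should fire
                alerts.append(("BRUTE_FORCE", user, src))
        elif event == "LOGIN_OK":
            if user in DEFAULT_ACCOUNTS:  # default account still enabled and in use
                alerts.append(("DEFAULT_ACCOUNT_LOGIN", user, src))
            if len(recent) >= LOCKOUT_THRESHOLD:  # success right after a burst: no lockout enforced
                alerts.append(("LOGIN_AFTER_BURST", user, src))
            recent.clear()
        elif event == "ACCOUNT_CREATE" and role == "admin":  # third-party admin account creation
            alerts.append(("ADMIN_ACCOUNT_CREATED", user, src))
    return alerts

if __name__ == "__main__":
    for kind, user, src in analyze(SAMPLE_LOG):
        print(f"{kind}: user={user} src={src}")
```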

Pierluigi Paganini

(Security Affairs –  ICS, critical infrastructure)
