Saturday, November 19, 2011

False Alarm? Russia Cyber Attack on Water System SCADA Reported
- Cybersecurity back in the limelight, with more intrusion(s) asserted

11/23/2011 Update - A False Alarm?
*** ANSWER: Yes ***
For the initial Nov 14th report, per DHS; meanwhile more "pr0f" (proof) hackery is being demonstrated and investigated!

As the week of Nov 14th closed, a reportedly "confirmed" water system intrusion, discovered after equipment damage, prompted a sensitive fusion center advisory, quickly followed by more public coverage:

- Issue discovered Nov 8th after pump burned up due to power cycling.
- Credentials used were believed to stem from a supplier/vendor breach (e.g. perhaps via phishing).
- May have been compromised for months with ongoing "instability glitches" dismissed
- Involved access from Russian Internet addresses.

A Nov 10th Illinois fusion center report, serving as initial notice regarding this matter, was obtained by Joe Weiss, crusader for critical infrastructure security, who then broke the story, providing some particulars to major media. A statement released by DHS spokesman Peter Boogaard downplayed the matter: “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

11/23/2011 Update
The Illinois intelligence fusion center reported Tuesday 11/22 that earlier reports of a hacked water utility cannot be substantiated, according to a DHS announcement. Joe Weiss's quote to - “This smells to high holy heaven, because when you look at the Illinois report, nowhere was the word preliminary ever used,” Weiss said, noting that the fusion center — which is composed of Illinois state police, as well as representatives from the FBI and DHS — distributed the report to other critical infrastructure facilities in that state. “It was just laying out facts. How do the facts all of a sudden all fall apart?”

Following the initial DHS statement, a PGP-signed posting by "pr0f" asserted evidence of gaining unauthorized access to a second water treatment facility's SCADA system, with five screenshots and a statement, excerpt: "I dislike, immensely, how the DHS tend to downplay how absolutely F*****D the state of national infrastructure is....I've also seen various people doubt the possibility an attack like this could be done. So, y'know. The city of South Houston has a really insecure system. Wanna see? I know ya do... "

11/23/2011 Update
Sophos's Chester Wisniewski was contacted by the hacker "pr0f" regarding the South Houston, Texas intrusion. The hacker gained access through several methods (a VNC variant, a web portal) and claims he still has access. He also commented "Don't worry, I use my powers for good and such." And he also pointed out, ".. I am under no illusions about my level of skill. These are the least secure systems. .. I was furious at the lack of proper government response. The response they gave was nothing more than 'Nothing happened. Probably.' When clearly something did happen."

What should utilities do?

Mr. Weiss provided some constructive broader recommendations in his post "Water System Hack - The System is Broken". Here are some specific suggestions for near-term critical infrastructure cyber risk mitigation, especially for industrial control system (ICS) settings where cyber security may be lapsing or not addressed in a robust manner:
  1. Identify all ICS systems and their organizational management owners.

  2. Audit key baseline IT security controls and identify any serious remote and local access issues
    - e.g. a protected perimeter, every account has a defined need with management approval/review, access activity logging for review, antivirus where feasible, patching.

  3. Consider how to assert stronger positive owner access control, especially for remote access
    - e.g. remote access normally disabled when not needed, logging of all access events, a multifactor token required and kept in house for vendor call-in, a protected jump box instead of opening full-throat network paths, segmentation when multiple vendor solutions are involved.
    Note: A good place to start is closely studying NERC's July 2011 "Guidance for Secure Interactive Remote Access".

  4. Implement initial improvement options based on risk-informed priority.
    - proceed based on management-engaged approval/direction; document and implement; monitor and report progress.

  5. Pursue ongoing, broader ICS security improvements
    - after basic IT-centric hardening measures are in place, tools such as DHS's CSET (Cyber Security Evaluation Tool), free for critical infrastructure organizations, are available to build a better understanding of ICS security susceptibilities and consequences, measure risk, and identify and prioritize further security improvements.
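
As an added example (not from the original post or from Mr. Weiss), the following Python script applies items 2 and 3 above to a jump-box login log: it flags remote accounts without a defined owner and management approval, logins from source addresses outside the vendor's registered ranges, and successful logins outside the approved remote-access windows. The account names, networks and log lines are all constructed sample data.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

FMT = "%Y-%m-%d %H:%M"
# Constructed account registry (hypothetical names): owner, management approval,
# registered vendor source networks and the approved remote-access windows.
ACCOUNTS = {
    "pumpvendor_svc": {"owner": "Plant Ops Manager", "approved": True,
                       "source_nets": ["192.0.2.0/24"],
                       "windows": [("2011-11-08 08:00", "2011-11-08 12:00")]},
    "hmi_remote": {"owner": None, "approved": False,
                   "source_nets": [], "windows": []},
}
# Constructed jump-box login records: "<date> <time> <user> <source ip> <result>".
LOG = """\
2011-11-08 09:15 pumpvendor_svc 192.0.2.17 ok
2011-11-08 23:41 pumpvendor_svc 198.51.100.9 ok
2011-11-09 02:03 hmi_remote 203.0.113.5 ok
2011-11-09 02:04 hmi_remote 203.0.113.5 fail
"""

def parse_log(text):
    for line in text.splitlines():
        day, clock, user, ip, result = line.split()
        yield datetime.strptime(f"{day} {clock}", FMT), user, ip_address(ip), result

def in_window(ts, windows):
    return any(datetime.strptime(a, FMT) <= ts <= datetime.strptime(b, FMT)
               for a, b in windows)

def audit(log_text, accounts):
    """Return (timestamp, user, reason) for each policy violation, in log order."""
    findings = []
    for ts, user, ip, result in parse_log(log_text):
        acct = accounts.get(user)
        if acct is None or not acct["approved"] or acct["owner"] is None:
            # Item 2: every remote account needs a defined owner and approval.
            findings.append((ts, user, "account lacks owner/approval"))
            continue
        if not any(ip in ip_network(net) for net in acct["source_nets"]):
            findings.append((ts, user, f"source {ip} not in registered vendor range"))
        if result == "ok" and not in_window(ts, acct["windows"]):
            # Item 3: remote access should be disabled outside approved windows.
            findings.append((ts, user, "successful login outside approved window"))
    return findings

if __name__ == "__main__":
    for finding in audit(LOG, ACCOUNTS):
        print(*finding)
```

The same checks run over a real jump-box or VPN export by replacing LOG with the exported lines and ACCOUNTS with the utility's own access register.
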
Any such attack damaging a water utility's pump is, in my opinion, more akin to amateur antics than part of an organized nation-state effort. Regardless, even if this turns out to be a false alarm as far as the cause of the equipment damage goes, many related "what ifs" will be asked by media and others. We can also expect increased interest from hackers of various hats (white, grey, black) (SHODAN anyone?). Industrial control systems, including SCADA, are widely used to support a number of critical infrastructure functions. Secured communication paths and protected remote access must be ensured. Organizations that have blindly entrusted their vendor to adequately address cybersecurity in an environment of increasing risk need to do more. The people, process and technology requirements addressing security in such settings must be understood, documented, supported (with enforcement), and continually developed further.


- Cyber Intrusion Blamed for Hardware Failure at Water Utility - KrebsOnSecurity, 11/18/2011
- H(ackers)2O: Attack on City Water Station Destroys Pump - 11/18/2011
- Second Water Utility Reportedly Hit by Hack Attack - The Register, 11/18/2011
  - proof of concept intrusion
- Hacker Targets South Houston Sewer System - The Houston Chronicle, 11/19/2011

- What You Should Know About SHODAN and SCADA - DigitalBond, 11/2/2010