A U.S. utility was recently compromised by a “sophisticated threat actor,” according to an ICS-CERT report. The control system was accessed through a remote access feature and brute-force tactics applied to the password authorization mechanism. In other words, this unnamed public utility placed its control system at risk by making it directly accessible through the Internet. In “Internet Accessible Control Systems at Risk,” the ICS-CERT, a part of the Department of Homeland Security, which investigates system vulnerabilities to cyber attacks and promotes situational awareness, asks:
And the answer: If your answer was yes to any or all of these questions, you are at increased risk of cyber attacks including scanning, probes, brute-force attempts and unauthorized access to your control environment.
The likelihood of Internet-facing, mission-critical industrial and utility systems under ICS-CERT’s purview being compromised is rising, the department warns, in part because public documents expose search terms that help anyone scanning for these critical control systems identify them. Finding the systems is no longer hard, and when they are not adequately protected by authentication mechanisms, breaches will occur. Homeland Security does not report on every attempted or successful breach of public systems or utilities; this is just one instance, and it appears to have been a near miss. In the report, ICS-CERT also makes a vague reference to two other recent events. Could one of them have been a public utility in your area? It could have.
The reality is that critical systems are sitting like pretty little packages all wrapped up for a bad actor with an Internet connection to open. Beyond a heightened level of concern about the effect a breach of this sort could have on our own communities and the country, we can take up the generalized recommendations that ICS-CERT provides. Practically speaking, the department knows that not all Internet accessibility will be removed, even in industrial operations and public utilities, and a similar breach of your systems might not bring a city to its knees. That being said, spending some time comparing these action items with your own critical systems could reveal opportunities to tighten up and reduce risk. You may decide that simply removing remote access and isolating systems is no longer optional: