A U.S. utility was recently compromised by a “sophisticated threat actor,” according to an ICS-CERT report. The control system was reached through a remote access feature, with brute-force tactics applied to its password authorization mechanism. In other words, this unnamed public utility placed its control system at risk by making it directly accessible from the Internet. In “Internet Accessible Control Systems at Risk,” the ICS-CERT, a part of the Department of Homeland Security that investigates system vulnerabilities to cyber attacks and promotes situational awareness, asks:
- Is your control system accessible directly from the Internet?
- Do you use remote access features to log into your control system network?
- Are you unsure of the security measures that protect your remote access services?
And the answer: If your answer was yes to any or all of these questions, you are at increased risk of cyber attacks, including scanning, probes, brute-force attempts and unauthorized access to your control environment.
The likelihood of Internet-facing, mission-critical industrial and utility systems under ICS-CERT’s purview being compromised is rising, the department warns, in part because public documents expose search terms that help identify these critical control systems to anyone scanning for them. Finding the systems is just not that hard anymore, and when they are not adequately protected by authentication mechanisms either, breaches will occur. Homeland Security does not report on every attempted or successful breach of public systems or utilities. This is just one instance, and it appears to have been a near miss. In the report, ICS-CERT also makes a vague reference to two other recent events. Could one of them have been a public utility in your area? It could have.
In this instance, ICS-CERT performed an analysis of the threat level at the utility and provided recommendations for increased system protections.
The reality is that critical systems are sitting like pretty little packages all wrapped up for a bad actor with an Internet connection to open. Beyond a heightened level of concern about the effect a breach of this sort could have on our own communities and the country, we can take up the general recommendations that ICS-CERT provides. Practically speaking, the department knows that not all Internet accessibility will be removed, even in industrial operations and public utilities. Maybe a similar breach of your systems wouldn’t bring a city to its knees. That being said, spending some time comparing these action items with your own critical systems could shed light on opportunities to tighten up and reduce risk. You may decide that simply removing remote access and isolating systems is no longer optional:
- Minimize network exposure for all control system devices. In general, locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the devices connected to it.
- Remove, disable or rename any default system accounts wherever possible.
- Implement account lockout policies to reduce the risk from brute forcing attempts.
- Establish and implement policies requiring the use of strong passwords.
- Monitor the creation of administrator level accounts by third-party vendors.
- Apply patches in the ICS environment, when possible, to mitigate known vulnerabilities.
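Two of the items above, account lockout against brute forcing and watching for default account names, are easy to turn into a concrete check. The following is an added example, not code from ICS-CERT or the utility: a minimal lockout-policy evaluator run over constructed remote-access authentication log lines. The log line format, the account names and the addresses are assumptions made for this example.

```python
# Added example (not from the ICS-CERT report): a minimal account-lockout
# evaluator run over constructed remote-access authentication log lines.
# Line format, account names and addresses are assumptions for this example.
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_line(line):
    """Return (timestamp, result, user, src), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]

def lockout_events(lines, max_failures=5, window=timedelta(minutes=15)):
    """Lock an account once it accumulates max_failures failed logins inside
    `window`; a success clears the count. Returns (lock_time, user, src)."""
    recent = defaultdict(list)   # user -> failure timestamps still in window
    locked = {}                  # user -> time the lock began
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if user in locked and ts - locked[user] < window:
            continue             # still locked: attempt rejected, not counted
        locked.pop(user, None)   # lock expired (or never existed)
        if result == "success":
            recent[user].clear()
            continue
        recent[user] = [t for t in recent[user] if ts - t < window] + [ts]
        if len(recent[user]) >= max_failures:
            locked[user] = ts
            recent[user].clear()
            events.append((ts, user, src))
    return events

# Constructed sample: password guessing against a default account name
# (six failures two seconds apart), then one legitimate operator login.
SAMPLE_LOG = [
    "2014-05-20T01:00:%02dZ auth failure user=admin src=203.0.113.7" % s
    for s in range(0, 12, 2)
] + ["2014-05-20T01:00:30Z auth success user=operator src=192.0.2.10"]
```

With the default policy the sample yields a single lockout of `admin` at the fifth failure; the sixth attempt lands inside the lock window and is rejected without being counted again.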