Cybersecurity

Infrastructure cyber intrusion: A cautionary tale

gloved hands

The Department of Homeland Security revealed the details of cyber incursions at two critical infrastructure providers to remind power, water and electricity companies that they need to pay closer attention to their control systems.

In its latest "ICS-CERT Monitor" report, the Industrial Control Systems Cyber Emergency Response Team said that in the past few months, it had assessed the potential damage done by cyber intruders that had burrowed into control systems at two critical infrastructure providers.

Although the team typically does not provide much detail in its reporting of critical infrastructure attacks, it made an exception to provide a cautionary tale for those responsible for securing critical infrastructure networks.

The group noted that cyberattackers can identify and target ICS devices more easily now because of an increasing body of knowledge detailing ICS-specific terminology. Given the public availability of that information and the reach of powerful search tools such as Shodan and Google, the threshold for finding vulnerable systems is lower than ever, the report states.

The team did not name the two infrastructure providers but said one was a public utility that was compromised when "a sophisticated threat actor" accessed its control network via Internet-facing hosts that had been secured with only a simple password. The intruder used brute-force techniques to find that password.

After the intrusion was discovered, ICS-CERT was asked to analyze what had happened. The report states that the systems were exposed to numerous security threats and that intruders had used the unlocked door before. The team recommended redesigning the system.

In the second attack detailed in the report, an intruder used a cellular modem to access a control system server via supervisory control and data acquisition protocols. The unprotected system operated a mechanical device that at the time of the compromise was disconnected for scheduled maintenance. According to the report, the team determined that the "threat actor" likely had access to the system over an extended period of time, though the actor made no attempt to manipulate it.

ICS-CERT said both incidents point to the increasing need for critical infrastructure providers to keep up with perimeter security, remote access authentication and security monitoring capabilities to prevent adversaries from discovering and targeting vulnerable control systems and devices.

In addition to the detailed breach narratives, ICS-CERT reported that from January to March, it performed 20 security assessments for water, power and transportation providers, and nuclear facilities. Those assessments are typically performed at the request of providers after they have found evidence of a possible intrusion or experienced a cyberattack.

About the Author

Mark Rockwell is a staff writer covering acquisition, procurement and homeland security. Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.

Reader comments

Wed, Jun 18, 2014

Why are supervisory control and data automation (SCADA) networks even **ON** the Internet in the first place? Before the internet these things were linked together with leased lines and other private communications channels. I fear I already know the reason: cost. It's ridiculous. True, even air gapped networks can be vulnerabile (just ask Iran) - but that kind of a compromise is far less likely than the casual hacking that can come from a poorly secured machine accessible by literally the world. The mind boggles that this is even an acceptable bets practice...

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above