Infrastructure cyber intrusion: A cautionary tale
- By Mark Rockwell
- May 21, 2014
The Department of Homeland Security revealed the details of cyber incursions at two critical infrastructure providers to remind power, water and electricity companies that they need to pay closer attention to their control systems.
In its latest "ICS-CERT Monitor" report, the Industrial Control Systems Cyber Emergency Response Team said that in the past few months, it had assessed the potential damage done by cyber intruders that had burrowed into control systems at two critical infrastructure providers.
Although the team typically does not provide much detail in its reporting of critical infrastructure attacks, it made an exception to provide a cautionary tale for those responsible for securing critical infrastructure networks.
The group noted that cyberattackers can identify and target ICS devices more easily now because of an increasing body of knowledge detailing ICS-specific terminology. Given the public availability of that information and the reach of powerful search tools such as Shodan and Google, the threshold for finding vulnerable systems is lower than ever, the report states.
The team did not name the two infrastructure providers but said one was a public utility that was compromised when "a sophisticated threat actor" accessed its control network via Internet-facing hosts that had been secured with only a simple password. The intruder used brute-force techniques to find that password.
After the intrusion was discovered, ICS-CERT was asked to analyze what had happened. The report states that the systems were exposed to numerous security threats and that intruders had used the unlocked door before. The team recommended redesigning the system.
In the second attack detailed in the report, an intruder used a cellular modem to access a control system server via supervisory control and data acquisition protocols. The unprotected system operated a mechanical device that at the time of the compromise was disconnected for scheduled maintenance. According to the report, the team determined that the "threat actor" likely had access to the system over an extended period of time, though the actor made no attempt to manipulate it.
ICS-CERT said both incidents point to the increasing need for critical infrastructure providers to keep up with perimeter security, remote access authentication and security monitoring capabilities to prevent adversaries from discovering and targeting vulnerable control systems and devices.
In addition to the detailed breach narratives, ICS-CERT reported that from January to March, it performed 20 security assessments for water, power and transportation providers, and nuclear facilities. Those assessments are typically performed at the request of providers after they have found evidence of a possible intrusion or experienced a cyberattack.
Mark Rockwell is a staff writer at FCW.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at firstname.lastname@example.org or follow him on Twitter at @MRockwell4.