Infrastructure cyber intrusion: A cautionary tale
ICS-CERT typically does not provide much detail when reporting incursions, but it made an exception for two recent cases to highlight the dangers.
The Department of Homeland Security revealed the details of cyber incursions at two critical infrastructure providers to remind power, water and electricity companies that they need to pay closer attention to their control systems.
In its latest "ICS-CERT Monitor" report, the Industrial Control Systems Cyber Emergency Response Team said that in the past few months, it had assessed the potential damage done by cyber intruders that had burrowed into control systems at two critical infrastructure providers.
Although the team typically does not provide much detail in its reporting of critical infrastructure attacks, it made an exception to provide a cautionary tale for those responsible for securing critical infrastructure networks.
The group noted that cyberattackers can identify and target ICS devices more easily now because of an increasing body of knowledge detailing ICS-specific terminology. Given the public availability of that information and the reach of powerful search tools such as Shodan and Google, the threshold for finding vulnerable systems is lower than ever, the report states.
The team did not name the two infrastructure providers but said one was a public utility that was compromised when "a sophisticated threat actor" accessed its control network via Internet-facing hosts that had been secured with only a simple password. The intruder used brute-force techniques to find that password.
After the intrusion was discovered, ICS-CERT was asked to analyze what had happened. The report states that the systems were exposed to numerous security threats and that intruders had used the unlocked door before. The team recommended redesigning the system.
In the second attack detailed in the report, an intruder used a cellular modem to access a control system server via supervisory control and data acquisition protocols. The unprotected system operated a mechanical device that at the time of the compromise was disconnected for scheduled maintenance. According to the report, the team determined that the "threat actor" likely had access to the system over an extended period of time, though the actor made no attempt to manipulate it.
ICS-CERT said both incidents point to the increasing need for critical infrastructure providers to keep up with perimeter security, remote access authentication and security monitoring capabilities to prevent adversaries from discovering and targeting vulnerable control systems and devices.
In addition to the detailed breach narratives, ICS-CERT reported that from January to March, it performed 20 security assessments for water, power and transportation providers, and nuclear facilities. Those assessments are typically performed at the request of providers after they have found evidence of a possible intrusion or experienced a cyberattack.