Homeland Security's ICS-CERT warned that industrial control systems are still vulnerable and need to be protected.
of Homeland Security and the Federal Bureau of Investigation have reissued
their warning from last year that industrial control systems that operate
critical infrastructure and complicated machinery are still not properly
industrial control systems that are connected to the Internet lack proper
firewalls or aren't using strong authentication methods, making them vulnerable
to attack, the Industrial Control Systems Cyber Emergency Response Team
(ICS-CERT) at the Department of Homeland Security said in its warning Dec. 9.
perpetrators can discover these industrial control systems using search engines
such as Shodan, which indexes devices with embedded and active Web servers,
according to the warning.
systems don't need to be connected to the Internet, but they are often online
to make it easier for administrators to remotely monitor the systems. "All
too often, remote access has been configured with direct Internet access (no
firewall) and/or default or weak user names and passwords," said ICS-CERT
in its warning, adding that adversaries can use the information to identify
control systems that are vulnerable to attack.
trade-off between making it easy to do work and increasing security, Joe
Schorr, enterprise security practice manager for Creative Breakthroughs, told eWEEK
. Organizations have to decide
whether the systems and data being protected are worth locking down business,
is tracking and has responded to multiple reports of researchers using Shodan,
Every Routable IP Project (ERIPP), Google and other search engines to discover
Internet-facing control systems," according to the alert.
"connectedness" of infrastructure not only makes utility companies
more vulnerable to cyber-attacks, but increases the effect on other
infrastructure capabilities when one is affected, Chris Petersen, CTO of LogRhythm,
supervisory control and data-acquisition systems used within industrial
companies were not designed to be secure, and much of the existing
infrastructure was developed and deployed prior to the Internet, according to
Petersen. Security was considered in the physical sense, so many of the devices
transmit data in clear text, have limited or nonexistent logging capabilities
and employ very basic authentication methods, Petersen said.
imagined SCADA [supervisory control and data acquisition] devices and their
associated serial protocols would later be converted to IP and made accessible
to untrusted networks," said Petersen.
that it's working with control system vendors to remove default credentials
from their products, especially since so many of these credentials are
mentioned in publicly accessible materials.
against industrial control systems are not theoretical, as a senior FBI
official admitted that recently intruders compromised utilities
in at least three U.S. cities
but caused no damage. Industrial and chemical
companies are also under regular cyber-attack.
issued a warning Oct. 31 about a malware attack, dubbed Nitro, which targeted
chemical and military industries between July and September. The perpetrators
behind the attack "persist in continuing their activities unchecked,"
using the same social-engineering techniques and same hosting provider to host
their command and control servers, wrote Tony Millington and Gavin O'Gorman,
security researchers at Symantec
to have disrupted the campaign in September, so it wasn't clear how the
attackers had managed to revive their operations. Symantec said the domains
that were used have been shut down, again.
to have changed since the warning was publicized, is that some of the attack
emails now attempt to impersonate Symantec. The subject line for the malicious
email was titled "Symantec Security Warning!" and the message
contained information about Symantec supposedly releasing new antivirus software
capable of detecting and removing the Poison Ivy Trojan, used as part of the
attackers, in an attempt to lend some validity to their email, are sending a
document to targets that describes their very own activity," wrote
Millington and O'Gorman.
attackers have switched targets over the past few months, Mary Landesman,
senior security researcher at Cisco Security, said Dec. 13 at a news
conference. The campaign initially targeted industrial companies in June,
shifted to aviation companies with ties to the federal government in August and
peaked in September by hitting chemical companies, according to Cisco Security
research. In many cases, the victims saw the attack emails and realized it
"probably" wasn't real, but they took the "let's see what it is,
anyway" approach, Landesman said. In this case, "curiosity killed the
cat," or the company, she said.