The Department
of Homeland Security and the Federal Bureau of Investigation have reissued
their warning from last year that industrial control systems that operate
critical infrastructure and complicated machinery are still not properly
protected.
Thousands of
industrial control systems that are connected to the Internet lack proper
firewalls or aren't using strong authentication methods, making them vulnerable
to attack, the Industrial Control Systems Cyber Emergency Response Team
(ICS-CERT) at the Department of Homeland Security said in its warning Dec. 9.
Malicious
perpetrators can discover these industrial control systems using search engines
such as Shodan, which indexes devices with embedded and active Web servers,
according to the warning.
Control
systems don't need to be connected to the Internet, but they are often online
to make it easier for administrators to remotely monitor the systems. "All
too often, remote access has been configured with direct Internet access (no
firewall) and/or default or weak user names and passwords," said ICS-CERT
in its warning, adding that adversaries can use the information to identify
control systems that are vulnerable to attack.
There's a
trade-off between making it easy to do work and increasing security, Joe
Schorr, enterprise security practice manager for Creative Breakthroughs, told eWEEK. Organizations have to decide
whether the systems and data being protected are worth locking down business,
Schorr said.
"ICS-CERT
is tracking and has responded to multiple reports of researchers using Shodan,
Every Routable IP Project (ERIPP), Google and other search engines to discover
Internet-facing control systems," according to the alert.
The increasing
"connectedness" of infrastructure not only makes utility companies
more vulnerable to cyber-attacks, but also increases the effect on other
infrastructure capabilities when one is affected, Chris Petersen, CTO of LogRhythm,
told eWEEK.
The
supervisory control and data-acquisition systems used within industrial
companies were not designed to be secure, and much of the existing
infrastructure was developed and deployed prior to the Internet, according to
Petersen. Security was considered in the physical sense, so many of the devices
transmit data in clear text, have limited or nonexistent logging capabilities
and employ very basic authentication methods, Petersen said.
"Nobody
imagined SCADA [supervisory control and data acquisition] devices and their
associated serial protocols would later be converted to IP and made accessible
to untrusted networks," said Petersen.
ICS-CERT said
that it's working with control system vendors to remove default credentials
from their products, especially since so many of these credentials are
mentioned in publicly accessible materials.
The attacks
against industrial control systems are not theoretical: a senior FBI
official admitted that intruders recently compromised utilities
in at least three U.S. cities but caused no damage. Industrial and chemical
companies are also under regular cyber-attack.
Symantec
issued a warning Oct. 31 about a malware attack, dubbed Nitro, which targeted
chemical and military industries between July and September. The perpetrators
behind the attack "persist in continuing their activities unchecked,"
using the same social-engineering techniques and same hosting provider to host
their command and control servers, wrote Tony Millington and Gavin O’Gorman,
security researchers at Symantec
Security Response.
Symantec claimed
to have disrupted the campaign in September, so it wasn't clear how the
attackers had managed to revive their operations. Symantec said the domains
that were used have been shut down again.
What appears
to have changed since the warning was publicized is that some of the attack
emails now attempt to impersonate Symantec. The subject line of the malicious
email was "Symantec Security Warning!" and the message
contained information about Symantec supposedly releasing new antivirus software
capable of detecting and removing the Poison Ivy Trojan, used as part of the
Nitro campaign.
"The
attackers, in an attempt to lend some validity to their email, are sending a
document to targets that describes their very own activity," wrote
Millington and O’Gorman.
Nitro
attackers have switched targets over the past few months, Mary Landesman,
senior security researcher at Cisco Security, said Dec. 13 at a news
conference. The campaign initially targeted industrial companies in June,
shifted to aviation companies with ties to the federal government in August and
peaked in September by hitting chemical companies, according to Cisco Security
research. In many cases, the victims saw the attack emails and realized it
"probably" wasn't real, but they took the "let's see what it is,
anyway" approach, Landesman said. In this case, "curiosity killed the
cat," or the company, she said.