Two intrusions into control-system networks revealed in a recent report underscore that such systems continue to be the focus of online attackers and remain vulnerable, but details of the motives and methods of attackers continue to be lacking.
In one incident, described in the Industrial Control System Computer Emergency Readiness Team (ICS-CERT) Monitor Newsletter, attackers compromised the control-system network of a utility, after the unspecified company left a management system open to access from the Internet. The attacker used a brute-force password attack to gain access to the system, the ICS-CERT report stated.
"This incident highlights the need to evaluate security controls employed at the perimeter and ensure that potential intrusion vectors—(for example) remote access—are configured with appropriate security controls, monitoring, and detection capabilities," ICS-CERT stated in the report. A second attack, also mentioned in the report, appeared to be less serious, with the attacker gaining access to the controlling server for a mechanical device. The device, however, was not connected and undergoing maintenance, the report stated.
While the ICS-CERT report gives few public details of the incidents, the attacks show that utilities and control systems remain a target of online hackers, said Tim O'Brien, director of threat intelligence for Norse, a security information firm.
"The security posture for utilities, for industrial control systems, that run our critical infrastructure is about at the same level as the PC business infrastructure was back in the 1980s," O'Brien told eWEEK. "It just isn't there."
Security flaws in the software on which industrial control systems rely certainly resemble those of more than decade ago, with remotely exploitable vulnerabilities predominating. In 2013, the ICS-CERT received information on 177 vulnerabilities and worked with more than 50 ICS vendors to fix the issues. Seven out of eight issues were remotely exploitable, according to the ICS-CERT's Monitor Newsletter.
While anecdotal evidence exists of security problems in the utilities sector, most incidents have not been made public and a recent report from security metrics firm BitSight appears to show that the utility sector is doing a good job securing its systems. The report evaluated the security posture of companies in four industries based on external indicators such as whether computers communicating from a company's IP address space communicated with known botnets.
The utility sector as a whole had the second-best security score, just under the financial industry. Yet the problem could be in the data, because utilities do not have many public-facing systems and security missteps could be camouflaged, Stephen Boyer, CEO of BitSight, told eWEEK.
"I don't know if it is a disclosure issue, or the performance is really that much better," Boyer said. "What we can see empirically in our data is it is that much better."