Monday, October 17, 2011

ICS-CERT Warns of Anonymous Potential to Attack Control Systems

Thanks to the folks at PublicIntelligence.net for posting a copy of the FOUO bulletin from DHS ICS-CERT concerning their assessment of the threat from Anonymous to attack control systems. ICS-CERT looks at reports that Anonymous has recently expressed an interest in targeting industrial control systems (ICS). They look at open source reports related to capabilities and intentions.

WARNING: Under the Obama Administration’s WikiLeaks doctrine, government employees and contractors accessing this document or discussing its contents on the internet may be liable to disciplinary action up to and including dismissal.

The summary of the document states that:

“While Anonymous recently expressed intent to target ICS, they have not demonstrated a capability to inflict damage to these systems, instead choosing to harass and embarrass their targets using rudimentary attack methods, readily available to the research community. Anonymous does have the ability to impact aspects of critical infrastructure that run on common, internet accessible systems (such as web-based applications and windows systems) by employing tactics such as denial of service. Anonymous’ increased interest may indicate intent to develop an offensive ICS capability in the future. ICS-CERT assesses that the publically available information regarding exploitation of ICS could be leveraged to reduce the amount of time to develop offensive ICS capabilities. However, the lack of centralized leadership/coordination and specific expertise may pose challenges to this effort.”

Politicizing Hacking

The increasing politicization of the hacktivist community probably increases the potential threat of successful attacks on industrial control systems. While there is probably only a small minority of that community with an interest in attacking chemical control systems for political reasons, the generally anarchistic nature of the hacktivist community ensures that there will be a significant amount of information and assistance available for anyone within that community desiring to conduct such attacks.

Moreover, unsuccessful or partially successful attacks are sure to encourage apolitical members of the community to press those attacks to completion just to establish or increase community credibility.

Known terrorist or extremist groups desiring to attack chemical facilities to turn them or their products into chemical weapons have long been the concern of security professionals and politicians, even though these potential attacks are low-probability events. The possibility of hacktivist attacks raises the stakes by increasing the universe of potential attackers; attackers that will be harder to detect in the pre-attack process.

Negative Comments about Siemens

In the closest thing that I have seen from ICS-CERT to expressing concerns about Siemens control systems, the report notes that an anonymous (as opposed to Anonymous, I suppose) individual tweeted about access to multiple Siemens control systems. While ICS-CERT doubted the extent of those claims, they did note that the code published could be “used to create password dump files for a human-machine interface control system software product from Siemens” (page 2).

They also noted that additional code published by the individual “is used in server communication with control system devices such as programmable logic controllers, remote terminal units, intelligent-electronic devices, and industrial controllers”. ICS-CERT notes that this is not directly exploitable code, but it is a necessary precursor to producing such code.

Preventing Attacks

The ICS-CERT report closes with:

“Asset owners and operators of critical infrastructure control systems are encouraged to engage in addressing the security needs of their control system assets.”

This is extremely helpful information (pardon the sarcasm), but it is a valid point. It would be more helpful and valid if ICS-CERT hadn’t put FOUO markings on this document, which would have allowed wider dissemination of it. It could have actually been posted on the ICS-CERT open web page, for instance.

BTW: ICS-CERT authors need to pay a little closer attention to their paragraph classification markings (those codes at the beginning of each paragraph that tell readers which portions of the document actually contain protected information). The first paragraph under the “ICS-CERT Assessment of Capabilities” clearly should be marked ‘(U)’ since it just describes a Twitter post; clearly not protected information.
