Today the DHS ICS-CERT people published their January edition of their Monthly Monitor, a brief look at industrial control system news over the previous month. This issue highlights two ICS-CERT incident responses in December (one that you may have heard about in the news), industrial cellular security, a short 2011 cybersecurity review and the standard sections that been a major part of the Monthly Monitor’s outreach efforts on behalf of ICS-CERT.
Two Incident Responses
As you would expect, ICS-CERT can’t go into a lot of details in publicly describing any of the incidents that they have been involved in investigating or evaluating; but these two short reports provide some invaluable information about the responses from ICS-CERT and the types of problems that face the community. One dealt with a chemical facility and the other dealt with a railroad.
The chemical facility incident did not apparently involve an actual control system. Rather an advanced persistent attach had been discovered and the company was concerned that it might have involved data exfiltration. The involvement of the control systems at the company might, thus have been placed in a compromised situation.
The result was that “ICS-CERT assisted the company with identifying the scope of the infection and by providing analysis and mitigations for eradicating the threat actor from their network” (page 1). Hopefully it also provided some educational assistance at avoiding similar troubles in the future.
The second response story apparently relates to an incident that made the news earlier this month where one DHS organization announced that there had been a foreign based cyber-attack on a railroad control system. Apparently this was more of an attack than we had seen in the water system story, but it wasn’t an attack specifically directed at the railroad. The article reminds security managers that (page 1):
“This incident underscores that Critical Infrastructure Key Resource (CIKR) own-ers and operators should evaluate existing cybersecurity countermeasures they have in place against broader cybersecurity risks. Any number of non-targeted cybersecurity events can impact operations when systems are Internet accessible.”
As is usual with this newsletter, the publishing team includes links to ICS-CERT or US-CERT documents that provide additional information regarding the topic. In this case they link to a short handout about ICS-CERT incident handling procedures with emphasis on how to get ready for a fly-away team investigation.
Industrial Cellular Security
There is a full page article about security issues associated with the wide variety of cellular devices that are available for industrial control system applications. It’s a very interesting primer; well worth the read. There are two interesting outside-of-DHS documents listed in the article, unfortunately the links were corrupted in the printing process; cut-and-paste them though and they work fine.
Coordinated Disclosure Researchers
At the end of every issue, ICS-CERT makes a plug for its coordinated disclosure program. Knowing that many researchers can use the free publicity, they include a listing of researchers that are currently working with ICS-CERT to help resolve exploits that they have discovered. Their efforts are apparently succeeding as the list of names continues to grow each issue. In fact, they have expanded the effort by adding a listing of ‘Notable’ researchers, listing the specific projects that they have worked on.
An interesting note about these two lists of researchers is the inclusion of one specific name that is well known to readers of this blog; Luigi Auriemma. Readers will certainly remember that Luigi sprang full blown on the ICS scene with a large number of uncoordinated disclosures on a single day; he took a lot of heat for that from a number of people. Apparently ICS-CERT has forgiven Luigi his trespasses and brought him at least partially into the fold; welcome Luigi.