February 2012 ICS Monthly Monitor

On Friday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published their February 2012 issue of the Monthly Monitor. This issue includes a brief description of a government facilities incident independently identified by ICS-CERT and a lengthy discussion about network-based intrusion detection systems (NIDS) for control systems.

Incident Description

The incident briefly described on the first page of the monitor deals with a government owned control system of a type frequently overlooked in the general discussion of industrial control systems, an environmental control system for a building. While not directly involved in the production of commercial products they may be used in an important support role in many manufacturing locations (clean rooms for instance).

In this instance ICS-CERT somehow (not discussed in the brief report for obvious reasons) detected the intrusion into the environmental control system of an unidentified state government building. Facility personnel had already detected unauthorized adjustments to the control system and had already reconfigured their system to remove internet access to the controls.

ICS-CERT determined that the access had been made through the Internet interface for the system even though it had been configured to require a password. The report does not note whether the password had been a default password, if it had been compromised or if it had been broken by a bruit-force attack.

The most interesting thing about this brief report is that ICS-CERT contacted the facility not the other way around. As with the ‘water system hack’ last year it is becoming increasingly evident that the services of ICS-CERT are not adequately known or facilities are reluctant to report incidents to the one government agency most likely to be able to help them deal with a control system intrusion or attack.

Situational Awareness

In the Situational Awareness article there is an informative write up about NIDS and two open source NIDS packages recently upgraded (SNORT) or being upgraded (Suricata) to be useful in detecting control systems intrusions. This information alone in the article makes it well worth reading, but the lengthy article also addresses two other ICS issues of at least equal importance; Project Basecamp and source code exfiltration.

Project Basecamp is certainly not new and it has been addressed by ICS-CERT in advisories and alerts, but this is the first time that ICS-CERT has actually described the Project Basecamp process and discussed its consequences (and yes, it does include the appropriate links to the source material). Nothing really new informationally here, but it is a valuable acknowledgement of the importance of Project Basecamp.

The recent public exposure of the source code for two Symantec products (Norton Anti-virus and PCAnywhere) is addressed in the portion of the article about source code. While these two specific incidents have been addressed in more depth elsewhere, this Monthly Monitor piece addresses the general potential importance of exfiltrating control system source code. While identification of system vulnerabilities is the most obvious problem with gaining access to the source code for any application this ICS-CERT write-up identifies an even scarier potential problem modifying the code to implant backdoors and other vulnerabilities and re-infiltrating the code on the vendor’s site for distribution. Similar problems could occur if doctored counterfeit copies of the system were sold on the black market.

The Situational Awareness article closes with a well-deserved plug for the ICS-CERT CSET Assessment Tool and the on-site assistance that ICS-CERT can provide for using that tool to conduct an in depth assessment of the security of a facility’s control system.

Another Good Monthly Monitor Issue

The other standard features of the Monthly Monitor provide a wealth of valuable ICS-CERT information (list of ICS-CERT alerts and advisories from February) and links to other sources of ICS security information. The plug for coordinated vulnerability disclosure includes even further expanded recognition of researchers who do not fully work ‘within the system’ on vulnerability disclosures by recognizing researchers who do assist in the validation of patches developed in response to their uncoordinated disclosures.

All in all this is another example of the type of open-source information sharing that should be the hallmark of any public-private partnership on ICS security.