Friday, June 28, 2013

DHS Publishes ICS-CERT Monitor

Yesterday the DHS ICS-CERT published their now quarterly (formerly monthly) Monitor. This issue is important because it describes publicly, for the first time, the first well-documented (though unsuccessful) attacks on privately-owned control systems.

Pipeline Control System Attacks

We have been hearing about these pipeline attacks for some time now, but the article in the Monitor provides information about the extent of the attack without providing any sensitive details.

One of the more important pieces of information provided in the article was that the initial report to ICS-CERT of these attacks came from a single owner “about an increase in brute force attempts to access their process control network”. System logs identified 10 IP addresses associated with the attempted access. When ICS-CERT shared those addresses with other operators, similar attempted attacks were found in additional facilities' system logs and more IP addresses were identified. This, again, demonstrates the need for maintaining and checking system logs.
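A defender-side illustration of the log review the article calls for, added here and not part of the Monitor or of this post: it counts failed logins per source address in constructed sample log lines, flags sources above a brute-force threshold, and cross-checks a constructed shared indicator list so a site can both act on indicators it receives and identify new ones worth reporting. The log format, IP addresses and threshold are assumptions, not details from the ICS-CERT report.

```python
"""Brute-force detection over control-network auth logs plus indicator sharing (added example)."""
from collections import Counter
import re

# Constructed sample lines in a generic sshd-style failed-login format.
SAMPLE_LOG = """\
Jun 20 02:11:04 hmi01 sshd[412]: Failed password for operator from 203.0.113.7 port 51022
Jun 20 02:11:05 hmi01 sshd[412]: Failed password for operator from 203.0.113.7 port 51023
Jun 20 02:11:06 hmi01 sshd[412]: Failed password for admin from 203.0.113.7 port 51024
Jun 20 02:11:07 hmi01 sshd[412]: Failed password for admin from 203.0.113.7 port 51025
Jun 20 02:11:08 hmi01 sshd[412]: Failed password for root from 203.0.113.7 port 51026
Jun 20 03:40:12 hmi01 sshd[418]: Failed password for operator from 198.51.100.9 port 40001
Jun 20 03:41:50 hmi01 sshd[419]: Accepted password for operator from 192.0.2.20 port 40212
Jun 20 04:02:33 hmi01 sshd[420]: Failed password for admin from 198.51.100.44 port 40300
Jun 20 04:02:34 hmi01 sshd[420]: Failed password for admin from 198.51.100.44 port 40301
"""

FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>[\d.]+)")

def failed_logins_by_ip(log_text):
    """Count failed logins per source IP (successful logins are ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def brute_force_sources(log_text, threshold=5):
    """Source IPs with at least `threshold` failures: likely brute force."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text).items() if n >= threshold)

def match_shared_indicators(log_text, shared_ips):
    """IPs from a shared indicator list seen in local logs, even below the threshold."""
    seen = failed_logins_by_ip(log_text)
    return sorted(ip for ip in shared_ips if ip in seen)

def new_indicators_to_share(log_text, shared_ips, threshold=5):
    """Local brute-force sources not already on the shared list (candidates to report)."""
    return sorted(set(brute_force_sources(log_text, threshold)) - set(shared_ips))

if __name__ == "__main__":
    shared = ["198.51.100.44"]  # constructed: an address received via an indicator bulletin
    print("brute force sources:", brute_force_sources(SAMPLE_LOG))
    print("matches to shared list:", match_shared_indicators(SAMPLE_LOG, shared))
    print("new indicators to report:", new_indicators_to_share(SAMPLE_LOG, shared))
```

Note that the low-volume source on the shared list is caught only because the indicator was shared; on its own it would sit below the threshold.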

The article also mentions, for the first time that I have seen, the existence of the ‘Control Systems Center’ on the US-CERT Secure Portal and notes that:

“ICS-CERT periodically releases alerts, advisories, and indicator bulletins via the Control Systems Compartment of the US-CERT Secure Portal that provides critical infrastructure constituents with information intended to be useful for network defense.”

We have seen some of these documents make their way to the ICS-CERT web page, but only after they have been available for a couple of weeks on the Portal. It seems to me that owners and operators of control systems owe it to themselves to ensure that they at least have representatives who can routinely access and monitor this site for valuable information.

Outside Contributors

This issue marks the first time that the Monitor has included articles from outside contributors. Kyle Wilhoit from Trend Micro wrote “Your SCADA Devices Are Being Attacked” and Reid Wightman from IOActive wrote “Why Sanitize Excessed Equipment”. Both short pieces provide valuable information. Inclusion of these outside contributors can only make the Monitor more helpful and maybe bring it back to a mostly monthly publication.

Other Offerings

There is a summary type article about the recent Verizon 2013 data breach report. For those that don’t have time to read the gritty details of that report, this is a good summary. ICS-CERT notes that they were one of the 19 global reporters of incident data that helped Verizon with that report.

There is a belated report on the introduction of CSET 5.0. There is still some good information, particularly about the changes that will probably be included in the next version. The article notes that customer feedback is one of the sources of new ideas that ICS-CERT is trying to target in future versions. If you have ideas or comments, contact the ICS-CERT folks at

All of the standard features we have come to expect in the Monitor are still here. The list of security researchers that are currently working with ICS-CERT continues to grow. All of these people should be encouraged to continue to publicly disclose (preferably through coordinated disclosure, IMHO) the ICS vulnerabilities that they discover. As a community we need to develop some way to reward them for their efforts so that they don’t have to sell their research to the highest bidder, who will probably keep the vulnerabilities quiet.
