Late yesterday the DHS ICS-CERT published the latest edition of their Monitor, a periodic report on the activities of the organization. This is one of the better issues, with some interesting topics.
As we have come to expect, ICS-CERT leads off the publication with a brief piece discussing a recent anonymized attack. Also, as we have come to expect, the attack being used in the discussion is on an organization that would be expected to have an extensive industrial control system operation (a water utility in this case), but the attack never apparently reached the control system.
The attack was a ransomware attack on the utility, so this is a timely issue. The author uses the mixed response from the utility (one system with good backup recovery and a second system with a backup recovery with significant gaps) to explicate the need for timely backups to respond to this type of attack. Unfortunately, the discussion never reaches beyond IT systems and the topic of backups for control systems is never broached.
The second article also addresses incident response, this time giving an overview of the role of ICS-CERT in incident response. The discussion is somewhat marred, however, by the apparently fictional response to a water utility incident that could be used as a story proposal for a CSI: Cyber television episode. While my cybersecurity application talents are more than a little out-of-date, I would be really surprised if the ICS-CERT team could remotely start an effective whitelisting application on a system before they had even seen network logs.
Protected Critical Infrastructure Information
The third major article is a brief overview of the importance of the PCII program. This is an important information sharing tool that allows a covered entity to submit data to a federal agency while protecting that information from public disclosure. The article does a good job of providing a description of the importance of the program and an overview of its protections.
The article does fall short, however, in failing to discuss the major problem with the program: facilities must use a very specific phrase at the start of any document that attempts to claim PCII protection. Failure to include the Express Statement (and the two other key pieces of information discussed on that page) will mean that the information will not be protected by the PCII program. While the article does provide a link to the extensive PCII web site, failure to explicitly mention that there are specific requirements for claiming PCII protections does a disservice to the readers.
To be fair this problem is not limited to this ICS-CERT article about the PCII program. I have not yet seen a government discussion of the PCII program that really emphasized the importance of properly claiming PCII protection.
NOTE: Remember that DHS is in the process of trying to revise the PCII regulations (see here and here).
No discussion of cybersecurity would be complete without the topic of passwords being addressed. The fourth (and last) major article of this issue of the Monitor addresses this important topic. While there have been periodic discussions in the industry of replacing passwords with some neat new technology, ICS-CERT apparently remains a strong proponent of strong passwords. Their definition of a strong password is now 12 characters using caps, lower case, numbers and symbols. Remember, it must be unique but easily remembered, as you should never write it down. Sharing passwords or multiple users using the same password are both strictly verboten.
There is an important caveat in the article that should be remembered by everyone:
“There is only one proven method to prevent your password from being cracked: leave your device sealed in the box in which it was shipped. Otherwise, all passwords can be cracked. Given enough time and processing power, even the longest most random password can be cracked.”
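As an added illustration (not code from the Monitor or from ICS-CERT), the snippet below checks a password against the 12-character, four-class definition summarised above, flags passwords shared between accounts, and puts a number on the article's caveat by estimating how long exhaustive guessing of that policy's keyspace would take at an assumed guess rate. The guess rate and the sample accounts are constructed assumptions.

```python
import string

# ICS-CERT's definition as summarised in the post: 12 characters drawing on
# upper case, lower case, digits and symbols.
MIN_LENGTH = 12
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
# Size of the alphabet the policy draws from (printable ASCII minus space).
ALPHABET_SIZE = sum(len(members) for members in CLASSES.values())


def policy_gaps(password):
    """Return the list of requirements a candidate password fails to meet.
    An empty list means the password satisfies the 12-char, four-class rule."""
    gaps = []
    if len(password) < MIN_LENGTH:
        gaps.append("length")
    chars = set(password)
    for name, members in CLASSES.items():
        if not chars & members:
            gaps.append(name)
    return gaps


def shared_passwords(accounts):
    """Map each password used by more than one account to the users sharing it.
    accounts: dict of user -> password, evaluated at password-set time; a real
    deployment would compare salted hashes rather than keep a plaintext table."""
    by_password = {}
    for user, pw in accounts.items():
        by_password.setdefault(pw, []).append(user)
    return {pw: users for pw, users in by_password.items() if len(users) > 1}


def brute_force_years(length, alphabet_size, guesses_per_second):
    """Expected years to search half the keyspace at the given guess rate.
    This is the article's caveat in numbers: the figure is finite for any
    policy, so the defender's lever is length and alphabet, not secrecy alone."""
    keyspace = alphabet_size ** length
    seconds = keyspace / 2 / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    print(policy_gaps("Tr0ub4dor&3"))              # one character short
    print(brute_force_years(12, ALPHABET_SIZE, 1e10))  # assumed 10^10 guesses/s
```

Running the comparison for an 8-character password under the same assumed guess rate shows why the policy moved to 12 characters: the 8-character keyspace falls in well under a year.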
This issue includes all of the standard blurbs that we have come to expect, including:
• Onsite Assessments Activity;
• ICS-CERT News;
• Recent Product Releases;
• Coordinated Vulnerability Disclosure;
• Open Source Situational Awareness Highlights; and
• Upcoming Events
It is nice to see three chemical sites listed in the Onsite Assessments Activity chart. At the risk of offending the increasing number of businesses that provide a for-fee assessment (a valuable service that should be encouraged), any facility that is being regulated by a federal government program that addresses cybersecurity of control systems (not many, to be sure) would be foolish not to avail themselves of the free assessments provided by ICS-CERT. That assessment should be supplemented by the best fee-based assessment that the budget allows, but an ICS-CERT assessment has got to look good to any Federal inspector.
The ICS-CERT news piece in this issue was yet another non-update on the December Ukraine attacks. Apparently ICS-CERT has no new information that can be shared with the general control system community. It does plug the latest update to IR-ALERT-H-16-043-01BP, “Cyber-Attack Against Ukrainian Critical Infrastructure”. This is only available on the US CERT Secure Portal. You can request access through ICS-CERT (see the ‘I Want To’ box on the bottom of their landing page).
There is an ironic touch in the discussion of coordinated disclosures this month. The first name on the list of personnel being praised for coordinated disclosures is none other than Reid Wightman for his work on the Moxa vulnerabilities. I am sure that this mention makes Reid very happy.