Friday, November 25, 2011

Russian Hack Explained

On Wednesday I reported on the DHS ICS-CERT bulletin concerning the reported hack of an Illinois water system that apparently wasn’t a hack. The bulletin made very clear that the ICS-CERT flyaway team could find no evidence of a hack of the control system. There was an odd statement in that bulletin, however, relating to the Russian connection. It stated that:

“In addition, DHS and the FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported.”

While we still haven’t seen the Illinois Statewide Terrorism & Intelligence Center (ISTIC) report that started this discussion, Joe Weiss was very clear that the copy of the For Official Use Only (FOUO) report that he saw clearly indicated that the cyber-attack originated from a Russian IP address. Joe specifically reported that:

The IP address of the attacker was traced back to Russia.

Looking at the two statements, it seems clear that there must have been access to the system from an IP address in Russia. An article today explained how that happens: according to the article, an unnamed source reported that a contractor “who had remote access to the computer system, was in Russia on personal business”. That would explain how a Russian IP address showed up in the communications logs of the control system.

Now it seems clear that a cyber investigator who was less than proficient in control system forensics (and that would cover the vast majority of cyber investigators) saw some apparent irregularities associated with communications from a Russian IP address. Add in some recent news stories about control-system-related attacks like Nitro and Duqu (I know neither targeted control systems, but you would be hard pressed to know that based upon many press reports) and one can understand how an investigator could jump to a control system hack as an explanation for an unexpected equipment failure.
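The lesson of the Russian IP address is that a foreign source address in a remote-access log is not, by itself, evidence of an intrusion; the first check is whether the session authenticated as an account that is authorized for remote access, and only then whether the location is unexpected and needs to be confirmed with the account holder. The following triage script is an added example of that check; it is not code from this post, from ICS-CERT, or from the utility or its contractor. The log format, account names, IP addresses, and the prefix-to-country mapping are all constructed for the example (a real deployment would use a GeoIP database and the gateway's actual log format).

```python
"""
Triage remote-access log entries by account and source country.

Constructed example: given remote-access gateway log lines and a roster of
accounts authorized for remote access, classify each successful session as
  "authorized"              roster account from an expected country
  "authorized-unusual-geo"  roster account from an unexpected country;
                            verify with the account holder (e.g. a
                            travelling contractor) before calling it a hack
  "unknown-account"         not on the roster; treat as suspect
and count failed logins per source address.
Everything below (format, names, IPs, geolocation table) is an assumption.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed log lines in a hypothetical gateway format.
SAMPLE_LOG = """\
2011-11-08 08:15:02 vpn-gw session-start user=mjohnson src=198.51.100.23 result=success
2011-11-08 14:41:17 vpn-gw session-start user=contractor01 src=203.0.113.77 result=success
2011-11-08 14:43:05 vpn-gw session-start user=contractor01 src=203.0.113.77 result=success
2011-11-09 03:02:44 vpn-gw session-start user=admin src=192.0.2.9 result=failure
2011-11-09 03:02:51 vpn-gw session-start user=admin src=192.0.2.9 result=failure
2011-11-09 09:30:00 vpn-gw session-start user=unknownuser src=192.0.2.9 result=success
"""

# Hypothetical roster: account -> set of countries it is expected to connect from.
AUTHORIZED = {
    "mjohnson": {"US"},
    "contractor01": {"US"},
}

# Stand-in for a GeoIP lookup: constructed mapping of documentation prefixes
# to country codes (assumption, not real geolocation data).
GEO = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "RU",
    ipaddress.ip_network("192.0.2.0/24"): "CN",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ session-start "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    country: str
    verdict: str


def geolocate(ip: str) -> str:
    """Return the country code for ip from the constructed GEO table, or '??'."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"


def parse_line(line: str):
    """Parse one gateway line into a dict, or None if it is not a session-start."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict, roster=AUTHORIZED) -> Finding:
    """Apply the account-first, geography-second decision to one entry."""
    country = geolocate(entry["src"])
    if entry["result"] != "success":
        verdict = "auth-failure"
    elif entry["user"] not in roster:
        verdict = "unknown-account"
    elif country not in roster[entry["user"]]:
        verdict = "authorized-unusual-geo"
    else:
        verdict = "authorized"
    return Finding(entry["ts"], entry["user"], entry["src"], country, verdict)


def triage(log_text: str, roster=AUTHORIZED):
    """Classify every session-start line; also count failed logins per source."""
    entries = (parse_line(l) for l in log_text.splitlines())
    findings = [classify(e, roster) for e in entries if e]
    failures = Counter(f.src for f in findings if f.verdict == "auth-failure")
    return findings, failures


if __name__ == "__main__":
    findings, failures = triage(SAMPLE_LOG)
    for f in findings:
        print(f"{f.ts} {f.user:<13} {f.src:<15} {f.country} {f.verdict}")
    for src, n in failures.items():
        print(f"{n} failed logins from {src}")
```

In the constructed data the two sessions from the Russian prefix are flagged "authorized-unusual-geo" because they authenticated as a roster account; that is a prompt to call the contractor, not a finding of compromise. The "unknown-account" session and the repeated failures from the same address are the entries that would justify involving ICS-CERT.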

Contact ICS-CERT

Once again this points out the need for control system owners (and supervisory contractors such as MECO Engineering for the Curran Gardner Township PWD) to contact ICS-CERT if they suspect that unusual control system actions may be related to a cyber-intrusion. ICS-CERT maintains the following contact information on its web site.

• E-mail -
• Phone - 1-877-776-7585

ICS-CERT recommends that facilities sending sensitive information to ICS-CERT first download its public key so that the information can be encrypted in transit.
