Yesterday afternoon the folks at ICS-CERT
published the
latest edition of their Monthly Monitor. As usual, there is lots of good
information, but this one may be especially important because of the
description of another industry-wide spear phishing attack.
Gas Phishing
As I would expect from an open-distribution intelligence
report, there is a dearth of detail in the report. We do
know that it is a spear phishing attack targeted on the gas pipeline industry
and that it is ‘tightly focused’ in its targeting. The closest we get to
specifics is that “the e-mails have been convincingly crafted to appear as
though they were sent from a trusted member internal to the organization”. This
would seem to indicate that there has already been some intelligence collection
effort put into the attack before the targeted emails had been sent.
There is also nothing in this report that specifically
mentions if control systems were (or were not) ultimately targeted in this
attack. Since this is an ICS-CERT report about their response to the attacks,
one could be forgiven for making the assumption that the ‘tightly focused’
targeting was directed at personnel within the organizations with direct
control system access from their laptop or desktop computers.
Because of my brief exposure to military intelligence (and
even more briefly counter-intel) many years ago I fully understand why this
report had to be so vague. I wouldn’t be truthful if I didn’t note that my
curiosity was severely annoyed by the lack of details, but I do understand.
Fortunately the article does note that people in the affected industry can get
additional details about this attack via the US-CERT Control Systems Secure
Portal. As one would expect, there is a vetting process, but critical
infrastructure owner/operators can apply for access via an email to
I would certainly recommend that security managers or
cybersecurity managers petition for this access as soon as possible. The
Monitor article notes that an alternative source for this information would be
the critical infrastructure sector Information Sharing and Analysis Center
(ISAC). NOTE: The chemical sector does not have an ISAC.
I would like to reiterate a point that is made in the
closing paragraph of this article in the Monitor; ICS-CERT is only able to
share this information because affected personnel reported the suspected attack
to them in a timely manner. The article notes (page 1):
“In this particular campaign,
reporting organizations enabled ICS-CERT to analyze the data and create an
overall view of the activity in progress. This would not have been possible
without the active cooperation of the reporting organizations, so ICS-CERT
commends those involved and requests continued private sector reporting
whenever possible.”
While the information sharing bill (HR
3523) recently passed in the House had no real provisions included for
encouraging or requiring information sharing between the government and the
private sector, this situation shows that at least within the control system
security community there may not be a real need for such legislation. In this
instance, at least, there appears to have been the type of cooperation and
information sharing that should be a model for other sectors.
More information on the US-CERT Secure Portal is included in
a separate article on page 5 of the Monthly Monitor.
Situational Awareness
The ‘Situational Awareness’ section of the Monitor again has
a number of brief but interesting articles covering a wide spectrum of control
system security issues. The articles address:
• Risk management planning for the electricity sector;
• ICS tabletop security exercises; and
• Planning for a cyber-incident.
Again, because of my military background, I am a firm
believer in conducting emergency response exercises of all types. There is an
old military adage that no plan survives contact with the enemy, but the more
often you practice anything the better you will be at it when the real thing
comes around. As the tabletop security exercise article notes, if you need
more information on, or want assistance with, an ICS exercise contact the folks
at ICS-CERT (cssp@hq.dhs.gov; Note:
this is a different email address than normally given for ICS-CERT).
Coordinated Disclosures
All of the normal features that we have come to expect in
the Monthly Monitor (Have I mentioned recently how much I appreciate the effort
that has gone into this publication?) are in this issue and well worth the
brief time necessary to review them.
I do want to make one specific point about the ‘Coordinated
Vulnerability Disclosure’ section. This boxed section includes a monthly list
(February 2012 in this case) of ‘Notable Coordinated Disclosure Researchers’
that ICS-CERT wants to acknowledge for their on-going efforts to coordinate the
disclosure of their reported vulnerabilities. A prominent name (5 of the 7
listed disclosures) is that former poster-child for uncoordinated disclosures, Luigi
Auriemma.
While I am certainly not an adamant believer in the absolute
necessity for coordinated disclosures, I do believe that, all things being
equal, the control system community is better served if researchers, vendors,
and CERTs can cooperate in the reporting and remediation process. It is
certainly heartening to see a ‘notorious’ researcher like Luigi working within
the process where possible.
Again, another good job by the folks at ICS-CERT in
publishing this month’s Monitor. This should be read and shared by all within
the control system security community and up the chain of command to those with
ultimate responsibility for the security of these systems.