One of the things that I have been missing by being unable
to attend meetings and conferences is the side conversations that take place
during the breaks in the meetings. I heard lots of interesting stuff at the meeting
Thursday and I thought that I would mention a couple of them here.
Password Phishing Attacks
I was talking with a nice lady from the Coast Guard (I’m
terrible about names and we both thought that she had given me her card, but I
don’t have it) and the conversation turned to the DHS HSIN (Homeland Security
Information Network) and Homeport. Both are semi-secure communications networks
that require some level of vetting and password access. I asked about the
password change frequency and she told me it was 90 days, so this seems to be
some sort of DHS (at least) standard.
I then asked her if the CG sent out emails reminding people
about changing their password and they do. I didn’t get to ask any more
follow-up questions, but it got me to thinking. Readers will remember that I
have taken ISCD to task (most
recently) for the emails they send out for updating the passwords for
access to CSAT. These emails contain a link to CSAT where the password can be
updated. I suspect that the Coast Guard and the folks running HSIN do the same
thing.
This practice leaves a large part of the security community
open to phishing attacks. A savvy attacker could send out an email like this
and get system logon information by having the link go to a site they
controlled. It’s not that difficult to set up an official-looking site, or even
a duplicate of the official site, that would allow for the collection of
sign-on information, and even transmit the information to the official site so
the password change would take effect.
It seems that DHS as an organization needs to re-think its
password policy. I’m not sure how justifiable a 90-day reset requirement is,
but the emails going out to remind people to reset their passwords should not
include a link to the site where that takes place. I know, it sounds real
customer-oriented, but it just sets people up for failure.
A final word on this topic (well, in this post anyway; I’m
afraid I will return to it again at some future time). If you receive an email
from a DHS agency about updating one of your passwords with them, DO NOT click
on any links in the email to do so. Use your own list of links to get to the
site.
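The policy argued for above can be checked mechanically at the mail gateway. The following is an added example, not code from the post or from any DHS system: it classifies a password-reminder message as link-free (the recommended form), as linking only to the official portal, or as linking somewhere else. The portal host names are placeholders I have assumed, not the real CSAT, HSIN or Homeport addresses.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed placeholder hosts for the password-change portals (not the real addresses).
OFFICIAL_HOSTS = {"csat.example.gov", "hsin.example.gov", "homeport.example.gov"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def extract_urls(raw_message: str) -> list[str]:
    """Return every http(s) URL in the text parts of a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def is_official_host(host: str) -> bool:
    """True only for an official portal host or a subdomain of one.

    The comparison anchors on the END of the name, so a lookalike such as
    csat.example.gov.attacker-domain.test is rejected even though it begins
    with the official name.
    """
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)


def classify_reminder(raw_message: str) -> tuple[str, list[str]]:
    """Classify a reminder email: 'no_links' (complies with the no-link policy),
    'official_links_only', or 'suspicious_links' with the offending URLs listed."""
    urls = extract_urls(raw_message)
    if not urls:
        return "no_links", []
    bad = [u for u in urls if not is_official_host(urlparse(u).hostname or "")]
    return ("suspicious_links", bad) if bad else ("official_links_only", [])


# Constructed sample: a reminder written the way the post recommends, with no link.
COMPLIANT_REMINDER = """From: noreply@csat.example.gov
Subject: CSAT password expires in 7 days
Content-Type: text/plain

Your CSAT password expires in 7 days. Use your own bookmark to sign in and change it.
"""

# Constructed sample: a link to a lookalike host whose name merely starts with the official one.
LOOKALIKE_REMINDER = """From: noreply@csat.example.gov
Subject: Action required: update your CSAT password
Content-Type: text/plain

Change it here: https://csat.example.gov.attacker-domain.test/reset
"""
```

The same classifier can be run over outbound reminder templates to enforce the no-link rule before anything is sent.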
Shamoon Attack Vector
You’ll pardon me if I don’t mention where this last tidbit
came from. There were a couple of side conversations that went on about the
control system implications of the recent big name attacks, including Shamoon.
No one had any news about any direct attacks on control systems by these programs,
but a number of people were concerned about the possibility of control system
information being harvested by these attacks; nothing new there. One of these
conversations, however, did provoke a comment about an idea floating around the
counter-intel community that the Shamoon attack on Aramco was initiated via a
thumb drive (no duh) inserted into a security system computer by a Palestinian
security guard.
Palestinians perform a large number of low-level jobs in
Southwest Asia including front line security officers. Okay, I know that
security guards are an important part of the overall security plan and shouldn’t
be considered low-level employees, but they certainly are so considered by most
people; just look at their pay scales. It wouldn’t be hard for any national
intelligence agency, terrorist group, organized crime syndicate, or even an
oil-industry competitor to find and turn one of these security guards into a
thumb-drive agent.
I’ll bet that every guard-house at an active security gate has
a computer or security terminal inside. I would bet that they don’t receive
anywhere near the attention that computers do in the secure areas of the
facility. But they are networked to the security office which is, almost
certainly, linked to the enterprise system. This would be a nice attack
surface.
And, if you were planning an attack, cyber or physical,
wouldn’t it be nice to have a look at the security system controls before you
started the attack? Quis custodiet
ipsos custodes? Hopefully, not the attacker.