Yesterday ICS-CERT published a full-color glossy (it is an
electronic document so ‘glossy’ refers to ‘slick’ in the advertising sense)
pamphlet reviewing their operations in 2012. While this has the feel of a PR
exercise more than anything else, there are some interesting tidbits of
information to be winnowed from the document.
Spear Phishing Campaigns
We have heard about the spear phishing campaign directed
against the pipeline/energy companies. That is, of course, mentioned here, but
there is also a brief note about a similar campaign targeted against chemical
companies (pg 6);
“The chemical sector was also the
victim of targeted spear-phishing attacks in 2012. AAL [Advanced Analytical
Laboratory] worked directly with companies affected by this campaign, providing
onsite support, analyzing drive images and malware samples and disseminating
indicators back to the community. AAL provided onsite support to one of the
affected companies.”
That’s it folks. Nothing about what kinds of chemical
companies or how many companies were targeted. Oh well, maybe we will see more
in the January 2013 Monthly Monitor, or is it now a Quarterly Monitor?
Antivirus Engines
There is an interesting note about antivirus engines (pg 6);
“AAL also developed a tool to scan
whole drives for malware using multiple antivirus engines. This tool greatly
reduced the time needed to scan multiple drive images with commercial antivirus
products.”
Unfortunately, that tool will never leave their lab; the AV
companies would scream bloody murder (justifiably so). But it does bring an
interesting thought to mind; if ICS-CERT finds new malware in one of their
investigations, do they provide signatures to the AV companies? If so, which
ones? My favorite answers would be ‘YES’ and ‘whichever ones are actively cooperating
with ICS-CERT’.
Training
There are two interesting facts from their section on
training. First (pg 9);
“Provided 12 Advanced Training sessions, which
are week-long events that provide intensive hands-on training and a 12-hour,
red team/blue team exercise that simulates a corporate
espionage scenario [emphasis added].”
While this is the apparent threat-of-the-day (and there is a
certain justification for that), it is hardly a control system threat. Okay,
maybe they are trying to get control system access information, but I haven’t
seen anything to date about actual control system penetrations. Admittedly,
ICS-CERT and the affected community might not be willing to tell us about such
penetrations, but training on preventing cyber-espionage should be a US-CERT or FBI
focus, not an ICS-CERT one.
The second factoid is certainly control system focused (pg
9);
“Developed a Control Systems
Forensics for Law Enforcement course. This course helps law enforcement agents
to understand the differences in performing forensics on ICSs versus normal
corporate enterprise network forensics.”
This is a great idea. I would hope that this is being pushed
at all major metropolitan police departments that have cyber-crime units,
particularly those with large concentrations of critical infrastructure
facilities. It would also be nice if they had a slightly more basic ICS
forensics course for those companies that would be large enough to have the staff necessary to do forensics
stabilization and data collection.
ICS Evaluations
There are two pages that deal with ICS system evaluations
that can be conducted by ICS-CERT. On the first of the two pages (pg 10) it
states that:
“Asset owners can now request
Cybersecurity Evaluation Tool (CSET®) evaluations and/or Architecture Reviews,
which is a more in-depth comprehensive evaluation of specific control systems
networks, architectures, and components.”
Now I hadn’t heard of Architecture Reviews before, so I did
a quick search of the ICS-CERT web page and found an interesting
pamphlet that provides a little more information. It looks interesting, and
interested organizations should contact cset@dhs.gov.
It would have been nice if the evaluation pamphlet had been mentioned/linked in
this review.
The second page about system reviews provides some more
detailed information about the Cybersecurity Evaluation Tool. Even though CSET
5.0 was introduced this year, there is a brief description of the changes made
in this 2012 Review. I
wrote about the CSET 5.0 introduction, but didn’t have much information
about what actual changes had been made. This Review notes (pg 11);
“ICS-CERT released CSET® 5.0, in January
2013, this version represents the most significant upgrade in the underlying technical
architecture of the tool. This upgrade involves conversion to the Microsoft.NET
framework environment as well as utilization of component pieces from
Syncfusion [http://www.syncfusion.com/].
In addition, Section 508 of the Americans with Disabilities Act (ADA) was
incorporated into the new version to allow those with disabilities a way to
interact with and use the CSET®.”
Incident Modeling
It looks like ICS-CERT is actually trying to determine what
the potential consequences of a successful cyber-attack (or natural disaster, a
more likely cause) on a control system at a critical infrastructure
facility would be. The review describes a modeling tool called the Industrial Control
Systems Consequence Effects and Analysis (ICS-CEA) framework (pg 12);
“The Industrial Control Systems
Consequence Effects and Analysis (ICS-CEA) framework is a collaboration tool. ICS-CEA
provides a critical infrastructure modeling and simulation capability. The tool
also provides a means for users to model, analyze, and share information
related to potential consequences of naturally occurring or man-made threats on
our Nation’s critical infrastructure. The ICS-CEA system provides the NCCIC a
capability for daily use of modeling, simulation, analysis, and information sharing
related to potential cross-sector ‘consequence’ effects to ICS and their
related CIKR sectors.”
Again, I hadn’t heard of this whiz bang idea, so I did a
search of the ICS-CERT web site and found an abstract
from the Spring ICSJWG Conference (I
knew there was a reason that I have wanted to attend at least one of these);
“Situational Awareness (SA) is
achieved through access to comprehensive and relevant information pertaining to
evolving events. Historically, SA has been achieved through semi-automated or
manual processes to aggregate data into actionable information. The purpose of
the Industrial Control Systems' Consequence Effects and Analysis (ICS-CEA)
application is to provide tools to efficiently access relevant information
pertaining to Critical Infrastructure Key Resource (CIKR) assets. This allows
the Industrial Control Systems - Cyber Emergency Response Team (ICS-CERT)
analysts to understand potential cross-sector impacts associated with
environmental impacts and ongoing incidents or known vulnerabilities. ICS-CEA
provides the ability to perform exploratory geographic-based analysis and
modeling via a web-browser interface. In doing so, analysis, data, and
information products are created to meet the unique requirements for SA
audiences.”
Again, this is something that I would like to know more
about; as would many of the readers here, I’m sure. (Hint, hint)
Statistics
You can’t have a year-end review without statistics and this
Year in Review is no different. There are three different pages of statistics:
• ICS-CERT by the Numbers, ‘Calendar Years’, page 14;
• ICS-CERT by the Numbers, ‘Fiscal Years’, page 15; and
• Sector Support by the Numbers, page 16.
I’m not sure why they included both calendar year stats and
fiscal year stats, but it is interesting that they did, because you see two
different sets of trends. We’ve
seen the FY stats before, and they were used to describe the rapid
escalation of ‘attacks’ on control systems. The calendar year stats show a
completely different picture: a substantial decrease (204 to 138) in ICS Incident[s]
Reported between 2011 and 2012. Well, you know what they say about statistics….
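To make the point about year boundaries concrete, here is a small added example (mine, not ICS-CERT’s tooling or the Review’s data) that buckets the same set of incident report dates two ways: by calendar year and by US federal fiscal year (1 October to 30 September, named for the year in which it ends). The incident dates are constructed for illustration and chosen so that the calendar-year count falls from 2011 to 2012 while the fiscal-year count rises, which is exactly the kind of divergence that lets one data set support two opposite narratives.

```python
from collections import Counter
from datetime import date
from typing import Dict, Iterable, Tuple

# Constructed sample of incident report dates (not ICS-CERT's numbers).
# Deliberately arranged so the two year conventions disagree on the trend.
SAMPLE_INCIDENT_DATES = [
    date(2011, 2, 10), date(2011, 3, 15), date(2011, 5, 20), date(2011, 7, 4),
    date(2011, 10, 12), date(2011, 11, 3), date(2011, 12, 20),
    date(2012, 1, 9), date(2012, 4, 18), date(2012, 8, 30),
]


def fiscal_year(d: date, start_month: int = 10) -> int:
    """Return the fiscal year a date falls in.

    With the default start_month=10 this is the US federal convention:
    FY2012 runs 1 Oct 2011 through 30 Sep 2012 and is named for the year
    in which it ends. start_month=1 reduces to the calendar year.
    """
    return d.year + 1 if d.month >= start_month and start_month != 1 else d.year


def count_by_calendar_year(dates: Iterable[date]) -> Dict[int, int]:
    """Number of incidents per calendar year."""
    return dict(Counter(d.year for d in dates))


def count_by_fiscal_year(dates: Iterable[date], start_month: int = 10) -> Dict[int, int]:
    """Number of incidents per fiscal year (default: US federal FY)."""
    return dict(Counter(fiscal_year(d, start_month) for d in dates))


def trend(counts: Dict[int, int], earlier: int, later: int) -> str:
    """Describe the direction of change between two year buckets."""
    before, after = counts.get(earlier, 0), counts.get(later, 0)
    if after > before:
        return "increase"
    if after < before:
        return "decrease"
    return "flat"


def compare_views(dates: Iterable[date], earlier: int = 2011, later: int = 2012
                  ) -> Dict[str, Tuple[int, int, str]]:
    """Report (earlier count, later count, trend) under both conventions."""
    dates = list(dates)
    cy = count_by_calendar_year(dates)
    fy = count_by_fiscal_year(dates)
    return {
        "calendar": (cy.get(earlier, 0), cy.get(later, 0), trend(cy, earlier, later)),
        "fiscal": (fy.get(earlier, 0), fy.get(later, 0), trend(fy, earlier, later)),
    }


if __name__ == "__main__":
    for view, (a, b, direction) in compare_views(SAMPLE_INCIDENT_DATES).items():
        print(f"{view:8s} 2011={a} 2012={b} -> {direction}")
```

Run as a script it prints one line per convention; the calendar view shows a decrease and the fiscal view an increase from the identical ten dates. When reading any year-over-year incident statistic, the first check is which boundary was used and whether the comparison period is complete.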