Yesterday the DHS ICS-CERT published their now quarterly (formerly monthly) Monitor. This issue is important because it describes publicly, for the first time, the first well-documented attacks (unsuccessful ones) on privately owned control systems.
Pipeline Control System Attacks
We have been hearing about these pipeline attacks for some time now, but the article in the Monitor provides information about the extent of the attack without providing any sensitive details.
One of the more important pieces of information provided in the article was that the initial report to ICS-CERT of these attacks came from a single owner "about an increase in brute force attempts to access their process control network". System logs identified 10 IP addresses associated with the attempted access. When ICS-CERT shared those addresses with other operators, similar attempted attacks were found in the system logs of additional facilities and more IP addresses were identified. This, again, demonstrates the need for maintaining and checking system logs.
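As an added illustration of the log-checking point above (example code written for this post, not from the Monitor or ICS-CERT), the following Python flags source addresses with repeated failed logins inside a short window and cross-checks the source addresses in a site's own logs against a peer-shared indicator list; the log lines, host name and addresses are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-style), not taken from the Monitor.
SAMPLE_LOG = """\
2013-04-10T02:14:01 pcn-gw sshd[811]: Failed password for operator from 203.0.113.5 port 51022
2013-04-10T02:14:03 pcn-gw sshd[811]: Failed password for operator from 203.0.113.5 port 51023
2013-04-10T02:14:04 pcn-gw sshd[811]: Failed password for root from 203.0.113.5 port 51024
2013-04-10T02:14:06 pcn-gw sshd[811]: Failed password for admin from 203.0.113.5 port 51025
2013-04-10T02:14:08 pcn-gw sshd[811]: Failed password for admin from 203.0.113.5 port 51026
2013-04-10T02:20:11 pcn-gw sshd[812]: Accepted publickey for operator from 192.0.2.10 port 40001
2013-04-10T03:05:30 pcn-gw sshd[815]: Failed password for operator from 198.51.100.77 port 60010
2013-04-10T03:40:00 pcn-gw sshd[815]: Failed password for operator from 198.51.100.77 port 60011
"""
# Constructed stand-in for addresses shared by ICS-CERT from another operator's report.
SHARED_INDICATORS = {"198.51.100.77", "198.51.100.78"}

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) \S+ for "
                     r"(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})")

def parse_events(text):
    """Return (timestamp, ip, user, failed) tuples for lines matching LINE_RE."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        events.append((datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                       m["ip"], m["user"], m["outcome"] == "Failed"))
    return events

def find_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Map source IP -> total failures, for IPs with >= threshold failures in any window."""
    failures = defaultdict(list)
    for ts, ip, _user, failed in events:
        if failed:
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):        # sliding window over sorted timestamps
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def match_shared_indicators(events, shared_ips):
    """Source IPs in our own logs that also appear in a peer-shared indicator list."""
    return {ip for _ts, ip, _user, _failed in events if ip in shared_ips}
```

The two slow attempts from 198.51.100.77 stay under the brute-force threshold and are only caught by the indicator match, which is the point of sharing addresses between operators.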
The article also mentions, for the first time that I have seen, the existence of the 'Control Systems Center' on the US-CERT Secure Portal and notes that:
"ICS-CERT periodically releases alerts, advisories, and indicator bulletins via the Control Systems Compartment of the US-CERT Secure Portal that provides critical infrastructure constituents with information intended to be useful for network defense."
We have seen some of these documents make their way to the ICS-CERT web page, but only after they have been available for a couple of weeks on the Portal. It seems to me that owners and operators of control systems owe it to themselves to ensure that they at least have representatives who can routinely access and monitor this site for valuable information.
Outside Contributors
This issue marks the first time that the Monitor has included articles from outside contributors. Kyle Wilhoit from Trend Micro wrote "Your SCADA Devices Are Being Attacked" and Reid Wightman from IOActive wrote "Why Sanitize Excessed Equipment".
Both short pieces provide valuable information. Inclusion of these outside contributors can only make the Monitor more helpful and maybe bring it back to a mostly monthly publication.
Other Offerings
There is a summary-type article about the recent Verizon 2013 data breach report. For those who don't have time to read the gritty details of that report, this is a good summary. ICS-CERT notes that they were one of the 19 global reporters of incident data that helped Verizon with that report.
There is a belated report on the introduction of CSET 5.0. There is still some good information, particularly about the changes that will probably be included in the next version. The article notes that customer feedback is one of the sources of new ideas that ICS-CERT is trying to target in future versions. If you have ideas or comments, contact the ICS-CERT folks at cset@hq.dhs.gov.
All of the standard features we have come to expect in the Monitor are still here. The list of security researchers that are currently working with ICS-CERT continues to grow. All of these people should be encouraged to continue to publicly disclose (preferably through a coordinated disclosure, IMHO) ICS vulnerabilities that they discover. As a community we need to develop some way to reward them for their efforts so that they don't have to sell their research to the highest bidder, who will probably keep the vulnerabilities quiet.