Last night the DHS ICS-CERT published an updated version of their alert for the Havex Trojan. The update provides a more complete description of the actions of the Havex Remote Access Trojan (RAT), though still not as detailed as the original F-Secure blog post.
It does, however, report for the first time a separate operational issue with the Havex RAT:
“It is important to note that ICS-CERT testing has determined that the Havex payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications.”
This would not be expected to be a deliberate design element of the Trojan, but it could serve as an indicator of a potential Havex attack for organizations that do not have operational system logging capabilities.
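Even where there is no dedicated operational logging, the Windows hosts running an OPC server still keep an Application event log, and a run of application-crash events for the OPC process is the kind of indicator the alert is describing. The following is an added example, written for this post and not taken from the ICS-CERT alert or the F-Secure write-up; it assumes crash records have been exported as "Application Error" (Event ID 1000) entries to a simple CSV, that the process-name hints, the two-hour window and the three-crash threshold are local choices, and the sample log lines are constructed.

```python
"""Flag clusters of OPC-server crashes in an exported Windows Application log.

Added example, not part of the ICS-CERT alert or the F-Secure post.
Assumptions (all hypothetical): crash records are 'Application Error'
events (Event ID 1000) exported to CSV with the columns
timestamp,event_id,source,faulting_application; the OPC process-name
hints, the window and the threshold are site-specific choices.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings used to recognise an OPC server process name.
# Placeholder list: replace with the OPC binaries actually deployed.
OPC_PROCESS_HINTS = ("opc",)

# Constructed sample export; the dates and process names are made up.
SAMPLE_LOG = """timestamp,event_id,source,faulting_application
2014-07-01T08:02:11,1000,Application Error,OPCServer.exe
2014-07-01T08:15:40,1000,Application Error,OPCServer.exe
2014-07-01T09:01:05,1000,Application Error,OPCServer.exe
2014-07-01T09:30:00,1000,Application Error,notepad.exe
2014-07-02T14:11:00,1000,Application Error,OPCServer.exe
"""


def parse_events(text):
    """Parse the CSV export into a list of dicts with a datetime timestamp."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "event_id": int(row["event_id"]),
            "source": row["source"],
            "app": row["faulting_application"],
        })
    return events


def is_opc_crash(event):
    """True for an Application Error (ID 1000) whose faulting app looks like an OPC server."""
    return (event["event_id"] == 1000
            and event["source"] == "Application Error"
            and any(hint in event["app"].lower() for hint in OPC_PROCESS_HINTS))


def find_crash_clusters(events, window=timedelta(hours=2), threshold=3):
    """Return (app, first_crash_time, count) for each OPC process that crashed
    at least `threshold` times inside any sliding `window`. One entry per process."""
    stamps_by_app = defaultdict(list)
    for event in events:
        if is_opc_crash(event):
            stamps_by_app[event["app"]].append(event["ts"])

    clusters = []
    for app, stamps in stamps_by_app.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits inside `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                clusters.append((app, stamps[start], end - start + 1))
                break  # one alert per process is enough
    return clusters


def run_sample():
    """Run the detection over the constructed sample log."""
    return find_crash_clusters(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for app, first, count in run_sample():
        print(f"{app}: {count} crashes starting {first.isoformat()}")
```

On the sample data this reports one cluster for OPCServer.exe (three crashes within an hour on the first day) and ignores both the unrelated notepad.exe crash and the isolated crash the following day. A cluster is a prompt to look harder, not proof of Havex: OPC servers can crash for mundane reasons, so the follow-up is to correlate with the indicators in the F-Secure post and, for those with access, the US-CERT portal.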
ICS-CERT Still Restricting Information
ICS-CERT is still restricting information about the known ‘watering hole’ sites to the US-CERT secure portal. I agree with Dale Peterson’s Tweet that this probably slows the community response to this threat vector, as only a very limited number of control systems organizations currently have access to this information source. ICS-CERT continues to provide information on how to request access to the US-CERT secure portal:
“ICS-CERT encourages US asset owners and operators to join the control systems compartment of the US-CERT secure portal. To request access to the secure portal send your name, email address, and company affiliation to ics-cert@hq.dhs.gov.”
This is a very low threshold to pass to gain access to this information. While we can (and should) debate whether or not ICS-CERT should be restricting access to information that the source of the Havex attack already knows (and the F-Secure blog post identifies clearly enough for the attacker to know which compromised sites have been identified), any organization that uses an OPC server in their control system architecture should apply for access to this information.
Mitigation Measures
The update also significantly expands the mitigation measures that organizations can use to limit the activity of the Havex Trojan. There is not anything new here, but this appears to be a pretty good list of actions to take to secure control systems in general. ICS-CERT does not provide any specific indicators of compromise in this alert, but they do provide a link to the F-Secure blog post on this RAT from Monday that does contain some of those indicators.
Presumably more up-to-date indicators are available through the US-CERT secure portal. This is another reason for potential targets to request access to the US-CERT secure portal.
Information Sharing
ICS-CERT continues to request that organizations that know or suspect that they have been compromised by Havex contact ICS-CERT. Any new information that may be provided by users will make the ICS-CERT investigation of this malware more complete.
This would be a very good point in time to have federal legislation in place that would provide safeguards for organizations that wish to share this type of information with ICS-CERT. At a minimum such information sharing activities should be protected to limit liability concerns and restrict what detailed data the government can share with other organizations, both governmental and private sector.
Lacking such specific cybersecurity information sharing protections, anyone submitting detailed information to ICS-CERT should attempt to avail themselves of the protections provided by the Protected Critical Infrastructure Information (PCII) program. At an absolute minimum any information submitted to ICS-CERT should specifically include the following PCII Express Statement:
“This information is voluntarily submitted to the Federal Government in expectation of protection from disclosure as provided by the provisions of the Critical Infrastructure Information Act of 2002.”
A better method would be to include the ‘Express and Certification Template’ found in Appendix 5 of the PCII Procedures Manual.