ICS-CERT Publishes Siemens Advisory and Water System Hack

This morning the DHS ICS-CERT published an advisory for a vulnerability in the Siemens APOGEE Insight. Additionally, ICS-CERT published a link to the Verizon Data Breach Digest; a new method Verizon is using to share selected data from their annual data breach report.

Siemens Advisory

This advisory describes an incorrect file permissions vulnerability in the Siemens APOGEE Insight. The vulnerability was reported by Network & Information Security Ltd. Company and HuNan Quality Inspection Institute. Siemens is reporting a work around while they continue to work on a new version of the software to mitigate the vulnerability.

ICS-CERT reports that a relatively unskilled attacker with local access to the file system and authentication credentials could exploit this vulnerability to modify application data.

The Siemens Security Advisory was published last Friday and announced on TWITTER®.

Verizon Data Breach Digest  

The new Verizon Data Breach Digest was published this weekend and ICS-CERT is providing a link to the new document. Actually ICS-CERT is calling this the ‘annual data breach report’, but that was published earlier this year. This is a new document this year where Version takes a selected number of reports (18 in this initial effort) from the latest (2015) breach report and fleshes out the story with some additional details.

Readers of this blog will most likely be interested in Scenario 8 (pg 38); Hacktivist attack—the Dark Shadow. This tells the story of a breached water treatment facility operations system; an actual ICS (well mostly) attack in the United States. I say ‘well mostly’ because the unnamed utility was operating their control systems on an old AS 400 that was also running administrative operations (including employee PII).

Verizon noted that unnamed Syrian based hacktivists stole a bunch of employee PII data and also played with some PLC settings over a couple of days, apparently opening and closing random valves. The random actions did cause some out-of-spec drinking water, but apparently in-line testing equipment alarmed the bad water and the operators were able to take remedial action.

This was not much of an attack, but it was a successful attack on a US utility control system and deserves to be acknowledged as such. The EPA is the agency responsible for security issues at water treatment facilities and it would be interesting to know if the utility ever reported the incident to them. I haven’t heard anything through my limited connections to the water treatment industry, but if the EPA was sharing the information, it would probably be done via restricted distribution.

It is a good thing that the utility called in a Verizon team to conduct a routine security check of their system (they didn’t tell Verizon that they had noted anomalous valve actions until after the team located and reported the hack). If it had been reported to ICS-CERT we might not have heard about this on the public facing web site.