Late yesterday the DHS ICS-CERT published the latest edition
of their Monitor,
a periodic report on the activities of the organization. This is one of the
better issues, with some interesting topics.
Incident Response
As we have come to expect, ICS-CERT leads off the
publication with a brief piece discussing a recent anonymized attack. Also, as
we have come to expect, the attack being used in the discussion is on an
organization that would be expected to have an extensive industrial control
system operation (a water utility in this case), but the attack apparently
never reached the control system.
The attack was a ransomware attack on the utility, so this
is a timely issue. The author uses the mixed response from the utility (one
system with good backup recovery and a second system whose backup recovery had
significant gaps) to explain the need for timely backups in responding to
this type of attack. Unfortunately, the discussion never reaches beyond IT
systems, and the topic of backups for control systems is never broached.
The second article also addresses incident response, this
time giving an overview of the role of ICS-CERT in incident response. The
discussion is somewhat marred, however, by the apparently fictional response to a
water utility incident that could be used as a story proposal for a CSI Cyber
television episode. While my cybersecurity application talents are more than a
little out-of-date, I would be really surprised if the ICS-CERT team could
remotely start an effective whitelisting application on a system before they
had even seen network logs.
Protected Critical Infrastructure Information
The third major article is a brief overview of the
importance of the PCII program. This is an important information sharing tool
that allows a covered entity to submit data to a federal agency while
protecting that information from public disclosure. The article does a good job
of providing a description of the importance of the program and an overview of
its protections.
The article does fall short, however, in failing to discuss
the major problem with the program: facilities must use a very specific phrase
at the start of any document that attempts to claim PCII protection. Failure to
include the Express
Statement (and the two other key pieces of information discussed on that
page) will mean that the information will not be protected by the PCII program.
While the article does provide a link to the extensive PCII
web site, failure to explicitly mention that there are specific requirements
for claiming PCII protections does a disservice to the readers.
To be fair, this problem is not limited to this ICS-CERT
article about the PCII program. I have not yet seen a government discussion of
the PCII program that really emphasized the importance of properly claiming
PCII protection.
NOTE: Remember that DHS is in the process of trying to
revise the PCII regulations (see here
and here).
Strong Passwords
No discussion of cybersecurity would be complete without the
topic of passwords being addressed. The fourth (and last) major article of this
issue of the Monitor addresses this important topic. While there have been
periodic discussions in the industry of replacing passwords with some neat new
technology, ICS-CERT apparently remains a strong proponent of strong passwords.
Their definition of a strong password is now 12 characters using caps, lower
case, numbers and symbols. Remember that it must be unique but easily remembered, as
you should never write it down. Sharing passwords, or multiple users using the
same password, are both strictly verboten.
There is an important caveat in the article that should be
remembered by everyone:
“There is only one proven method to
prevent your password from being cracked: leave your device sealed in the box
in which it was shipped. Otherwise, all passwords can be cracked. Given enough
time and processing power, even the longest most random password can be
cracked.”
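To make the ICS-CERT definition and the "given enough time" caveat concrete, here is a small added example (my own code, not ICS-CERT's and not from the Monitor) that checks a password against the 12-character, four-class rule and then estimates the brute-force search space and expected cracking time. The guess rate of ten billion per second and the treatment of ASCII punctuation as the "symbols" class are assumptions; the model also assumes the attacker already knows the length and character classes and ignores dictionary and rule-based attacks, so the figures are a lower bound on attacker effort, not a guarantee.

```python
import string

# Character classes for the ICS-CERT rule. Assumption: ASCII punctuation
# stands in for "symbols"; a real policy would state the allowed set.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

MIN_LENGTH = 12  # the Monitor's minimum


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def meets_policy(password):
    """True when the password is at least 12 characters and uses all four classes."""
    return len(password) >= MIN_LENGTH and classes_used(password) == set(CLASSES)


def brute_force_keyspace(password):
    """Candidates an attacker who knows the length and classes must try (worst case)."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def expected_crack_seconds(password, guesses_per_second):
    """Expected time to hit the password by exhaustive search: half the keyspace."""
    return brute_force_keyspace(password) / 2 / guesses_per_second


if __name__ == "__main__":
    # Constructed sample passwords; the last one is a random-looking
    # 12-character, four-class string made up for this demonstration.
    samples = ["password", "Password1", "Tr0ub4dor&3!"]
    rate = 1e10  # assumed offline guess rate (GPU-class hardware)
    for pw in samples:
        secs = expected_crack_seconds(pw, rate)
        print(f"{pw!r:16} policy={meets_policy(pw)!s:5} "
              f"classes={len(classes_used(pw))} "
              f"keyspace={brute_force_keyspace(pw):.2e} "
              f"expected={secs / 31_557_600:.2e} years")
```

Every row in the output is finite, which is the Monitor's point: the policy buys time, roughly ten thousand times more per added character class at this length, but it never makes a password uncrackable. Running the demo also shows why "easily remembered" and "random" pull against each other: the memorable samples fail the policy long before the search space gets large.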
Standard Features
This issue includes all of the standard blurbs that we have
come to expect, including:
• Onsite Assessments Activity;
• ICS-CERT News;
• Recent Product Releases;
• Coordinated Vulnerability
Disclosure;
• Open Source Situational Awareness
Highlights; and
• Upcoming Events
It is nice to see three chemical sites listed in the Onsite
Assessments Activity chart. At the risk of offending the increasing number of
businesses that provide a for-fee assessment (a valuable service that should be
encouraged), any facility that is regulated by the federal government
program that addresses cybersecurity of control systems (not many, to be sure)
would be foolish not to avail themselves of the free assessments provided by
ICS-CERT. That assessment should be supplemented by the best fee-based
assessment that the budget allows, but an ICS-CERT assessment has got to look
good to any Federal inspector.
The ICS-CERT news piece in this issue was yet another non-update
on the December Ukraine attacks. Apparently ICS-CERT has no new information
that can be shared with the general control system community. It does plug the
latest update to IR-ALERT-H-16-043-01BP, “Cyber-Attack Against Ukrainian Critical
Infrastructure”. This is only available on the US-CERT Secure Portal. You can
request access through ICS-CERT (see the ‘I Want To’ box at the bottom of their
landing page).
There is an ironic touch in the discussion of coordinated
disclosures this month. The first name on the list of personnel being praised
for coordinated disclosures is none other than Reid Wightman, for his work on
the Moxa vulnerabilities. I am sure that this mention makes Reid very happy.