
Monday, January 21, 2013

Spear Phishing Threat


There are two interesting blog posts today (one from DigitalBond and one from the New York Times) about a presentation made last week at the S4 Conference in Miami, FL concerning an experiment to see how hard it would be to gain access to computers owned by people who had access to control systems. The short answer is toooooo easy.

Spear Phishing Experiment


I’m not going to go into details about the experiment; Dale Peterson and Nicole Perlroth both do excellent jobs in their posts, and I seriously recommend reading both. I will mention the following: the 26% of control systems personnel who clicked on the ‘malware’ links in the phishing emails included the job titles of:

• Control System Supervisor

• Automation Technician

• Equipment Diagnostics Lead

• Instrument Technician

• Senior VP of Operations and Maintenance

These are people that are very likely to have direct access to control systems through the computers that they used to read the spear phishing emails. So malware dropped onto their computers could be expected to make contact with the control systems.

Social Engineering


I have written about a significant number of ICS-CERT advisories that point out that the vulnerability would require a ‘social engineering’ attack to be successful. Spear phishing is one of the more popular social engineering methods that attackers use when they want to gain access to specific areas of networks; areas like control systems that have some perimeter protection.

Even air-gapped systems can usually be reached via a spear phishing attack since many of the people targeted, or someone they are linked to on the enterprise network, will use a USB drive to transfer data to or from the air-gapped system. It is extremely easy for a moderately skilled attacker to download a virus program to each USB drive attached to an infected computer.

Education or Isolation


Dale makes a very interesting point at the end of his blog post:

“The right lesson is to treat the corporate network as an untrusted network and prevent inbound access to the ICS except for emergency situations — as well as get working on your spear phishing portion of the security awareness program and incident response capability.”

I’m afraid, however, that Dale’s advice is going to be ignored in one important aspect: there are too many devices that are being used to bridge the gap (actually I think “ferry the gap” would be a more appropriate analogy since the device is only connected to one side at a time) between the IT and ICS systems. The laptop that the control system engineers and technicians use to access/program/monitor the system will almost certainly be plugged into the corporate network from time to time. The USB devices that are used to transfer data and updates to and from the control system will be plugged into devices on the network. And, of course, we cannot forget the wide variety of smart phone applications and wifi devices that the manufacturers are pushing to the field.

In the first instance, I think that any attempt at restricting the use of the engineering laptop on the corporate network or internet will be flatly ignored by the engineering/maintenance staff. There are too many legitimate needs to download tools and updates from vendors for these people to ignore. Even if you use a separate computer to download the information, you still have to ferry it to the system; no matter how many cutouts you use, the malware can still ride with the information.

Complex Solutions for Complex Problems


No, I’m afraid that we are going to have to come up with complex solutions to this problem. But remember, not every facility is going to be a legitimate target of a spear phishing/control system attack. Dale’s solution will work adequately (with the exception of the cases that I discussed above) for a large number of control systems.

Higher risk systems are going to have to look at establishing, practicing, and verifying a number of different controls on the transfer of information between networks. You are going to have to start with the education of every member of the staff with access to the IT network; if one person falls for a phishing or spear phishing attack the network security can be compromised. This is going to have to include a reporting and investigative component as well.

Then there are going to have to be periodic tests of that training with actual phishing and spear phishing attempts made on personnel with network access. Publicize the failures, share with the entire staff how and why the individuals fell for the attacks. Let people learn from other people’s mistakes.

Then the IT and control system networks are going to have to be segregated to the maximum extent possible; the higher risk the facility, the more rigorous that separation will have to be. The facilities with the highest risk, those that can affect lives or national security, are going to have to be air gapped.

Finally, there are going to have to be specially designed controls put into place that govern the ferrying of data and software between the two networks. Some way of verifying that only the information that is supposed to make the crossing gets on the boat is going to have to be established. Again, the higher the risk, the more rigorous the verifying must be. And audits, checks and challenges to the controls are going to be required for the highest risk systems.

Oh yes, and remember something will get through. You better have a plan in place for detecting and removing the malware. And have it in place before you need it. The longer it takes to fix, the more embarrassed you’re going to be.
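One way to implement the last of the controls described above, the verification that only the information that is supposed to make the crossing gets on the boat, is a manifest check on the receiving side of the ferry: the download host records the name and SHA-256 hash of every approved file and authenticates that list with a key that never travels on the media; the control-system side refuses anything that is not on the list, has the wrong hash, is an executable type, or arrives under a manifest whose tag does not verify. The following is an added example written for this post, not code from the post, DigitalBond or ICS-CERT; the directory names, file names, allowed suffixes and the shared key are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

# Assumption: only plain data types are allowed to cross; executables and
# scripts never ride on the media regardless of what the manifest says.
ALLOWED_SUFFIXES = {".txt", ".csv", ".pdf"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir: Path, key: bytes) -> dict:
    """Produced on the download host: hash every approved file, then HMAC the list."""
    entries = {p.name: sha256_file(p) for p in sorted(src_dir.iterdir()) if p.is_file()}
    payload = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "hmac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_transfer(media_dir: Path, manifest: dict, key: bytes) -> tuple[list[str], list[str]]:
    """Run on the control-system side. Returns (accepted names, rejection reasons)."""
    payload = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # A forged or edited manifest invalidates the whole transfer, not just one file.
        return [], ["manifest: HMAC mismatch, refusing entire transfer"]
    listed = manifest["files"]
    accepted, rejected = [], []
    for p in sorted(media_dir.iterdir()):
        if not p.is_file():
            rejected.append(f"{p.name}: not a regular file")
        elif p.name not in listed:
            rejected.append(f"{p.name}: not in manifest")
        elif p.suffix.lower() not in ALLOWED_SUFFIXES:
            rejected.append(f"{p.name}: disallowed type {p.suffix}")
        elif sha256_file(p) != listed[p.name]:
            rejected.append(f"{p.name}: hash mismatch")
        else:
            accepted.append(p.name)
    for name in listed:
        if not (media_dir / name).exists():
            rejected.append(f"{name}: listed but missing from media")
    return accepted, rejected


def demo() -> tuple[list[str], list[str], list[str]]:
    """Constructed scenario: one clean file, one tampered file, one unlisted rider."""
    key = b"constructed-demo-key"  # assumption: shared secret held on both hosts, never on the media
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp) / "staging"
        staging.mkdir()
        (staging / "readme.txt").write_text("release notes\n")
        (staging / "setpoints.csv").write_text("tag,value\nTIC-101,85.0\n")
        manifest = build_manifest(staging, key)

        usb = Path(tmp) / "usb"
        usb.mkdir()
        shutil.copy(staging / "readme.txt", usb / "readme.txt")
        (usb / "setpoints.csv").write_text("tag,value\nTIC-101,850.0\n")  # altered in transit
        (usb / "update.exe").write_bytes(b"MZ-constructed")            # never on the manifest
        accepted, rejected = verify_transfer(usb, manifest, key)

        forged = {"files": manifest["files"], "hmac": "0" * 64}       # manifest itself edited
        _, forged_rejected = verify_transfer(usb, forged, key)
    return accepted, rejected, forged_rejected


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The ordering of the checks matters: an unlisted file is refused before its type is even considered, so an attacker cannot learn which suffixes are permitted by watching what gets through, and a failed manifest tag stops the transfer before any file is touched. The key that authenticates the manifest has to stay off the USB drive, otherwise whoever controls the media can simply rewrite the list.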

Saturday, May 5, 2012

ICS-CERT Monthly Monitor – April 2012


Yesterday afternoon the folks at ICS-CERT published the latest edition of their Monthly Monitor. As is usual there is lots of good information, but this one may be especially important because of the description of another industry-wide spear phishing attack.

Gas Phishing


As I would expect from an open-distribution intelligence report there is a dearth of information available in the report. We do know that it is a spear phishing attack targeted on the gas pipeline industry and that it is ‘tightly focused’ in its targeting. The closest we get to specifics is that “the e-mails have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization”. This would seem to indicate that there has already been some intelligence collection effort put into the attack before the targeted emails had been sent.

There is also nothing in this report that specifically mentions if control systems were (or were not) ultimately targeted in this attack. Since this is an ICS-CERT report about their response to the attacks, one could be forgiven for making the assumption that the ‘tightly focused’ targeting was directed at personnel within the organizations with direct control system access from their laptop or desktop computers.
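The one detail the Monitor does give, that the emails were crafted to appear to come from a trusted insider, points at three header-level indicators a mail gateway or an analyst can check without any of the withheld indicators: a display name that matches a real employee but an address that is not theirs, a sender domain that merely looks like the organization’s, and a Reply-To that would route answers somewhere else. The script below is an added example for this post, not ICS-CERT’s detection logic or anything from the restricted alerts; the organization domain, the employee directory, the similarity threshold and the three sample messages are all constructed.

```python
import email
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed assumptions: the organization's real mail domain, a tiny employee
# directory keyed by lowercased display name, and a similarity cutoff for
# "looks like our domain" (tune on real mail before relying on it).
INTERNAL_DOMAIN = "example-pipeline.invalid"
DIRECTORY = {"jane doe": "jane.doe@example-pipeline.invalid"}
LOOKALIKE_THRESHOLD = 0.85


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze(raw: str) -> list[str]:
    """Return human-readable findings for one RFC 822 message (empty list = nothing odd)."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = _domain(addr)
    findings = []

    # 1. Display-name impersonation: the name is an employee's, the mailbox is not.
    expected = DIRECTORY.get(name.strip().lower())
    if expected and expected != addr:
        findings.append(f"display name '{name}' matches an employee but sender is {addr}")

    # 2. Lookalike domain: external, but visually close to the internal one.
    if domain != INTERNAL_DOMAIN:
        if SequenceMatcher(None, domain, INTERNAL_DOMAIN).ratio() >= LOOKALIKE_THRESHOLD:
            findings.append(f"lookalike sender domain {domain}")

    # 3. Reply redirection: answers would leave the apparent sender's domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != domain:
        findings.append(f"Reply-To {reply_to.lower()} does not match sender domain")
    return findings


# Constructed sample messages: one genuine, two impersonation attempts.
SAMPLES = {
    "legitimate": (
        "From: Jane Doe <jane.doe@example-pipeline.invalid>\n"
        "To: ops@example-pipeline.invalid\n"
        "Subject: Updated maintenance schedule\n\n"
        "Schedule is on the shared drive.\n"
    ),
    "display_name_spoof": (
        'From: "Jane Doe" <jane.doe@webmail.invalid>\n'
        "To: ops@example-pipeline.invalid\n"
        "Subject: Updated maintenance schedule\n\n"
        "Please review the attached file.\n"
    ),
    "lookalike_domain": (
        "From: Jane Doe <jane.doe@example-pipe1ine.invalid>\n"
        "Reply-To: ops-share@webmail.invalid\n"
        "To: ops@example-pipeline.invalid\n"
        "Subject: Updated maintenance schedule\n\n"
        "Send me the current HMI screenshots.\n"
    ),
}


def analyze_all() -> dict[str, list[str]]:
    return {label: analyze(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in analyze_all().items():
        print(label, "->", findings or ["no findings"])
```

None of these checks needs the sensitive indicators from the restricted alerts, which is the point: an organization that cannot get portal access can still flag the impersonation pattern the Monitor describes, and the findings give an analyst a concrete reason to report the message rather than just a hunch.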

Because of my brief exposure to military intelligence (and even more briefly counter-intel) many years ago I fully understand why this report had to be so vague. I wouldn’t be truthful if I didn’t note that my curiosity was severely annoyed by the lack of details, but I do understand. Fortunately the article does note that people in the affected industry can get additional details about this attack via the US-CERT Control Systems Secure Portal. As one would expect, there is a vetting process, but critical infrastructure owner/operators can apply for access via an email to


I would certainly recommend that security managers or cybersecurity managers petition for this access as soon as possible. The Monitor article notes that an alternative source for this information would be the critical infrastructure sector Information Sharing and Analysis Center (ISAC). NOTE: The chemical sector does not have an ISAC.

I would like to reiterate a point that is made in the closing paragraph of this article in the Monitor; ICS-CERT is only able to share this information because affected personnel reported the suspected attack to them in a timely manner. The article notes (page 1):

“In this particular campaign, reporting organizations enabled ICS-CERT to analyze the data and create an overall view of the activity in progress. This would not have been possible without the active cooperation of the reporting organizations, so ICS-CERT commends those involved and requests continued private sector reporting whenever possible.”

While the information sharing bill (HR 3523) recently passed in the House had no real provisions included for encouraging or requiring information sharing between the government and the private sector, this situation shows that at least within the control system security community there may not be a real need for such legislation. In this instance, at least, there appears to have been the type of cooperation and information sharing that should be a model for other sectors.

More information on the US-CERT Secure Portal is included in a separate article on page 5 of the Monthly Monitor.

Situational Awareness


The ‘Situational Awareness’ section of the Monitor again has a number of brief but interesting articles covering a wide spectrum of control system security issues. The articles address:

• Risk management planning for the electricity sector;

• ICS tabletop security exercises; and

• Planning for a cyber-incident.

Again, because of my military background, I am a firm believer in conducting emergency response exercises of all types. There is an old military adage that no plan survives contact with the enemy, but the more often you practice anything the better you will be at it when the real thing comes around. As the tabletop security exercise article notes, if you need more information on, or want assistance with, an ICS exercise contact the folks at ICS-CERT (cssp@hq.dhs.gov; Note: this is a different email address than normally given for ICS-CERT).

Coordinated Disclosures


All of the normal features that we have come to expect in the Monthly Monitor (Have I mentioned recently how much I appreciate the effort that has gone into this publication?) are in this issue and well worth the brief time necessary to review them.

I do want to make one specific point about the ‘Coordinated Vulnerability Disclosure’ section. This boxed section includes a monthly list (February 2012 in this case) of ‘Notable Coordinated Disclosure Researchers’ that ICS-CERT wants to acknowledge for their on-going efforts to coordinate the disclosure of their reported vulnerabilities. A prominent name (5 of the 7 listed disclosures) is that former poster-child for uncoordinated disclosures, Luigi Auriemma.

While I am certainly not an adamant believer in the absolute necessity for coordinated disclosures, I do believe that, all things being equal, the control system community is better served if researchers, vendors, and CERTS can cooperate in the reporting and remediating process. It is certainly heartening to see a ‘notorious’ researcher like Luigi working within the process where possible.

Again, another good job by the folks at ICS-CERT in publishing this month’s Monitor. This should be read and shared by all within the control system security community and up the chain of command to those with ultimate responsibility for the security of these systems.

Monday, September 19, 2011

ICS-CERT Publishes September Monthly Monitor

On Friday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published the September edition of their Control System Monitor. Articles in this issue included reports on the latest spear-phishing campaign, hurricane response, and an update on the cross-vendor working group.

Spear Phishing Campaign


The newsletter reports on what appeared to be a focused campaign of spear phishing attacks on the energy, nuclear and government sectors. ICS-CERT reports that their analysis showed that this campaign appeared to be targeting control systems engineers. The article notes that ICS-CERT issued two alerts on this campaign in July.

The last bit of information will be news to most readers of this blog, as I certainly didn’t report on those alerts. The reason is that they were published on the US-CERT Control Systems Center secure portal. ICS-CERT explains that limited dissemination by stating that:

“While ICS-CERT strives to make as much information publicly available as possible, the indicators in these Alerts are considered sensitive and cannot be disseminated through public or unsecure channels.”

These alerts would be essentially counter-intelligence reports and there is always a fine line that has to be drawn about releasing such information. Too wide a release will alert the adversary about the means used to detect their attack, which would allow the refinement of the attack. Too little release would leave the targeted organizations unaware of the potential threat. It is easy to criticize such decisions in hindsight and without responsibility for protecting the information.

Having said that, I would think that it would have been helpful for ICS-CERT to have published a limited information alert on their open access web page with a note for the potentially affected industries to get more information from the secure portal. That is, after all, what this article in the Monthly Monitor is doing. A more timely alert on the same lines may have protected more systems from potential attack or identified successful attacks earlier. At the very least it would have ensured that bloggers, like me, would have addressed the issue, spreading the word to a wider audience.

Interestingly it appears that this campaign may have been the reason that the previous issue of the Monthly Monitor included an article on the topic of spear phishing. If so, kudos to ICS-CERT for a creative partial-solution to the timely disclosure problem.

Hurricane Response


The article on the ICS-CERT monitoring efforts during Hurricane Irene helps to remind people that a full look at security includes protecting an organization against the effects of natural hazards as well as human attacks. The article provides a brief discussion about the importance of contingency plans for response to interruptions caused by both man-made and natural disasters.

Cross-Vendor Working Group


There is an interesting but brief article on the kick-off meeting of the cross-vendor working group of ICSJWG that is trying to “develop a unified approach for addressing serious security issues that exist across many vendor platforms”. One particular sentence in the report may draw some criticism from the control system security blogger community:

“An inaccurate perception exists that the vendor community does not fully understand control system security challenges.”

There will certainly be a disagreement about the extent of the ‘community’ that does or does not ‘fully understand’ the control system security challenge. I think that we all can agree however, that a wider and fuller understanding would be helpful in all parts of the community.

Sunday, August 21, 2011

ICS-CERT Monthly Monitor


Friday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published the latest edition of their ICS security newsletter, the ICS-CERT Monthly Monitor; this issue covers two months. A number of interesting topics are covered in this issue, including Spear Phishing, Black Hat 2011, the Siemens fiasco and preserving cyber forensics data.

Spear Phishing


A nice article on Spear Phishing notes that ICS-CERT has been responding to an “increasing number of spear phishing attacks”. One would assume that when ICS-CERT got involved it was a successful spear phishing attack where something ‘malicious’ was noted on the attacked network. It is interesting to note in the article (mentioned in passing as it were) that the apparent response to a successful spear phishing attack involves shutting down the corporate email system “until the extent of the problem [is] known and mitigation steps [are] taken”.

Black Hat Briefings


The brief piece on the Black Hat Briefings conference provides a brief bit of information from the conference that I haven’t seen mentioned elsewhere; the description of an airborne hacker tool. The wireless aerial survey platform (WASP) is apparently a remotely piloted vehicle that would fly over an installation trying to detect and intercept Wi-Fi and cell transmissions. With the increased use of wireless communications between control systems components, this could provide another route of access into the control system network. Of course, high-risk chemical facilities should already be concerned about the use of RPVs for surveillance or even attacks, so this is just one more reason to acquire sophisticated anti-aircraft attack capabilities (just a little sarcasm).

Siemens


The brief piece on the Siemens issues provides essentially a summary of their summarizing advisory that I have previously addressed. I would like to suggest that an alternative analysis of the ICS-CERT approach to the Siemens issues can be found at Ralph Langner’s recent blog posting on the issue. Anyone who has read Ralph’s stuff on Stuxnet will not be surprised that he has been less than enamored with the response of ICS-CERT on much of anything to do with Siemens.

Cyber Forensics


There is a relatively lengthy piece on cyber forensics and the importance of planning for how to respond to a cyber incident. Most facilities will be focusing on getting their systems back into the normal functional mode when something goes wrong with their system (either from an attack, human error, or just a glitchy piece of equipment/software). Cyber forensics is used to determine why and how a problem occurred and is important in figuring out how to limit the current problem and prevent it from happening again. This piece is well worth the read and further exploration. Some of the techniques suggested for preserving forensics data would normally fly in the face of standard procedures for quickly restoring functionality, but with more cyber-attacks occurring, facilities really need to consider these techniques as a method of discovering the true extent of what happened.

Other Information


There is also a nice text box describing the wonders and benefits of ‘coordinated vulnerability disclosure’. ICS-CERT has a vested interest in the CVD process, so they can be expected to support it. It seems to me that when the process works (i.e., the vendor responds promptly and puts forth a reasonable effort to fix the problem) this system provides the most effective method for identifying and responding to vulnerabilities. When there is no response, or an inadequate response, then alternate methods of communication need to be used.

Finally, the Monitor closes with two pages of ‘Open Source Situational Awareness Highlights’; a listing of articles and blog posts of significance to the control system security community. While certainly not an exhaustive bibliography, it certainly provides a pretty good reading list. I was impressed that there are a couple of blog posts included in their list (none of mine, alas). I would have been more impressed if they had included a listing of some posts by people like Ralph Langner or Dale Peterson that questioned the various responses of ICS-CERT to cyber security issues, but that would be expecting a bit more objectivity than is probably reasonable.

In short, this is a fairly impressive newsletter by a government agency that is a small but important cornerstone of the Federal response to cyber security issues in industrial control systems. Everyone in the ICS security community should read it.

Wednesday, April 13, 2011

ICS-CERT Publishes Two New Advisories

Today, the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published two new SCADA advisories, for the Wonderware InBatch Client and the Honeywell ScanServer. Both vulnerabilities were discovered by security researchers and have patches that have been developed by the vendor and verified by ICS-CERT.

Wonderware InBatch

This new Wonderware vulnerability is similar to the earlier reported vulnerability in the Inbatch Server in that it is a buffer overflow vulnerability. The difference is that this vulnerability is in the Client ActiveX control and it is not covered by the earlier patch. Additionally, this vulnerability would be more difficult to exploit because it would require a social engineering attack to convince the user to access a malicious host.

No direct link to the patch is provided in this advisory. Invensys recommends that registered users log into the Wonderware Developer Network or contact Wonderware Tech Support. Additional information can be obtained by logging into the Invensys Cyber Security Updates site.

Honeywell ScanServer

The reported Honeywell vulnerability is found in its ScanServer, a component of their Web Toolkit. The toolkit can be included in the Honeywell SymmetrE building control systems product or as a stand-alone tool to be used with other software products. As the ICS-CERT advisory explains:

“When a client system accesses a web page created with the vulnerable version of Honeywell’s Web Toolkit, it will receive an ActiveX component that is vulnerable to exploitation if the client system subsequently visits a malicious website.” (page 1)

The publicly available proof of concept (PoC) code could allow a moderately skilled attacker to create an exploit that would allow remote execution of arbitrary code. Implementing the exploit would require convincing the target to visit a malicious web site.

The advisory provides a detailed discussion of the mitigation measures that include downloading “the updated version of Web Toolkit ScanServer component build 862.1.10.1”. The remaining mitigation measures will depend on the type of system involved.

Spear Phishing

It is interesting that both of these vulnerabilities require the use of social engineering tools. Since the previous report from ICS-CERT was the NCCIC report on spear phishing, it almost seems as if the web site owner knew these advisories were coming. Well, actually they almost certainly did; these advisories have been in the works for some time with ICS-CERT apparently being contacted by the researcher and then working with the vendor to verify the vulnerability and the effectiveness of the mitigation.

In fact, I would assume that the reason for the unusual posting of an NCCIC report on the ICS-CERT site was the fact that these two vulnerabilities were quickly approaching publication. I think that it would have been more effective if all three documents were released on the same day and someone at ICS-CERT had published a more reader-friendly editorial going into more detail on how different social engineering attacks were crafted.