ICS-CERT: Control System Internet Accessibility Advisory

Monday, January 09, 2012

Headlines

69dafe8b58066478aea48f3d0f384820

On October 28, 2010, ICS-CERT published an alert titled “ICS-ALERT-10-301-0 - Control System Internet Accessibility” on the ICS-CERT web page. The alert warned control system owners and operators that a search engine called SHODAN was being used to locate Internet facing control systems.

ICS-CERT is issuing this new alert to warn of an uptick in related activity and urge asset owners and operators to audit their control systems configurations and verify whether or not they are susceptible to an attack via this vector.

ICS-CERT is tracking and has responded to multiple reports of researchers using SHODAN, Every Routable IP Project (ERIPP), Google, and other search engines to discover Internet facing control systems. ICS-CERT has coordinated this information with the identified control system owners and operators to notify them of their potential vulnerability to cyber intrusion and attack.

When appropriate, ICS-CERT also coordinates with the corresponding sector Information Sharing and Analysis Centers (ISACs) or international CERT/CIRT (Computer Incident Response Team) to notify asset owners. In many instances, the exposed systems were unknowingly or unintentionally configured with potentially unsecure access authentication and authorization mechanisms.

ICS-CERT works with the asset owner/operators and vendor or systems integrators whenever possible to remove any default credentials and secure these systems from attack.

In cases where unauthorized access has been identified, ICS-CERT has assisted control system owners and operators with system and firewall data analysis to determine the extent of the intrusion and whether any configuration changes might have been made to the system.

The use of readily available and generally free search tools significantly reduces time and resources required to identify Internet facing control systems. In turn, hackers can use these tools to easily identify exposed control systems, posing an increased risk of attack. Conversely, owners and operators can also use these same tools to audit their assets for unsecured Internet facing devices.

Internet facing control systems have been identified in several critical infrastructure sectors. The systems vary in their deployment footprints, ranging from stand-alone workstation applications to larger distributed control systems (DCS) configurations. In many cases, these control systems were designed to allow remote access for system monitoring and management.

All too often, remote access has been configured with direct Internet access (no firewall) and/or default or weak user names and passwords. In addition, those default/common account credentials are often readily available in public space documentation. In all cases, ICS-CERT has worked with these organizations to remove default credentials and strengthen their overall security.

Recent examples of these are:

• In February 2011, independent security researcher Ruben Santamarta used SHODAN to identify online remote access links to multiple utility companies’ Supervisory Control and Data Acquisition (SCADA) systems. Mr. Santamarta notified ICS-CERT for coordination with the vendor and the affected control system owners and operators. Further research indicated that many systems were using default user names and passwords.

• In April 2011, ICS-CERT received reports of 75 Internet facing control system devices, mostly in the water sector. ICS-CERT worked with the Water Sector ISAC and the vendor to notify affected control system owners and operators. Many of those control systems had their remote access configured with default logon credentials.

• In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet facing devices that he discovered using SHODAN. To date, this response has included international partners and approximately 63 other CERTs in the effort to notify the identified control system owners and operators that their control systems/devices were exposed on the Internet.

• In November 2011, another individual claimed to have directly accessed an Internet facing control system. The report indicated that the individual gained access using default username and password. ICS-CERT notified the affected control system owner and advised the owner to disconnect the control system from the Internet and reconfigure the remote access security. ICS-CERT also coordinated with the SCADA vendor to provide the owner detailed instructions for removing the default logon account.

• Currently, ICS-CERT is coordinating the response to several new reports of Internet facing control systems from independent researchers Billy Rios, Terry McCorkle, Joel Langill, and other trusted sources.

When incidents of this nature are reported, ICS-CERT works with the reporting entity, control system owners and operators, vendors, integrators, ISACs, and other U.S. and international CERT/CIRTs to notify the identified entities and help the mitigate their exposure.

MITIGATION

ICS-CERT recommends that control system owners and operators audit their control systems—whether or not they think their control systems are connected to the Internet—to discover and verify removal of any default administrator level user names and passwords. Because each control system installation is unique, owners and operators may need to contact their system vendor or integrator for assistance with locating and eliminating default accounts.

Owners and operators can also perform a comprehensive control system cybersecurity assessment using the DHS Control Systems Security Program (CSSP) Cyber Security Evaluation Tool (CSET). CSET is a free, downloadable, stand alone software tool that is designed to assist owners and operators to:

1. Determine their current security posture
2. Identify where security improvements can/should be made
3. Map out the existing component/network configuration
4. Output a basic cybersecurity plan.

A CSET fact sheet is available on the CSSP web page. It explains the self-evaluation process and provides further information and assistance with the tool. The tool can be downloaded online or organizations can contact CSSP to request onsite training and guidance.

The complete ICS-CERT advisory can be found here:

Source:  http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-343-01.pdf

Possibly Related Articles:
10971
Network->General
Information Security
SCADA Shodan Vulnerabilities internet Headlines Network Security Search Engine hackers Advisory ICS ICS-CERT CSET Industrial Control Systems ERIPP
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.