The United States Department of Homeland Security and its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a report this week (PDF) confirming several recent attacks.
The report, covering the first quarter of 2014, describes an unnamed public utility that was recently breached by a sophisticated threat actor who gained unauthorized access to its control system network. The software the utility used to manage its control system assets was reachable through its Internet-facing hosts.
ICS-CERT examined the available network logs and forensic data and found that:
- The systems were likely exposed to a number of security threats
- Previous intrusion activity was also identified
- Potential attack vectors such as remote access should be configured with appropriate security controls, monitoring, and detection capabilities
For many utilities, security and cyber risk are relatively new additions to the list of concerns, and not all are prepared to evaluate and correct configuration errors and vulnerabilities. As the report puts it: "ICS-CERT strongly encourages taking immediate defensive action to secure ICSs by using defense-in-depth principles. Audit your networks for Internet facing devices, weak authentication methods, and component vulnerabilities."
ICS-CERT also recommends that users take the following defensive measures to minimize the risk of exploitation:
- Minimize network exposure for all control system devices. In general, locate control system networks and devices behind firewalls and isolate them from the business network
- When remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices
- Remove, disable or rename any default system accounts wherever possible
- Implement account lockout policies to reduce the risk from brute forcing attempts
- Establish and implement policies requiring the use of strong passwords
- Monitor the creation of administrator level accounts by third-party vendors
- Apply patches in the ICS environment, when possible, to mitigate known vulnerabilities
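As an added worked example (not from the ICS-CERT report or this article), the following Python script triages the authentication log of a remote-access gateway for the patterns those recommendations target: repeated failures from one source that an account lockout policy would stop, a successful login from a source that was just brute forcing, logins to default accounts, and the creation of administrator-level accounts. The log format, host name, IP addresses and account names are all constructed for the example; the regular expressions assume a syslog-style line of "timestamp host process: message".

```python
"""Added example: triage a remote-access gateway's auth log for the patterns
ICS-CERT's mitigations target (brute forcing, default accounts, vendor-created
administrator accounts). The log format and every line in it are constructed
for this example; they are not from the ICS-CERT report or any real utility."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical gateway "gw01", documentation IP ranges).
SAMPLE_LOG = """\
2014-03-02T01:14:02 gw01 sshd: Failed password for invalid user scada from 203.0.113.7 port 51121
2014-03-02T01:14:05 gw01 sshd: Failed password for admin from 203.0.113.7 port 51122
2014-03-02T01:14:09 gw01 sshd: Failed password for admin from 203.0.113.7 port 51123
2014-03-02T01:14:12 gw01 sshd: Failed password for admin from 203.0.113.7 port 51124
2014-03-02T01:14:16 gw01 sshd: Failed password for admin from 203.0.113.7 port 51125
2014-03-02T01:14:20 gw01 sshd: Failed password for admin from 203.0.113.7 port 51126
2014-03-02T01:14:25 gw01 sshd: Accepted password for admin from 203.0.113.7 port 51127
2014-03-02T01:16:40 gw01 useradd: new user: name=svc_vendor, UID=1003, GID=0, home=/home/svc_vendor
2014-03-02T01:16:45 gw01 usermod: add 'svc_vendor' to group 'wheel'
2014-03-02T08:05:11 gw01 sshd: Failed password for operator from 198.51.100.23 port 40001
2014-03-02T08:05:30 gw01 sshd: Accepted password for operator from 198.51.100.23 port 40002
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
OK_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+), UID=\d+, GID=(?P<gid>\d+)")
GROUPADD_RE = re.compile(r"add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")

# Accounts that ship by default and should have been removed, disabled or renamed.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest"}
# Membership in one of these groups is treated as administrator level.
ADMIN_GROUPS = {"wheel", "sudo", "admin", "root"}


def parse(line):
    """Split one syslog-style line into timestamp, host, process and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "proc": m["proc"], "msg": m["msg"]}


def analyze(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return findings in log order.

    `threshold` failures from one source inside `window` is reported as a
    brute-force attempt; the two parameters mirror an account lockout policy.
    """
    findings = []
    recent_failures = defaultdict(deque)   # source IP -> timestamps of failed logins
    brute_forcers = set()                  # sources already reported

    def report(kind, ev, **detail):
        findings.append({"kind": kind, "ts": ev["ts"], "host": ev["host"], **detail})

    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        msg = ev["msg"]

        m = FAIL_RE.search(msg)
        if m:
            q = recent_failures[m["src"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and m["src"] not in brute_forcers:
                brute_forcers.add(m["src"])
                report("brute_force", ev, src=m["src"], user=m["user"], failures=len(q))
            continue

        m = OK_RE.search(msg)
        if m:
            # A success right after a burst of failures is the signature of a
            # guessed password, not a user who mistyped once.
            if m["src"] in brute_forcers:
                report("success_after_brute_force", ev, src=m["src"], user=m["user"])
            if m["user"] in DEFAULT_ACCOUNTS:
                report("default_account_login", ev, src=m["src"], user=m["user"])
            continue

        m = USERADD_RE.search(msg)
        if m and m["gid"] == "0":
            report("admin_account_created", ev, user=m["user"], via="useradd GID=0")
            continue

        m = GROUPADD_RE.search(msg)
        if m and m["group"] in ADMIN_GROUPS:
            report("admin_account_created", ev, user=m["user"], via="group " + m["group"])

    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"].isoformat(), f["host"], f["kind"],
              {k: v for k, v in f.items() if k not in ("ts", "host", "kind")})
```

The single failure from 198.51.100.23 stays below the threshold and produces nothing, which is the point of the sliding window: a lockout or alert threshold has to be tight enough to catch a password-guessing run but loose enough that an operator's typo does not lock them out of the control system. Tuning `threshold` and `window` to what the gateway's own lockout policy enforces keeps the detection and the control consistent.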