The Department of Homeland Security is warning public utilities and critical infrastructure operators about the dangers of running Internet-facing devices without a firewall and of allowing remote access to them. The warning follows an attack by a group of "sophisticated" hackers on an unidentified public utility, whose control system network was compromised.
The agency's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reports three new cyber incidents due to weak network security. Two of these incidents involve intrusion by unauthorized parties.
According to the ICS-CERT report, a group of hackers penetrated the public utility and gained access to its control system network, although the agency found no evidence that the utility's operations were affected. The agency said the utility was using a simple password mechanism, which attackers can easily bypass with a standard brute-forcing technique: trying various passwords until they hit the right one.
"It was determined that the systems were likely exposed to numerous security threats and previous intrusion activity was also identified," said ICS-CERT in its report. "This incident highlights the need to evaluate security controls employed at the perimeter and ensure that potential intrusion vectors (ex: remote access) are configured with appropriate security controls, monitoring and detection capabilities."
Industrial control security consultant Justin W. Clarke of the security firm Cylance said public utilities rarely identify such breaches, and that the government rarely discloses them so as to keep encouraging businesses to share information with it.
"In most cases, systems that are so antiquated to be susceptible to such brute forcing technologies would not have the detailed logging to aid in an investigation like this," said Clarke.
The second incident involved an Internet-connected control system attached to a "mechanical device," which a hacker accessed using a SCADA (supervisory control and data acquisition) protocol. ICS-CERT said the device could be reached directly from the Internet and was not protected by a firewall or by authentication access controls. The device, however, was disconnected for maintenance at the time of the attack, the report said.
Qualys researcher Billy Rios discovered the third vulnerability: an Internet-facing HVAC and energy management system in an Olympic arena in Sochi, Russia. No attacks were made, but Qualys told ICS-CERT that the system had no authentication requirements for access.
ICS-CERT said that the use of tools such as SHODAN, Google and other search engines to find and identify devices that were never meant to be Internet-facing, together with the emergence of vulnerabilities such as Heartbleed in OpenSSL, continues to pose a threat to the Internet.