The Industrial Control Systems Cyber Emergency Response Team's (ICS-CERT) latest Monitor report detailed a malware discovery at a power generation facility. A USB drive used to back up control system configurations was to blame for spreading the virus; in this case, a siloed network was not enough to keep the systems safe.
Although the issue was resolved largely without incident, the ICS-CERT team found that the facility could have taken several basic precautions to limit the risk of spreading such a virus. One would have been an antivirus solution; another would have been to ensure that all engineering workstations were backed up, which they were not.

Regular reports of hacks at utilities make it crystal clear that events like these are not isolated. ICS-CERT also reported that more than 7,200 critical infrastructure devices are connected to the internet where nearly anyone could easily locate them and attempt to log on; some did not even require a password. “Once accessed, these devices may be used as an entry point onto a control systems network, making their internet-facing configuration a major vulnerability to critical infrastructure,” the report states.

The energy industry is not alone, but it holds the dubious distinction that in 2012, more than 40 percent of all incidents reported to ICS-CERT targeted the sector. Many of those incidents were attempts to log in to ICS/SCADA systems, including systems holding data that could be used to control SCADA systems remotely. Not all of the targets were utilities; some were oil and gas pipelines.
The next closest sector was water, which accounted for 15 percent of reported incidents. Government, by comparison, accounted for 4 percent and transportation for 3 percent.
Some of the notable disclosures in 2012 came from researchers who found significant vulnerabilities in SCADA field devices, such as programmable logic controllers from major vendors.
Another major disclosure came from researchers who identified vulnerabilities in the Tridium Niagara AX Framework, which is used to integrate building devices.
The findings from 2012 have led ICS-CERT to update its Vulnerability Disclosure Policy to disclose issues 45 days after the initial contact with vendors. ICS-CERT says that in 2013 it will keep its focus on a continuous exchange of information to reduce the risk of attacks.

The group implores critical infrastructure owners to develop and implement baseline security policies, but warns that the basics are no longer enough. “Defense-in-depth strategies are also essential in planning control system networks and in providing protections to reduce the risk of impacts from cyber events.”