Security Advisory: DHS Reports U.S. Utility’s SCADA System Hacked
National Rural Water Association (Washington, DC)
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) recently reported that, “a public utility was recently compromised when a sophisticated threat actor gained unauthorized access to its control system network. After notification of the incident, ICS-CERT validated that the software used to administer the control system assets was accessible via Internet facing hosts. The systems were configured with a remote access capability, utilizing a simple password mechanism; however, the authentication method was susceptible to compromise via standard brute forcing techniques… This incident highlights the need to evaluate security controls employed at the perimeter and ensure that potential intrusion vectors (ex: remote access) are configured with appropriate security controls, monitoring, and detection capabilities.”
DHS declined to provide any details on the target or timing of the attack, which could have been directed against anything from a major electric power utility to a small municipal water utility. According to DHS, the utility breach at issue involved one of the most fundamental defensive breakdowns – a link connecting the utility control system to the Internet. ICS-CERT strongly encourages taking immediate defensive action to secure ICSs by using defense-in-depth principles:
- Audit your networks for Internet facing devices, weak authentication methods, and component vulnerabilities. Understand the usage of tools, such as SHODAN and Google, and leverage those platforms to enhance awareness of the Internet accessible devices that might exist within your infrastructure.
- Minimize network exposure for all control system devices. In general, locate control system networks and devices behind firewalls and isolate them from the network.
- When remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
- Remove, disable or rename any default system accounts wherever possible.
- Implement account lockout policies to reduce the risk from brute forcing attempts.
- Establish and implement policies requiring the use of strong passwords.
- Monitor the creation of administrator level accounts by third-party vendors.
- Apply patches in the ICS environment, when possible, to mitigate known vulnerabilities.
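The recommendations above are preventive; the advisory also calls for "monitoring, and detection capabilities" at the perimeter. As an added example (not from the advisory or ICS-CERT), the following Python sketch shows the detective counterpart to the account-lockout bullet: it parses authentication log lines from a remote-access gateway and flags any source address that fails repeatedly within a short window, along with any account that source then logs into successfully. The log format and the sample entries are constructed for the example; a real gateway's format will differ.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the advisory); the format is
# assumed to mimic a generic remote-access gateway's authentication log.
SAMPLE_LOG = """\
2014-05-20T10:00:01Z gw remote-access: FAILED login user=operator src=203.0.113.45
2014-05-20T10:00:03Z gw remote-access: FAILED login user=operator src=203.0.113.45
2014-05-20T10:00:04Z gw remote-access: FAILED login user=admin src=203.0.113.45
2014-05-20T10:00:06Z gw remote-access: FAILED login user=admin src=203.0.113.45
2014-05-20T10:00:07Z gw remote-access: FAILED login user=admin src=203.0.113.45
2014-05-20T10:00:09Z gw remote-access: ACCEPTED login user=admin src=203.0.113.45
2014-05-20T10:15:00Z gw remote-access: FAILED login user=operator src=198.51.100.7
2014-05-20T11:30:00Z gw remote-access: ACCEPTED login user=operator src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ remote-access: (?P<result>FAILED|ACCEPTED) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_events(text):
    """Parse log lines into (timestamp, success, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines this parser does not understand
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"] == "ACCEPTED", m["user"], m["src"]))
    return events

def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failures inside a sliding window, plus any
    account they then log into (the signature of a guessed password)."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    alerts = {}
    for ts, ok, user, src in sorted(events):
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if not ok:
            q.append(ts)
            if len(q) >= threshold:
                alerts.setdefault(src, {"failures": 0, "compromised_users": []})
                alerts[src]["failures"] = max(alerts[src]["failures"], len(q))
        elif src in alerts and user not in alerts[src]["compromised_users"]:
            alerts[src]["compromised_users"].append(user)
    return alerts
```

Tune `threshold` and `window` to match the lockout policy the gateway actually enforces, so that an alert fires for what lockout should already have stopped.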
ICS-CERT’s full report is available at this link.