ICS-CERT Monitor Interesting Facts & Factoids

Cyber SquirrelThe January – April 2014 edition of the ICS-CERT Monitor was chock full of interesting facts and factoids. Here is what caught my eye.

Internet Accessible Control Systems

Facts – Three examples of Internet accessible control systems are described. The value is in the description of the two attacks; the third an HVAC was found by researcher Billy Rios.

Factoid – The attackers were described as “sophisticated threat actors” yet one of the systems had no authentication or protection and the other had any easily cracked password. Perhaps the attackers were sophisticated, but minimal skill and knowledge were required to compromise these systems.

Recap of Vulnerabilities

Consider this quote:

Authentication flaws were the most abundant vulnerability type coordinated in 2013, which includes vulnerabilities like factory hard-coded credentials, weak authentication keys, etc. These tend to be of highest concern because an attacker with minimal skill level could potentially gain administrator level access to devices that are accessible remotely over the Internet.

Yet the insecure by design (no source or data authentication) ICS protocols used to monitor the critical infrastructure are still not considered a vulnerability or worth addressing by DHS???

ICS-CERT Assessments

Our #1 competitor performed 20 assessment consulting engagements in Q1 2014.

Enhanced Cybersecurity Services (ECS)

An information sharing vehicle that passes info from DHS to Commercial Service Providers (CSP) who can pass it to approved asset owners. Currently there are 40 asset owners in the program and two approved CSP.

3 comments to ICS-CERT Monitor Interesting Facts & Factoids

  • “Our #1 competitor performed 20 assessment consulting engagements in Q1 2014.”

    If I remember correctly that’s against the law as a government entity must not compete against private corporations?

  • Sean McBride

    The government has an important role to play, but we’ve warned about Shodan and online ICS since 2009.

    If you run critical infrastructure, and you put your poorly secured systems on the public Internet — you are negligent! Get your act together.

    I don’t think we are taking a long term view when we choose to reward negligence with free security consulting….

  • Bryan Owen

    Private sector effort with RISI was ground breaking. Unfortunately something about the model seemed just enough to inhibit scale out.

    That ICS-CERT services result in publication of ICS breach/vuln data has value for all but even this model won’t scale and isn’t too conducive to whistleblowers.

    As many have suggested, the ICS community may ultimately be better served by an equivalent of the Aviation Safety Reporting System.

Leave a Reply