A significant percentage of ICS owner/operators use SecurID tokens for strong, two-factor authentication for remote access. As in the IT space, SecurID has by far the largest market share. With the recent hacks of RSA and Lockheed, it is time to reconsider whether you can rely on these tokens for administrator remote access to the control center.
Back in March RSA announced they had been hacked, well, sort of. They were a bit dodgy about what exactly was compromised. Eventually, based on analysis and leaked information, most agreed that the seed keys used to generate the one-time password that changes every minute were compromised. With a seed key, an attacker can recreate the one-time password for that token at any moment in time.
There was still a lot of work to convert this information into a successful compromise. The attacker would need to tie the seed key to an organization, department or individual, depending on the deployment scenario. However, the attacker may also have stolen the database information that tied token serial numbers and keys to organizations. The final hurdle is that most organizations use a combination of the one-time password and a user-selected PIN as the password, so the attacker would need to identify the token in use and recover the PIN. None of this is easy.
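To make the mechanism concrete, here is an added example that is not from the original post and is not RSA's algorithm (SecurID's is proprietary): a standard RFC 6238-style time-based code with a 60-second step. It shows that whoever holds the seed computes exactly the code the token displays and the server expects, so once the seed is compromised the user-chosen PIN is the only secret left. The seed, PIN and timestamp are constructed values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the tokens in the post change their code every minute
DIGITS = 6

def otp_for(seed: bytes, unix_time: int) -> str:
    """Code for the minute containing unix_time, derived from the shared seed.

    RFC 6238 style (HMAC-SHA1 over the time step, dynamic truncation). RSA's
    real SecurID algorithm is proprietary and differs, but the property this
    shows is the same: the code is a function of seed and time only."""
    step = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"

def verify_passcode(seed: bytes, pin: str, passcode: str, unix_time: int,
                    skew_steps: int = 1) -> bool:
    """Server-side check of passcode = PIN + code, tolerating +/- one minute of clock drift."""
    for k in range(-skew_steps, skew_steps + 1):
        expected = pin + otp_for(seed, unix_time + k * STEP_SECONDS)
        if hmac.compare_digest(expected, passcode):  # constant-time comparison
            return True
    return False

# Constructed demo values: not a real SecurID seed, PIN or deployment.
DEMO_SEED = b"constructed-demo-seed-0123456789"
DEMO_PIN = "1234"
DEMO_TIME = 1306800000  # a fixed instant, so the result is reproducible

if __name__ == "__main__":
    code = otp_for(DEMO_SEED, DEMO_TIME)  # what the legitimate token shows this minute
    print("token code:", code)
    print("user login ok:", verify_passcode(DEMO_SEED, DEMO_PIN, DEMO_PIN + code, DEMO_TIME))
    # Anyone holding the seed derives the identical code; only the PIN is still unknown to them.
    print("seed holder, wrong PIN:", verify_passcode(DEMO_SEED, DEMO_PIN, "0000" + code, DEMO_TIME))
```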
But evidently not too difficult. Last week Lockheed announced, and RSA agreed, that compromised SecurID tokens were a “direct, contributing factor” to the Lockheed compromise.
The stolen SecurID data is being used. Questions remain: who is using it? Who are their targets? Are they selling the data? For example, if you wanted to attack utility x, could you buy the SecurID data related to its tokens? This, combined with a targeted phishing attack, may be enough to get an adversary into the control center with administrator credentials.
This is where risk management gets very difficult. The risk of a compromised SecurID token being used to attack remote SCADA access was never zero, but it has to be considered much higher now than it was prior to March. The likelihood is still very small, but the impact would be huge. Should an asset owner respond and move to a different method of secure remote access? I’ll split our recommendation into two cases.