SCADA Security Vulnerability

DHS Control System Security Program (CSSP) actions in the natural gas pipeline alert get even stranger. They have either bungled helping natural gas pipeline companies to protect themselves or have some risky stratagem to take down an attacker and are willing to accept the collateral damage.

1) First, what it isn’t. There still is no evidence disclosed by DHS that the goal of spear-phishing attacks is any way ICS related except the natural gas pipeline companies have ICS. There has not been evidence that they are trying to collect ICS information or attack the ICS.

2) As reported by Mark Clayton of CS Monitor, Bob Huber and Jonathan Pollet confirmed that there were similarities between the “indicators of compromise” of the natural gas pipeline compromise and those of the attack on RSA and its token database. In simple terms, it is likely that the same person or group that attacked RSA and US defense contractors is attacking natural gas pipeline companies.

3) DHS has not told the public or the affected natural gas pipeline companies that the source of the attack is likely the same as the RSA attack. It appears that DHS did not know about the likely connection to the RSA attack until told by outside security professionals. At this time it’s impossible to say what they knew and when, but it is clear they chose not to share this information with the people being attacked.

4) If the natural gas pipeline companies had been told it was the same attacker and similar attack, they could have implemented more effective defenses and responses. The RSA attack has been studied and effective protective and detective measures developed. DHS could have even shared these security controls with all of the energy sector to limit or prevent additional attacks.

Even more troubling is the DHS advice “do not block or take mitigating action”. Was DHS planning to take immediate action and responsibility for purging the RSA attacker from the affected companies? Short of that, the advice puts the companies at risk. They could have said this is a skilled attacker, based on the RSA attack link, and your company is going to need a well planned approach to identify where the attacker is and how to expel him.

Based on past performance, bungle is the more likely answer. It’s not the goal of this blog or my articles to be a constant DHS bashing vehicle, but it would be nice to see them take on a serious issue in a reasonable way from start to finish. Except for issues completely under their control (training, vuln coordination with willing parties, hired assessments), DHS/INL seems incapable of having a rationale and effective approach to a complex issue with uncertainties.