Comment Crew

Brian Krebs breaks a big story in the ICS security world — Telvent has been informing customers they have been compromised by the Comment Group.

Over the past two decades Telvent has dominated the oil and gas pipeline SCADA market. In recent years it has moved aggressively into the smart grid market and was acquired by Schneider Electric.

According to the Krebs reporting, “Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings — OASyS SCADA.” This is Telvent’s flagship SCADA product. There are at least three potentially serious consequences of this compromise:

  1. The attackers could use their presence on the Telvent network to pivot into the Telvent customer SCADA systems that were connected to the Telvent network. Vendors typically connect to their customers for weeks during deployment and periodically for maintenance and support after deployment. Krebs reports that Telvent has terminated the usual method of connecting to customers and deployed a new method.
  2. The attackers could use their presence on the Telvent network to modify project files for systems still in the deployment phase. Such a system would be compromised before it was ever commissioned.
  3. The attackers could use their presence on the Telvent network to download customer project files for a future attack — think future Stuxnet. An attacker who wanted to attack a process in a sophisticated manner would need time and talent to study the project files and essentially reverse engineer the process; stolen project files supply exactly that starting material.

If this Comment Group is the same as Comment Crew, then this is likely the same group that sent spear-phishing email to Digital Bond and EnergySec. They are going after the ICS energy sector, and Telvent is almost certainly not the only vendor being targeted or compromised. In fact, I would be worried about any large asset owner or vendor in the energy sector that is not detecting these attacks. Little Digital Bond and non-profit EnergySec must be rather low on the list of energy sector ICS targets.

Telvent does deserve some credit for addressing this head on rather than trying to bury it. Recent events have shown IT security vendors doing far more to hide a compromise. Telvent has a good reputation for implementing security controls and responding to reported vulnerabilities, but no one is immune to compromise.

This reported compromise points to two security principles that deserve their own articles. First, owner/operators should not allow standing, full-time vendor remote access. Vendor access should be enabled only for emergencies, for a bounded period, and completely under the owner/operator's control. Second, vendors and all other organizations should segment their internal networks. Assume the corporate network will be compromised and concentrate security resources on the key information resources, which for a SCADA vendor means the development network and customer project files.
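As an added illustration of both principles (this is example code written for this article, not code from Telvent, Schneider Electric or Digital Bond): a small Python model of a default-deny vendor access gate. Access exists only while an owner/operator has opened a time-boxed window for a named vendor, the vendor cannot open a window for itself, and even a live window reaches only a designated support jump host in its own segment rather than the whole control network. The host names, roles, ticket numbers and timestamps are constructed for the example.

```python
"""Owner-controlled, time-boxed vendor remote access gate (added example).

Models two principles: vendor remote access is opened by the owner/operator
for a bounded emergency window only, and an open window reaches a single
designated support segment, not the control network at large.
All host names, roles, tickets and times are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed reference time for the scenario below.
T0 = datetime(2012, 9, 26, 12, 0, tzinfo=timezone.utc)

# Constructed topology: the only destination a vendor session may ever reach.
VENDOR_REACHABLE = {"support-jump.scada-dmz.example": {22, 443}}


@dataclass
class AccessWindow:
    vendor: str
    opened_by: str          # owner/operator who approved the window
    ticket: str             # incident/change reference (constructed)
    opens_at: datetime
    expires_at: datetime
    closed: bool = False


@dataclass
class VendorAccessGate:
    """Default-deny: access exists only while an owner-opened window is live."""
    owner_roles: set = field(default_factory=lambda: {"operator"})
    windows: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def open_window(self, vendor, requested_by, role, ticket, now, minutes):
        """Only owner/operator roles may open a window; vendors cannot self-approve."""
        if role not in self.owner_roles:
            self.audit.append(("denied_open", vendor, requested_by, ticket))
            raise PermissionError(f"{requested_by} ({role}) may not open vendor access")
        if minutes <= 0 or minutes > 8 * 60:   # hard cap: a window can never be permanent
            raise ValueError("window must be between 1 minute and 8 hours")
        w = AccessWindow(vendor, requested_by, ticket, now, now + timedelta(minutes=minutes))
        self.windows.append(w)
        self.audit.append(("opened", vendor, requested_by, ticket, w.expires_at.isoformat()))
        return w

    def close_window(self, window, closed_by, now):
        """Owner/operator ends a window early; nothing the vendor does can reopen it."""
        window.closed = True
        self.audit.append(("closed", window.vendor, closed_by, now.isoformat()))

    def _live_window(self, vendor, now) -> Optional[AccessWindow]:
        for w in self.windows:
            if w.vendor == vendor and not w.closed and w.opens_at <= now < w.expires_at:
                return w
        return None

    def check(self, vendor, dst_host, dst_port, now):
        """Return (allowed, reason). Deny unless a live window exists AND the
        destination is inside the designated vendor support segment."""
        w = self._live_window(vendor, now)
        if w is None:
            return False, "no live owner-approved window"
        if dst_port not in VENDOR_REACHABLE.get(dst_host, set()):
            return False, f"{dst_host}:{dst_port} is outside the vendor support segment"
        return True, f"ticket {w.ticket}, opened by {w.opened_by}, expires {w.expires_at.isoformat()}"


def demo():
    """Constructed scenario; returns the gate's decisions keyed by step."""
    gate = VendorAccessGate()
    vendor, jump = "vendor-support", "support-jump.scada-dmz.example"
    results = {}
    # 1. No window open: the vendor is denied by default (no standing access).
    results["default"] = gate.check(vendor, jump, 22, T0)[0]
    # 2. The vendor tries to approve its own access: refused and logged.
    try:
        gate.open_window(vendor, "vendor-engineer", "vendor", "INC-0001", T0, 60)
        results["self_approve"] = True
    except PermissionError:
        results["self_approve"] = False
    # 3. The shift operator opens a 60-minute window for an incident.
    gate.open_window(vendor, "shift-operator", "operator", "INC-0001", T0, 60)
    results["jump_host"] = gate.check(vendor, jump, 22, T0 + timedelta(minutes=5))[0]
    # 4. Even inside the window, a historian on the control LAN stays unreachable.
    results["lateral"] = gate.check(vendor, "historian.control.example", 1433,
                                    T0 + timedelta(minutes=5))[0]
    # 5. The window lapses on its own without operator action.
    results["expired"] = gate.check(vendor, jump, 22, T0 + timedelta(minutes=61))[0]
    # 6. A later window is closed early by the operator.
    w2 = gate.open_window(vendor, "shift-operator", "operator", "INC-0002",
                          T0 + timedelta(hours=2), 30)
    gate.close_window(w2, "shift-operator", T0 + timedelta(hours=2, minutes=10))
    results["closed_early"] = gate.check(vendor, jump, 22,
                                         T0 + timedelta(hours=2, minutes=15))[0]
    results["audit_events"] = [e[0] for e in gate.audit]
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:14} {outcome}")
```

In a real deployment the decisions from `check` would drive the firewall or VPN concentrator between the vendor and the support DMZ, and the `audit` list would be shipped to the owner's log collector; the point of the model is that the vendor never holds a standing path, the operator holds the only switch, and the switch only ever reaches the support segment.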

(Full disclosure – Telvent has participated in Digital Bond’s Bandolier Project)