We're All Good

The spring edition of the ICS-CERT Monthly Monitor’s lead story is “Brute Force Attacks On Internet Facing Control Systems”. It got picked up by a large number of the mainstream press including the Wall Street Journal. Author Rachel King points out that according to ICS-CERT, “These attempted attacks originated from 49 IP addresses but ultimately, none were successful”.

SCADAsec and other lists have been going on about this story for a while now; I’ve been surprised that the discussion is missing the big points. I’m full of enough outrage and disbelief to break my self-imposed ban on complaining about ICS-CERT:

  1. Where is the guidance in the article that gas compression systems and other ICS components should not be Internet accessible? More importantly, did those organizations pull their systems off the Internet?
  2. Based on the article we are to believe that all the organizations that made these devices Internet accessible changed the default passwords and chose strong passwords?
  3. As I’ve been preaching, you have no integrity in your ICS. If someone gained remote access she could have changed the logic or firmware. How would you know? Ultimately, none were successful?
  4. If ultimately, none were successful, I guess everything is ok. Security controls were effective. We just need to be vigilant to attacks. DHS remains silent on the need to replace insecure-by-design devices and protocols in the critical infrastructure. Sure, they will put out an alert or advisory on the problem, but it just fades off the site without any call to action by DHS. (Side note: congressional staffers are consistently amazed and skeptical when I tell them that most ICS field devices and protocols lack even basic security controls. They receive regular DHS briefings, and this never comes up. Instead they hear about the increased number of Alerts/Advisories ICS-CERT is publishing, single-digit fly-away team efforts, and other “success” stories.)
  5. Either DHS does not have access to information on ICS being compromised or they are unable or unwilling to share it. It’s hard to believe that small, boutique firms like Digital Bond and our peers have more and better info on incidents than DHS.

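Point 3 above asks “How would you know?” if someone had changed the logic or firmware. The answer has to be an integrity baseline taken at commissioning and compared against later exports. The script below is an added example, not code from the original post or from Digital Bond; the artifact names (plc01/logic.export, plc01/firmware.bin) and their contents are constructed sample data, and in practice the later snapshot would come from a fresh export of the device.

```python
"""
Added example (not from the original post): a minimal integrity baseline
for exported PLC logic and firmware images. The artifact names and
contents below are constructed sample data, not real project files.
"""
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Map each artifact name to the SHA-256 of its content.

    Run this once at commissioning (or after every authorized change) and
    store the result somewhere the device itself cannot modify.
    """
    return {name: sha256_hex(content) for name, content in artifacts.items()}


def compare_to_baseline(baseline: Dict[str, str],
                        current_artifacts: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Diff a fresh export against the stored baseline.

    Returns the artifacts whose hash changed, artifacts that appeared, and
    artifacts that disappeared; any non-empty list is an unauthorized-change
    indicator that needs an explanation.
    """
    current = build_baseline(current_artifacts)
    changed = sorted(n for n in baseline if n in current and current[n] != baseline[n])
    added = sorted(n for n in current if n not in baseline)
    removed = sorted(n for n in baseline if n not in current)
    return {"changed": changed, "added": added, "removed": removed}


def is_clean(diff: Dict[str, List[str]]) -> bool:
    """True only when nothing changed, appeared, or disappeared."""
    return not any(diff.values())


# Constructed sample: artifacts exported at commissioning.
COMMISSIONED: Dict[str, bytes] = {
    "plc01/logic.export": b"NETWORK 1: start pump when level < 30\n",
    "plc01/firmware.bin": b"\x7fFAKE-FW-v2.1\x00",
}

# Constructed sample: a later export where the control logic was altered
# and an unexpected file appeared; firmware is unchanged.
LATER: Dict[str, bytes] = {
    "plc01/logic.export": b"NETWORK 1: start pump when level < 90\n",
    "plc01/firmware.bin": b"\x7fFAKE-FW-v2.1\x00",
    "plc01/extra.bin": b"unexpected",
}

BASELINE = build_baseline(COMMISSIONED)

if __name__ == "__main__":
    # A clean re-export reports nothing; the altered one flags the logic file.
    print("commissioning re-check clean:", is_clean(compare_to_baseline(BASELINE, COMMISSIONED)))
    print("later export diff:", compare_to_baseline(BASELINE, LATER))
```

The baseline has to be kept off the device and compared by a host the device cannot reach; hashes stored on a compromised controller prove nothing. The example also only covers what can be exported, which is the point of the post: devices whose logic or firmware cannot be read back in a trustworthy way give you no way to run this check at all.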
The happy talk later in the article is barely helpful and not the blunt, straight talk that is needed from DHS. Example:

ICS-CERT recommends that critical infrastructure asset owners continually evaluate their cybersecurity posture against recommended practices available from the federal government, industry groups, vendor, and standards bodies. Asset owners should employ continual risk-based assessment of cybersecurity policies to prioritize and tailor these recommended guidelines and solutions to fit specific security, business, and operational requirements.

I’m sure most asset owners would say they are doing this today. So again, we’re all good.

They also are kind enough to call their own site “an excellent resource”. The biggest win DHS has had is in the PR battle. Vendors, owner operators and many ICS security leaders are willing to support the happy talk because it is good for business. SANS NewsBites had three expert commenters stating how DHS/ICS-CERT is one of the few success stories in government.

While the muzzle is off … how can you cancel the spring and fall ICSJWG meetings if the public/private partnership is the key?

The self-imposed moratorium on ICS-CERT bashing was temporarily lifted. I’m still baffled on how any organization can claim success when there has been so little progress in ICS security, but I guess it makes everyone in the community feel better. Moratorium back on – as ICS-CERT has proven they are not part of the solution and not worth the distraction.

Image by Katy.Tresseder