The January – April 2014 edition of the ICS-CERT Monitor was chock full of interesting facts and factoids. Here is what caught my eye.
Internet Accessible Control Systems
Facts – Three examples of Internet accessible control systems are described. The value is in the description of the two attacks; the third an HVAC was found by researcher Billy Rios.
Factoid – The attackers were described as “sophisticated threat actors” yet one of the systems had no authentication or protection and the other had any easily cracked password. Perhaps the attackers were sophisticated, but minimal skill and knowledge were required to compromise these systems.
Recap of Vulnerabilities
Consider this quote:
Authentication flaws were the most abundant vulnerability type coordinated in 2013, which includes vulnerabilities like factory hard-coded credentials, weak authentication keys, etc. These tend to be of highest concern because an attacker with minimal skill level could potentially gain administrator level access to devices that are accessible remotely over the Internet.
Yet the insecure by design (no source or data authentication) ICS protocols used to monitor the critical infrastructure are still not considered a vulnerability or worth addressing by DHS???
Our #1 competitor performed 20 assessment consulting engagements in Q1 2014.
Enhanced Cybersecurity Services (ECS)
An information sharing vehicle that passes info from DHS to Commercial Service Providers (CSP) who can pass it to approved asset owners. Currently there are 40 asset owners in the program and two approved CSP.