Is the Security Response System for SCADA-ICS Broken?

Monday, December 05, 2011



Two weeks ago it was widely reported that water control systems at the Curran-Gardner Public Water District in Springfield, Illinois, had been breached by hackers.

The Department of Homeland Security's ICS-CERT subsequently issued statements denying there was an attack against systems governing the Curran-Gardner Public Water District in Springfield, Illinois.

"There is no evidence to support claims made in the initial Fusion Center report - which was based on raw, unconfirmed data and subsequently leaked to the media - that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported," the DHS issued statement read.

The assertion by DHS ran counter to initial reports by the Illinois Statewide Terrorism and Intelligence Center that there had been a cyber intrusion into the industrial control system (ICS) networks, resulting in data loss and possibly physical damage to systems.

Almost as shocking as the reported intrusion was the revelation that the entire episode may have been a mistake triggered by a contractor staff member who had logged into systems remotely while visiting Russia, a move which has been almost unanimously condemned as a bad security practice by industry experts.

"It's without question a poor security practice, probably the most distressing information out of this investigation. Most organizations would limit access inbound and outbound to certain countries, especially to certain countries like Russia or China," said Andre Eaddy.
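The country restriction Eaddy describes can be checked after the fact against remote-access logs. The following is an added example, not code from the article or from any party it names: it parses constructed remote-login records (the log format, field names, account names and addresses are all assumptions) and flags logins whose source country is outside an allowlist.

```python
# Added example, not part of the original article: a defender-side check that
# flags remote logins to a control network whose source country is outside an
# allowlist. Log format, field names and sample entries are constructed here.
from collections import namedtuple

# Constructed log format: "<ISO time> <user> <source-ip> <country> <outcome>"
SAMPLE_LOG = """\
2011-11-08T02:14:09Z contractor01 198.51.100.24 US success
2011-11-08T03:41:55Z contractor01 203.0.113.77 RU success
2011-11-09T11:02:30Z operator7 192.0.2.10 US success
2011-11-09T23:58:01Z contractor01 203.0.113.77 RU failure
"""

# Countries from which remote access to the control network is permitted
# (assumption: the site allows domestic access only).
ALLOWED_COUNTRIES = {"US"}

LoginEvent = namedtuple("LoginEvent", "time user src_ip country outcome")

def parse_log(text):
    """Parse constructed log lines into LoginEvent records, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: keep going rather than abort a forensics run
        events.append(LoginEvent(*parts))
    return events

def flag_out_of_region(events, allowed=ALLOWED_COUNTRIES):
    """Return events whose source country is not on the allowlist.
    Successes and failures are both reported: a failed attempt from an
    unexpected country is as relevant to an investigation as a success."""
    return [e for e in events if e.country.upper() not in allowed]

def accounts_with_out_of_region_success(events, allowed=ALLOWED_COUNTRIES):
    """Accounts that successfully logged in from a non-allowlisted country;
    these are the sessions an incident review should reconstruct first."""
    return sorted({e.user for e in flag_out_of_region(events, allowed)
                   if e.outcome == "success"})

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in flag_out_of_region(evs):
        print(f"ALERT {e.time} user={e.user} src={e.src_ip} "
              f"country={e.country} outcome={e.outcome}")
    print("accounts to review:", accounts_with_out_of_region_success(evs))
```

The check only works if the remote-access gateway records the source address and resolves it to a country; the Weiss quote further down notes that such logging was absent in the Illinois case.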

While it is shocking to most that a seasoned information security pro would have made such a risky move, even more concerning is the cascade of failures that occurred in the official reporting of the alleged incident as a result.

"It is shocking... we have no control system forensics and logging... What Illinois put out is scarier than hell," said Joe Weiss, who first disclosed information on the alleged Illinois attack.

In a less than straightforward manner, ICS-CERT has attempted to characterize its part in the reporting fiasco as a necessary response to the information leaked and subsequently reported on by Weiss.

"Publicly disclosing affected identity names and incident information is highly unusual and not part of ICS-CERT's normal incident reporting and triage procedures. In this particular case, because unconfirmed information had already been leaked to the public, ICS-CERT and the asset owner/operator felt it was in the best interest of the community to collaboratively analyze all available data and disclose some of the findings," ICS-CERT stated.

The entire episode has many in the security industry questioning whether the security response system in place for monitoring and reporting serious events at facilities considered part of our nation's critical infrastructure is in need of an overhaul.

"Right now, it's not a good model... proactive information coming from the other way," said Gartner analyst John Pescatore.

To top it all off, last week Michael Welch, deputy assistant director of the FBI's Cyber Division, revealed that three U.S. cities recently experienced significant network intrusion events by unnamed attackers by way of poorly secured supervisory control and data acquisition (SCADA) networks.

Welch made the disclosure at the Flemings Cyber Security conference in London, and while he downplayed the intrusion he was candid about the potential for mayhem had the attacker's intentions been more malicious.

Welch did not specify whether the intrusions he was referring to included the recently reported attack against the Illinois facility and another against networks at a water treatment facility in South Houston, Texas, which is still under investigation.

Other than Welch's seemingly offhand statements, there is little information available on the supposed intrusion events, and no specific alerts have been issued.
