ICS-CERT is monitoring and responding to an increase in a combination of threat elements that increase the risk of control systems attacks.
These elements include Internet accessible ICS configurations, vulnerability and exploit tool releases for ICS devices, and increased interest and activity by hacktivist groups and others.
On February 14, 2012, several new exploit tools were publicly released that specifically target programmable logic controllers (PLCs), the building blocks of many industrial control systems (ICSs). These exploits target PLCs from GE, Rockwell Automation, Schneider Electric, and Koyo.
In addition, one of the exploits targets the EtherNet/IP protocol, which is deployed by numerous PLC vendors in addition to those listed here. The payloads purportedly can affect any device that uses the EtherNet/IP protocol and could allow an attacker to crash or restart affected devices.
ICS-CERT is issuing this alert to inform critical infrastructure and key resource (CIKR) asset owners and operators of recent and ongoing activity concerning increased risk to CIKR assets, particularly Internet accessible control systems.
Multiple threat elements are combining to significantly expand the ICS threat landscape. Hacktivist groups are evolving and have demonstrated improved malicious skills. They are acquiring and using specialized search engines to identify Internet facing control systems, taking advantage of the growing arsenal of exploitation tools developed specifically for control systems.
Asset owners should take these changes in threat landscape seriously, and ICS-CERT strongly encourages taking immediate defensive action to secure their systems using defense-in-depth principles.
Asset owners should not assume that their control systems are secure or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities.
HACKTIVIST GROUP ACTIVITY
ICS-CERT has recently seen a marked increase in interest shown by a variety of malicious groups, including hacktivist and anarchist groups, toward Internet accessible ICS devices. This increased activity includes the identification of Internet facing ICS devices and the public posting of IP addresses to various websites. In addition, individuals from these groups have posted online requests for others to visit or access the identified device addresses.
SPECIALIZED SEARCH ENGINES
The ERIPP and SHODAN search engines can be easily used to find Internet facing ICS devices, thus identifying potential attack targets. These search engines are being actively used to identify and access control systems over the Internet. Combining these tools with easily obtainable exploitation tools, attackers can identify and access control systems with significantly less effort than ever before.
Asset owners are encouraged to use search engines such as ERIPP and SHODAN to audit their own IP address space. If control system devices are found using these tools, asset owners should take the necessary steps to remove these devices from direct Internet access as soon as possible.
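The self-audit described above, as an added example that is not part of the ICS-CERT alert: a Python check that reads the results of an external scan or search-engine export of the owner's own address space and flags ICS protocol ports that are open from the Internet. The CSV layout, the port list, the function name, and the sample records (RFC 5737 documentation addresses) are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Registered ports for common ICS protocols (assumed list; extend it for the
# protocols actually in use at your site).
ICS_PORTS = {
    ("tcp", 44818): "EtherNet/IP explicit messaging",
    ("udp", 2222): "EtherNet/IP implicit I/O",
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 20000): "DNP3",
}

def find_exposed_ics(scan_csv, owned_cidrs):
    """Return sorted (ip, proto, port, service) tuples for ICS ports reported
    open from outside on addresses inside the owner's own public ranges."""
    owned = [ipaddress.ip_network(c) for c in owned_cidrs]
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        try:
            ip = ipaddress.ip_address(row["ip"].strip())
            key = (row["proto"].strip().lower(), int(row["port"]))
        except (KeyError, ValueError, TypeError, AttributeError):
            continue  # skip malformed rows rather than abort the audit
        if (row.get("state") or "").strip().lower() != "open":
            continue  # filtered/closed ports are not reachable services
        if key in ICS_PORTS and any(ip in net for net in owned):
            findings.append((str(ip), key[0], key[1], ICS_PORTS[key]))
    return sorted(findings)

# Constructed sample: external scan results for the owner's ranges.
SAMPLE_SCAN = """ip,proto,port,state
192.0.2.10,tcp,443,open
192.0.2.17,tcp,44818,open
192.0.2.17,udp,2222,open
192.0.2.40,tcp,502,filtered
198.51.100.5,tcp,502,open
203.0.113.9,tcp,502,open
not-an-ip,tcp,502,open
"""
OWNED = ["192.0.2.0/24", "198.51.100.0/24"]  # constructed owned ranges

if __name__ == "__main__":
    for ip, proto, port, service in find_exposed_ics(SAMPLE_SCAN, OWNED):
        print(f"{ip} exposes {service} on {proto}/{port}: "
              "remove from direct Internet access")
```

Every finding is a device to move behind a firewall or VPN, in line with the defensive measures listed in this alert.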
ICS-CERT has released two prior alerts warning of the risks associated with Internet accessible devices; the alerts are available on the ICS-CERT web page.
EXPLOITATION TOOL RELEASES
The increased interest in ICS product security has resulted in a significant increase in product vulnerability reports. Security researchers and others have released tools exploiting vulnerabilities identified in these reports. These targeted exploits are readily available through various software tools and from exploit developers. Easy access to free or low cost exploit tools has dramatically lowered the skill level required for novice hackers and has likewise reduced the development time for advanced attackers.
On February 14, 2012, several independent researchers released exploit tools specifically targeting programmable logic controllers (PLCs), which are the building blocks of many industrial control systems. These tools include modules that can be plugged into exploit frameworks such as Metasploit, giving potential attackers another avenue to target ICS. Modules have been released to exploit several major PLC vendors, including:
• GE (D20)
• Schneider Electric (Modicon Quantum)
• Rockwell Automation (Allen Bradley ControlLogix)
• Koyo (H4-ES).
ICS-CERT is actively coordinating with these vendors and has published specific alerts and advisories to notify ICS stakeholders of this addition to the ICS threat landscape.
ICS-CERT strongly recommends that asset owners and operators audit device configurations for Internet accessibility, regardless of whether they believe they have Internet accessible devices. Control systems often have Internet accessible devices installed without the owner’s knowledge, putting those systems at increased risk of attack.
ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
• Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
• Locate control system networks and devices behind firewalls, and isolate them from the business network.
• If remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that a VPN is only as secure as the connected devices.
• Remove, disable, or rename any default system accounts wherever possible.
• Implement account lockout policies to reduce the risk from brute forcing attempts.
• Implement policies requiring the use of strong passwords.
• Monitor the creation of administrator level accounts by third-party vendors.
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
The Control Systems Security Program (CSSP) also provides a recommended practices section for control systems on the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
The full ICS-CERT advisory can be found here: