An Attack Near Miss

Monday, May 23, 2011 @ 03:05 PM gHale


If you have to use a USB drive, then “make sure it is clean and free of any potentially dangerous worm, virus, or malware.” The USB drive is a primary attack vector for anyone wanting to get into your system, and that warning almost certainly appears in most security plans.

But does anyone really pay attention? One company did. In late April, one owner reported a near miss with an infected USB drive to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

A technician was visiting the owner’s facility to install a software update. Because the technician did not have administrative access to the system, he handed a USB drive containing the software update to an employee and asked the employee to copy the files to the control system.

The employee followed established policy and performed an “on-demand” virus check on the USB drive, which detected a malicious file hidden in the USB drive’s root folder. The technician had no idea his USB drive was carrying malware.

Because the employee followed the proper procedure, what could have been a nasty infection of the control system network was averted.

That is just one example of why all employees must be aware of cyber security policies and practices, and why staff need training to execute them consistently.

In another case, a researcher reported an Internet-facing building automation control system configured to allow access using the vendor’s default credentials. It turned out the building owner learned the credentials on the system had been changed back to the default settings at the system vendor’s request; the vendor had made the request to maintain remote support access. The building owner has since permanently changed the default credentials to provide better protection against unauthorized access.

This incident highlights a common insecure practice among control system vendors, who configure a remote access “back door” into their SCADA installations. The vendors use this back door for system maintenance and technical support (e.g., updating software, performing maintenance, and troubleshooting issues). While the practice benefits owners and vendors from a support perspective, it also increases the potential for unauthorized remote access to the system.

Once a control system can be identified on the Internet, it immediately becomes a potential target for a variety of attacks, such as account brute forcing and exploitation of unpatched vulnerabilities.

This is one example that reminds owners to locate control system networks and remote devices behind properly configured and tested firewalls, isolated from the business IT network.

Owners also need to establish policies that require strong passwords, require the removal or change of vendor default credentials that could allow unauthorized system access, and provide for the monitoring and control of vendor accounts on control systems.
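As an added illustration (not part of the original article, and not code from ICS-CERT or any vendor), the following Python script shows two defender-side checks that the recommendations above call for: an audit of a control system's remote-access accounts for vendor default passwords and for standing vendor accounts with no expiry, and detection of account brute forcing in gateway login logs. The account inventory, default-credential list, log format, hostnames and IP addresses are all constructed placeholders.

```python
"""Added example: audit remote-access accounts on a control system and flag
brute-force attempts in its login log.  All data below is constructed."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account inventory for a hypothetical remote-access gateway.
# Passwords are hashed with plain SHA-256 only to keep the example
# self-contained; a real system stores salted, slow password hashes.
ACCOUNTS = [
    {"user": "operator1", "pw_sha256": hashlib.sha256(b"Zq7!kLp#29vB").hexdigest(),
     "vendor": False, "enabled": True, "expires": "2011-12-31"},
    {"user": "vendor_support", "pw_sha256": hashlib.sha256(b"support-default").hexdigest(),
     "vendor": True, "enabled": True, "expires": None},
    {"user": "vendor_fieldsvc", "pw_sha256": hashlib.sha256(b"m8$Rt2^wQe1L").hexdigest(),
     "vendor": True, "enabled": True, "expires": "2011-06-30"},
]

# Constructed placeholder defaults (username, password) as shipped by a
# hypothetical vendor; a real audit would use the vendor's documented defaults.
DEFAULT_CREDENTIALS = [("vendor_support", "support-default"), ("admin", "admin-default")]

# Constructed log lines in a hypothetical syslog-style format; addresses are
# from the documentation ranges (RFC 5737).
LOG_LINES = """\
2011-05-20T02:14:01 gw01 remote-access: Failed login for user vendor_support from 203.0.113.45
2011-05-20T02:14:09 gw01 remote-access: Failed login for user vendor_support from 203.0.113.45
2011-05-20T02:14:17 gw01 remote-access: Failed login for user vendor_support from 203.0.113.45
2011-05-20T02:14:26 gw01 remote-access: Failed login for user vendor_support from 203.0.113.45
2011-05-20T02:14:34 gw01 remote-access: Failed login for user vendor_support from 203.0.113.45
2011-05-20T02:14:42 gw01 remote-access: Failed login for user vendor_support from 203.0.113.45
2011-05-20T08:02:13 gw01 remote-access: Failed login for user operator1 from 192.0.2.10
2011-05-20T08:02:40 gw01 remote-access: Accepted login for user operator1 from 192.0.2.10
2011-05-20T09:30:00 gw01 remote-access: Failed login for user vendor_support from 198.51.100.7
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+): "
    r"(?P<result>Failed|Accepted) login for user (?P<user>\S+) from (?P<src>\S+)$"
)


def accounts_with_default_credentials(accounts, defaults):
    """Usernames whose stored password hash equals any vendor default password
    (a default reused on a differently named account is still a default)."""
    default_hashes = {hashlib.sha256(pw.encode()).hexdigest() for _, pw in defaults}
    return [a["user"] for a in accounts if a["pw_sha256"] in default_hashes]


def vendor_accounts_needing_review(accounts):
    """Vendor remote-support accounts that are enabled with no expiry date:
    the standing 'back door' accounts the article describes."""
    return [a["user"] for a in accounts
            if a["vendor"] and a["enabled"] and a["expires"] is None]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {(src, user): failures} for source/account pairs with at least
    `threshold` failed logins inside any span of length `window`."""
    failures = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "Failed":
            continue  # skip unparseable lines and successful logins
        failures[(m["src"], m["user"])].append(datetime.fromisoformat(m["ts"]))

    flagged = {}
    for key, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    print("default credentials still in use:",
          accounts_with_default_credentials(ACCOUNTS, DEFAULT_CREDENTIALS))
    print("standing vendor accounts:", vendor_accounts_needing_review(ACCOUNTS))
    print("brute-force candidates:", detect_bruteforce(LOG_LINES))
```

Run as-is, the script reports `vendor_support` under both audit checks and flags the six failures from 203.0.113.45 against that same account; the single failure from 198.51.100.7 and the operator's typo stay below the threshold. The two findings together are the point: a default credential that was restored for vendor convenience is exactly the account an Internet-facing brute-force attempt goes after, so the credential audit and the log monitoring belong in the same policy.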
