Attack: ICS-CERT Aids Recovery

Thursday, March 10, 2016 @ 02:03 PM gHale


Incidents occur throughout the industry all the time, and whether or not a manufacturer has a security plan in place, it is only a matter of time before it suffers an attack. The goal, then, is to know when you have been attacked and to have a response plan in place that everyone understands.

That is where the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) comes into play. In one recent case, ICS-CERT worked with an industrial control system asset owner following a report of a possible intrusion. The asset owner operates in the power and water sectors, providing both to its local community. The case was later published in the ICS-CERT Monitor with the end user's name withheld.

In an environment where some organizations are skeptical of working with the government, this company asked ICS-CERT to come onsite to gather data and look for compromises on its network. ICS-CERT held a conference call with the company to plan onsite incident response actions, request technical information, and establish expectations. On the call, ICS-CERT learned the asset owner was in the process of merging its power and water networks, which had previously operated independently.

When the incident response team arrived onsite, the first thing they did was to meet with network engineers and executives.

At the company's request, the team temporarily installed network security monitoring equipment, gathered host and network data, and examined ICS equipment to assess network integrity. Initial analysis turned up low-level malware throughout the water network but no sign of it on the power network.

The team then visited several sites essential to the company's operations. One of these was the distribution/transmission control center, where the team met with the personnel who oversee operations on the power side and manually collected information from the site's servers and HMI. While reviewing the control center's network architecture against the captured data, the team discovered a wireless router the asset owner believed was disconnected from the network. Instead, the wireless router was active and allowed direct access into the control system.

The team also visited the water control center and a power substation to examine equipment. At the water control center, the team found a cellular modem connected to the main water switch. Local staff were unsure of its purpose; it was later identified as providing remote vendor access protected only by a simple username and password. While analyzing the collected data, the team also found TeamViewer connections from high-value hosts (IT operations computers, billing, finance, and badging) to foreign hosts. Local staff confirmed these were not legitimate, and the asset owner blocked the activity.
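The TeamViewer finding is the kind of thing the network security monitoring data collected earlier in the engagement surfaces quickly once you know which hosts matter. The following script is an added example, not ICS-CERT's or the asset owner's tooling: it reads Zeek-style conn.log lines (constructed sample data) and flags sessions from an inventory of high-value hosts to external destinations that are not on a vendor allowlist, either because they use TeamViewer's native port or because the session is long-lived, which is how a TeamViewer session falling back to 443 or 80 shows up among ordinary web traffic. The host inventory, address ranges, allowlist and sample records are assumptions made up for illustration; "foreign" is approximated by "external and not allowlisted", since no GeoIP lookup is included.

```python
"""Flag remote-access sessions from high-value hosts to unexpected external
destinations, run over Zeek-style conn.log lines (constructed sample data)."""
import ipaddress
from collections import namedtuple

# Assumed internal address space of the asset owner (constructed).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed inventory of the hosts the article calls high value (constructed).
HIGH_VALUE_HOSTS = {
    "10.10.1.15": "billing-srv",
    "10.10.1.22": "finance-ws",
    "10.10.2.40": "badging-srv",
    "10.10.3.5": "it-ops-ws",
}

# Assumed external addresses a vendor is contractually allowed to reach (constructed).
VENDOR_ALLOWLIST = {ipaddress.ip_address("203.0.113.10")}

TEAMVIEWER_PORT = 5938  # TeamViewer's native port; it falls back to 443 and 80

Finding = namedtuple("Finding", "ts host role dst dport reasons")

# Constructed sample conn.log in Zeek's tab-separated layout (subset of fields).
SAMPLE_CONN_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration
1457618400.1\t10.10.1.15\t51234\t198.51.100.7\t5938\ttcp\t-\t3600.0
1457618405.2\t10.10.1.22\t51240\t203.0.113.10\t5938\ttcp\t-\t120.0
1457618410.3\t10.10.3.5\t51250\t198.51.100.9\t443\ttcp\tssl\t7200.0
1457618412.4\t10.10.2.40\t51260\t10.10.9.1\t445\ttcp\t-\t1.0
1457618420.5\t10.10.5.77\t51270\t198.51.100.7\t5938\ttcp\t-\t10.0
1457618430.6\t10.10.3.5\t51280\t198.51.100.20\t80\ttcp\thttp\t0.5
"""


def is_internal(ip):
    """True if ip falls inside any of the internal networks."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_conn_log(text):
    """Yield one dict per record, keyed by the header row's field names."""
    lines = [ln for ln in text.strip().splitlines() if ln and not ln.startswith("#")]
    header = lines[0].split("\t")
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) == len(header):
            yield dict(zip(header, fields))


def find_remote_access(text, long_session=1800.0):
    """Return findings for high-value hosts talking to non-allowlisted external
    hosts either on the TeamViewer port or in a session longer than long_session
    seconds (the fallback ports look like ordinary web traffic, so duration is
    the second signal)."""
    findings = []
    for rec in parse_conn_log(text):
        src = rec["id.orig_h"]
        if src not in HIGH_VALUE_HOSTS:
            continue
        dst = ipaddress.ip_address(rec["id.resp_h"])
        if is_internal(dst) or dst in VENDOR_ALLOWLIST:
            continue
        dport = int(rec["id.resp_p"])
        reasons = []
        if dport == TEAMVIEWER_PORT:
            reasons.append("teamviewer-port")
        if float(rec["duration"]) >= long_session:
            reasons.append("long-lived")
        if reasons:
            findings.append(Finding(rec["ts"], src, HIGH_VALUE_HOSTS[src],
                                    str(dst), dport, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_remote_access(SAMPLE_CONN_LOG):
        print(f"{f.ts} {f.role} ({f.host}) -> {f.dst}:{f.dport}  {', '.join(f.reasons)}")
```

On the constructed data this reports two sessions: the billing server on the native TeamViewer port for an hour, and the IT operations workstation holding a two-hour TLS session to an unknown external host. The finance workstation's session to the allowlisted vendor address and the non-inventoried host are not reported, which is the point of maintaining the inventory and allowlist: the same tool also catches the kind of undocumented vendor path the cellular modem represented, once that path is known and either allowlisted or removed.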

At the end of the visit, the team provided the asset owner with its initial findings, along with a set of best practices and recommendations specific to its environment. The company took the recommendations and requested additional support to review the architecture and cyber security posture of its proposed new network.