Threat Alert Reaches New High

Monday, February 20, 2012 @ 04:02 PM gHale

In the aftermath of researchers revealing vulnerabilities before informing a vendor and an increase in attacks, ICS-CERT is issuing an alert to keep manufacturers aware of the heightened threat posture in the industry.

Several new exploit tools hit the street last week that specifically target programmable logic controllers (PLCs), the building blocks of industrial control systems (ICSs). These tools target PLCs from GE, Rockwell Automation, Schneider Electric, and Koyo. In addition, one targets the EtherNet/IP protocol, which numerous PLC vendors use. The payloads can affect any device that uses the EtherNet/IP protocol and could allow an attacker to crash or restart affected devices, according to the ICS-CERT report.

Multiple threat elements are combining to expand the ICS threat landscape. Hacktivist groups are evolving and have demonstrated improved malicious skills. They are acquiring and using specialized search engines to identify Internet facing control systems, taking advantage of the growing arsenal of exploitation tools developed specifically for control systems.

Asset owners should take these changes in the threat landscape seriously, and ICS-CERT strongly encourages them to take immediate defensive action to secure their systems using defense-in-depth principles, according to the ICS-CERT report.

Manufacturers should not assume their control systems are secure or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities.

The ERIPP and SHODAN search engines can easily find Internet facing ICS devices, thus identifying potential attack targets. In fact, these search engines are being used to identify and access control systems over the Internet. Combining these tools with easily obtainable exploitation tools, attackers can identify and access control systems with significantly less effort than ever before, according to the ICS-CERT report.

Manufacturers should actually use those search engines to audit their own IP address space. A manufacturer that finds control system devices by using these tools should take the necessary steps to remove these devices from direct Internet access as soon as possible.
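One way to run that self-audit offline, as an added example that is not part of the ICS-CERT report or the original article: it matches a search-engine result export against the address ranges an organisation owns and lists every exposed service, control-system protocols first. The record format, the `find_exposures` helper, the port labels, and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import json

# Assumed port labels (not from the article); extend for your own plant.
ICS_PORTS = {44818: "EtherNet/IP", 502: "Modbus/TCP"}

# Constructed sample: ranges the organisation owns (documentation addresses).
OWNED_RANGES = ["192.0.2.0/24", "198.51.100.64/26"]

# Constructed sample export, one JSON record per line (hypothetical format).
SAMPLE_EXPORT = """\
{"ip": "192.0.2.17", "port": 44818, "banner": "constructed"}
{"ip": "192.0.2.17", "port": 80, "banner": "constructed"}
{"ip": "198.51.100.70", "port": 502, "banner": "constructed"}
{"ip": "198.51.100.10", "port": 502, "banner": "constructed"}
{"ip": "203.0.113.5", "port": 44818, "banner": "constructed"}
not-json line from a truncated export
"""

def find_exposures(export_text, owned_ranges, ics_ports=ICS_PORTS):
    """Return (findings, skipped): owned-space hits and unparseable line count."""
    networks = [ipaddress.ip_network(r) for r in owned_ranges]
    findings, skipped = [], 0
    for line in export_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            addr = ipaddress.ip_address(rec["ip"])
            port = int(rec["port"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # count malformed records instead of hiding them
            continue
        owner = next((n for n in networks if addr in n), None)
        if owner is None:
            continue  # not our address space, so out of scope for this audit
        findings.append({"ip": str(addr), "port": port, "range": str(owner),
                         "protocol": ics_ports.get(port)})
    # Control-system protocols first, then by address and port.
    findings.sort(key=lambda f: (f["protocol"] is None,
                                 ipaddress.ip_address(f["ip"]), f["port"]))
    return findings, skipped

if __name__ == "__main__":
    hits, bad = find_exposures(SAMPLE_EXPORT, OWNED_RANGES)
    for h in hits:
        label = h["protocol"] or "other service"
        print(f'{h["ip"]}:{h["port"]} in {h["range"]} -> {label}')
    print(f"{bad} record(s) could not be parsed")
```

Any hit inside an owned range, including the non-ICS ones, marks a host that is directly reachable from the Internet and should be checked against the asset inventory.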

Increased interest in ICS product security has resulted in a significant increase in product vulnerability reports. Security researchers and others have released tools exploiting vulnerabilities identified in these reports. These targeted exploits are readily available through various software tools and from exploit developers. Easy access to free or low cost exploit tools has dramatically lowered the skill level required for novice hackers and has likewise reduced the development time for advanced attackers.

While end users may or may not know the software they are running is vulnerable, they should be auditing their systems on a routine basis.

That is why, as a mitigation approach, ICS-CERT recommends manufacturers audit device configurations for Internet accessibility, regardless of whether they believe they have Internet accessible devices. Control systems often have Internet accessible devices installed without the owner’s knowledge, putting those systems at increased risk of attack.
