ECSC Review - Cyber Attack On U.S. Soil Targeting Critical Public Utility Infrastructure in Illinois
*Editor's Update: On November 22, the Department of Homeland Security, along with the FBI, concluded that the event discussed in this blog was not a cyber attack after all. However, the risks and exposure of the public utility infrastructure discussed in this posting remain the same.*
A cyber attack halted the operation at a central Illinois utility's water pump November 8th. The attack has caught the attention of the media worldwide and is now under federal investigation. The incident thought to be the first known attack by a foreign source on a United States industrial system and definitely generated a lot of discussion in Emergent Consulting. It raises serious questions about critical infrastructure. Older industrial control systems (SCADA) are not inherently secure, but yet they control and operate most of our critical infrastructure - railroads, traffic lights, power grids, water systems, nuclear reactors. Until these legacy systems are brought up to Infosec standards, we need to institute compensating controls and best practice to mitigate the risk of cyber warfare.
The incident was reported on November 10, 2011 and addressed in a report from the Illinois Statewide Terrorism and Intelligence Center. The report states that the hackers, using a computer whose IP address was traced to Russia, obtained access to the network with credentials stolen from a company that makes software aimed at controlling industrial systems. While the "attack" was limited to burning out a water pump, it signifies a much larger problem and could be a turning point in the cyber security threat landscape for the United States.
First of all this seems very similar to the Stuxnet worm that disabled a number of nuclear centrifuges in Iran in 2010, surreptitiously reprogramming its industrial equipment's logic controllers. It is too early to tell if the Illinois water utility was the target of a worm or solely a hacking breach, but the end result of manipulating its control systems was the same. The fact that this successfully pierced the veil of U.S. critical infrastructure (defined by HSPD-7 and DHS as telecommunications, energy, water, energy, financial services, nuclear reactors, transportation, and 11 other sectors) is even more alarming.
If the details in the report are accurate, then we can reasonably conclude that this was a prototype to stage a much larger attack on our critical infrastructure. The dress rehearsal would almost certainly have included a reconnaissance mission to garner engineering details, manufacturer data and passwords to be used in other public utility implementations. Imagine the wide-ranging implications if a terrorist hacks the smart grid through breaching a rural power company. This demonstrates the point that smaller enterprises loom as the weak link.
This is also endemic to a larger problem - a system wide breakdown of people, process, reporting, information sharing, and other inter-agency protocol to protect our critical infrastructure. In one article an attorney and trustee for the Illinois township's public water district was reported as saying that the small water utility was aware that "something happened" but that he did not have much information on the matter. He was also confident that no customer records were compromised, and was mystified as to the reason hackers might have targeted the tiny hamlet. Clearly this official is missing the point and the bigger picture.
While terms like "cyber-espionage" and "cyber-warfare" seem glamorous and get tossed around a lot, we also can't lose sight of the root cause of the breach, which was much more prosaic. The report states the attackers gained access to the water utility's network using credentials stolen from a software manufacturer for controlling industrial systems. In short, the bad guys stole a badge. So here is the larger issue: Currently there is no information security for SCADA systems (its manufacturers, the customers that own and operate them, and those that interact with them), so the emphasis must be placed on a number of other compensating controls. The security measures aren't, and can never be, perfect but they can make us much more secure than we apparently are:
- Fortify the perimeter networks that surround or include SCADA systems through intrusion detection and protection systems (IDPS).
- Implement strong authentication based on credentialing and digital certificates to mitigate unauthorized access to the control software by people or devices (non-person entities).
- Packets sent to control SCADA devices can be encrypted and digitally signed using PKI.
- Implement endpoint protection and disable USB drives to minimize local computer and network access.
- Conduct vulnerability assessments at the utility or plant.
- Implement SCAP-compliant devices to report security incidents.
All of these measures require awareness about cybersecurity. And here may be the most worrisome aspect of the Illinois incident: They don't seem to have understood their vulnerabilities in the first place. And they probably aren't alone. One water utility official in a small southeastern Iowa city said that the attack in Illinois could not occur at his facility. "Our system in Ottumwa is what we call a ‘closed' computer system, meaning that it's not accessible via the Internet". Our critical infrastructure could be in more danger than we think.