Recently, I spoke at the Forum of Incident Response and Security Teams (FIRST) in Bangkok, Thailand, on threat intelligence and incident response. The mantra throughout FIRST was “sharing to win”, a concept that echoes throughout security and got me thinking about information sharing in the ICS/SCADA security arena. This idea of sharing thoughts and experiences led me to contribute an article to the US Department of Homeland Security’s ICS-CERT April-June 2013 Monthly Monitor.
This piece relates to the paper I wrote last March about Internet-facing SCADA systems. The issue gained prominence due to high-profile attacks such as FLAME and Stuxnet. Beyond those headline cases, ICS/SCADA security remains an important topic because these systems are commonly used to operate important industries, e.g. vehicle manufacturing, transportation, energy, and water treatment plants. Attempts to attack these systems may lead to significant damage.
For this research, I developed a honeypot architecture that emulated several types of SCADA and ICS devices. These honeypots included vulnerabilities found across the same or similar systems, to present a realistic environment.
During the research, we found some interesting information on how these attacks were conducted and where they came from. Some of the most prominent attacks were attempts to bypass authentication mechanisms. An attacker also attempted spear-phishing by sending an email to the “administrator” of the system. We noticed that the attackers demonstrated knowledge of the Modbus communications protocol. The most worrisome part, however, is that 17 of these attacks can be considered “catastrophic”.
Fortunately, there are some basic configuration considerations that can improve ICS/SCADA security, which include the following:
- Disable Internet access to your trusted resources, if possible.
- Ensure that your trusted resources have the latest updates and that new patches/fixes are monitored.
- Use real-time anti-malware protection and real-time network scanning locally on trusted hosts and where applicable.
- Require user name/password combinations for all systems, even those deemed “trustworthy.”
- Set secure login credentials and do not rely on defaults.
- Implement two-factor authentication on all trusted systems for any user account.
- Disable remote protocols that are insecure.
- Disable all protocols that communicate inbound to your trusted resources but are not critical to business functionality.
- Utilize network segmentation to secure resources like VES systems, ICS, and SCADA devices. See a great write-up on network segmentation here.
- Develop a threat modeling system for your organization. Understand who’s attacking you and why.
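As an added example (not code from the original post or the research paper), the following Python check ties the Modbus observation above to the segmentation and inbound-protocol items in the list: it parses Modbus/TCP frames and flags state-changing function codes that do not originate from an assumed trusted engineering subnet. The subnet 10.10.0.0/24 and the sample frames are constructed placeholders.

```python
import ipaddress
import struct

# Modbus/TCP MBAP header: transaction id, protocol id, length, unit id.
# The PDU follows; its first byte is the function code.
MBAP = struct.Struct(">HHHB")
# Function codes that change device state, per the public Modbus spec.
WRITE_CODES = {5, 6, 15, 16, 22, 23}
READ_CODES = {1, 2, 3, 4, 7, 17, 20, 24}
# Assumed trusted engineering subnet (placeholder value for this example).
TRUSTED_NET = ipaddress.ip_network("10.10.0.0/24")

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP frame; raise ValueError if the MBAP header is bad."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if len(frame) != 6 + length:  # 'length' counts unit id plus PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[MBAP.size],
            "data": frame[MBAP.size + 1:]}

def classify(src_ip: str, frame: bytes) -> str:
    """Policy: only trusted hosts may write; reads pass; odd frames alert."""
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError:
        return "alert-malformed"
    if msg["function"] in WRITE_CODES:
        trusted = ipaddress.ip_address(src_ip) in TRUSTED_NET
        return "allow" if trusted else "alert-write"
    if msg["function"] in READ_CODES:
        return "allow"
    return "alert-unknown"  # vendor-specific or unexpected function code

# Constructed sample traffic: (source ip, raw frame)
SAMPLES = [
    ("10.10.0.7", bytes.fromhex("00010000000601030000000a")),   # read 10 regs
    ("203.0.113.5", bytes.fromhex("000200000006010600100001")), # write reg 0x10
    ("203.0.113.5", bytes.fromhex("0003000000")),               # truncated
]

def review_samples() -> list:
    """Return (source ip, verdict) for each sample frame."""
    return [(ip, classify(ip, frame)) for ip, frame in SAMPLES]
```

In practice the same check belongs at the segment boundary (firewall or monitoring sensor) rather than on the device, since many PLCs cannot enforce such a policy themselves.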
For more security measures you can implement for ICS/SCADA systems and information about my research, you can read the paper here.
In addition to my contribution, Reid Wightman of IOActive published an article that also warrants a read for those interested in ICS security.