According to a new report by the Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), public facing control systems often have weak internet security and are inviting targets for hackers.
The report cites two incidents of hacking, including an unnamed public utility that was hacked because a control system had weak password authentication that could be overcome by brute force.
In a second incident, a control system operating a mechanical device was compromised because the unnamed organization controller had no authentication protection at all. The report states that the device was directly connected to the Internet with no authentication or even firewall protection. The device was compromised by a sophisticated hacker using a cellular modem. By chance, the device was disconnected from the controller system for scheduled maintenance so the hackers could not manipulate the device itself. According to the cyber report, this incident highlights the need for perimeter security and monitoring systems to prevent hackers from identifying vulnerable ICS.
In addition, the report states that an Internet connected HVAC system and Emergency Response System at an arena at the Sochi Olympics lacked authentication to access. The problem was identified and addressed by a consultant with the security firm Qualys.
The report makes the following recommendations, which are all good advice for any Internet facing system.
- Minimize network exposure for all control system devices. In general, locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
- Remove, disable or rename any default system accounts wherever possible.
- Implement account lockout policies to reduce the risk from brute forcing attempts.
- Establish and implement policies requiring the use of strong passwords.
- Monitor the creation of administrator level accounts by third-party vendors.
- Apply patches in the ICS environment, when possible, to mitigate known vulnerabilities.
The message from Homeland Security is simple, you’re network is only as secure as your weakest link. Unfortunately, hackers know that and working hard to find it before you do.