Risk
12/13/2011
12:37 PM
50%
50%

DHS, FBI Give SCADA System Vulnerability Warning

Hackers have infiltrated control system environments in at least three cities this year. Yet, many control systems remain Internet-connected and at risk of remote exploitation.

10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)
Thousands of Internet-connected industrial control systems aren't being properly protected by firewalls or strong authentication, which leaves them at risk of being exploited by attackers.

That warning arrived last week, when the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the Department of Homeland Security (DHS) reissued a warning, first made last year, that Internet-connected industrial control systems could be discovered using search engines such as Shodan, which find devices with embedded and active Web servers.

"ICS-CERT is tracking and has responded to multiple reports of researchers using Shodan, Every Routable IP Project (ERIPP), Google, and other search engines to discover Internet facing control systems," according to the alert. "ICS-CERT has coordinated this information with the identified control system owners and operators to notify them of their potential vulnerability to cyber intrusion and attack."

[ Crime fighters have a lot of new weapons. Read How Digital Forensics Detects Insider Theft. ]

Control systems need not be Internet-connected, but when they are--typically for remote monitoring purposes--"all too often, remote access has been configured with direct Internet access (no firewall) and/or default or weak user names and passwords," said ICS-CERT.

ICS-CERT warned that security researchers aren't the only ones able to use Shodan and its ilk. "Hackers can use these tools to easily identify exposed control systems, posing an increased risk of attack," it said. "Conversely, owners and operators can also use these same tools to audit their assets for unsecured Internet facing devices." On a related note, ICS-CERT said that it's been working with control system vendors to remove default credentials from their products, especially since so many of these credentials are mentioned in publicly accessible materials.

Vulnerabilities in the supervisory control and data acquisition (SCADA) systems used to run manufacturing environments have been in the news lately, owing to the purported hack of an Illinois water treatment facility control system. The incident involved the burnout of a water pump, which state authorities traced to a Russian attacker. But after further review, federal authorities found that the system had been remotely accessed from Russia--legitimately--by a contractor who was there on vacation, and they dismissed the episode.

The Feds' initial downplaying of the attack--which turned out to not have been an attack--led a hacker known as "pr0f" to launch an actual exploit. In particular, pr0f released evidence that he'd hacked into the programmable logic controller at a water treatment facility in South Houston, Texas. He also told Threatpost that the Siemens Simatic human machine interface (HMI) software that he exploited had been protected with only a three-character password.

Despite the prevalence of poorly secured SCADA systems, how often do they get exploited? Last month, Michael Welch, the deputy assistant director of the FBI's Cyber Division, told a London conference that hackers had recently accessed control systems in multiple cities. According to Welch, "We just had a circumstance where we had three cities, one of them a major city within the U.S., where you had several hackers that had made their way into SCADA systems within the city," reported Information Age.

Update: A spokeswoman for the FBI has disputed the accuracy of the Information Age article, saying that the quotes attributed to Welch were both inaccurate and taken out of context.

Database access controls keep information out of the wrong hands. Limit who sees what to stop leaks--accidental and otherwise. Also in the new, all-digital Dark Reading supplement: Why user provisioning isn't as simple as it sounds. Download the supplement now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.