WASHINGTON, D.C. -- America's water and energy utilities face constant cyber-espionage and denial-of-service attacks against industrial-control systems, according to the team of specialists from the U.S. Department of Homeland Security who are called to investigate the worst cyber-related incidents at these utilities.
These ICS-based networks are used to control water, chemical and energy systems, and the emergency response team from DHS ICS-CERT, based at the DHS in Washington, D.C., will fly out to utilities across the country to investigate security incidents it learns about. ICS-CERT typically doesn't name the utilities it tries to assist, but this week it did provide a glimpse into how vulnerable America is. In a panel at the GovSec Conference, ICS-CERT's leaders candidly presented a bleak assessment of why America's utilities have a hard time maintaining security, and why it's getting worse.
"On a daily basis, the U.S. is being targeted," said Sanaz Browarny, chief, intelligence and analysis, control systems security program at the U.S. Department of Homeland Security as she presented some statistics from fly-away trips taken last year by the ICS emergency response team to utilities, most in the private sector.
Out of the 17 fly-away trips taken by the ICS-CERT team to assist in network and forensics analysis, it appeared that seven of the security incidents originated as spear-phishing attacks via e-mail against utility personnel. Browarny said 11 of the 17 incidents were very "sophisticated," signaling a well-organized "threat actor." She said DHS believes that in 12 of the 17 cases, if only the compromised utility had been able to practice the most basic type of network security for corporate and industrial control systems, they would likely have detected or fended off the attack.
One of the basic problems observed at utilities is that "a lot of folks are using older systems previously not connected to the Internet," she said. "The mindset is the equipment would last 20 or 30 years with updates. These systems are quite vulnerable."
ICS-CERT works with outside security researchers willing to share their findings about industrial control systems, of which there are only about half a dozen major manufacturers, such as Siemens and GE. The power, chemical and water systems companies tend to all use the same thing, Browarny pointed out.
There are three basic types of attacks coming at these utilities today, she said: first, thrill-seeking "garden-variety" hackers who target known vulnerabilities; second, the dangerous volley of viruses, worms and botnet attacks; and third, "nation-state actors" that have "unlimited funding available" and conduct espionage as they "establish a covert presence on a sensitive network."
She also noted that the hacktivist group Anonymous is becoming more interested in ICS and it's a threat that should be taken seriously.
Kevin Helmsley, a leader in the emergency-response effort in the Control Systems Security Program at ICS-CERT, which operates under DHS, said the count of "incident tickets" related to reported incidents at water and power-generating utilities is going up. While only nine incidents were reported in 2009, last year this grew to 198 incident tickets. Just over 40% came from water-sector utilities, with the rest from various energy, nuclear energy and chemical providers. "There's a lot of exposed water systems," he noted. In three of the 17 fly-away missions last year to some of these companies, the problems were discovered by third parties, such as hired contractors.
Outside researchers will from time to time discover vulnerabilities in ICS-related products, and Helmsley noted that older ICS equipment that is hard to bring up to date is a big issue. He said he knew of one GE product that was 20 years old and still in use and "riddled with problems." But some of the ICS equipment is very expensive and owners want to maximize their investments, he pointed out. "Sometimes the product is no longer being maintained by the vendor and they don't release a patch. But that doesn't mean it's not being used." Sometimes the bad guys do release exploit code for these vulnerable products, he noted.
When asked why some ICS-CERT advisories (some are public, but much is shared through a private portal with industry in a way that usually sanitizes detail about the victimized organization) are sometimes put out a week or more late, long after industry insiders are all buzzing about a problem, the ICS-CERT team admitted there are sometimes difficulties.
Some alert information is delayed because DHS ICS-CERT has to work with the vendor to sort out newly identified issues, and some vendors aren't in the country, said Browarny. Baird McNaught, ICS-CERT operations lead at the Idaho National Lab, which assists in technical analysis, said sometimes the team is waiting on indications of whether the problem is something that can be patched.
Finding out what's really going on is very difficult under the current method of gathering information locally and getting it to Washington, D.C. Sometimes news leaks out about information being quietly shared between ICS-CERT and the nation's local information-collecting organizations, called Fusion Centers, as it did in the unexpected case of the Springfield, Ill., water utility, which had identified what it thought was a serious cyber-attack but which turned out to be a false alarm.
But have no doubt, serious compromises and attacks are occurring, ICS-CERT team leaders say. McNaught spoke about attacks on utilities he's aware of, saying, "We've seen a couple of denial-of-service attacks that have impacted operations." He also noted there's evidence that attackers are even on the control systems. "Most of the attacks are centered around data exfiltration, when they're stealing information for the control systems."
Helmsley said in many cases the attacks don't seem to be coming directly through the Internet via ISPs, for example, but are often traced to outside companies that provide services to the attacked utilities, raising the question of compromises there.
Since the advent of the Windows-targeting Stuxnet malware-related attack on Iranian power facilities, there's more news and interest in the vulnerabilities associated with industrial-control systems, which today often use operating systems such as Windows or Linux as some component to operate controls in industrial settings.
News about power plants with security issues comes up, such as the recent Department of Energy inspector general's report about Bonneville power plant in the northwest of the U.S., criticized for security weaknesses, such as using old Windows servers in their networks for which patches aren't even available. Bonneville was also criticized for poor password-security practices, among other failings. Bonneville has agreed with many of the report's findings but says remediation is well underway.
Browarny offered a bleak assessment of where things stand today. In regulated industries, she said, the water and energy utilities will "do the bare minimum" to pass regulatory audits as they seek to comply with NERC or NIST standards. But this is simply not enough given what America is facing. She also offered some simple advice, such as never picking up USB devices handed out at conferences or otherwise distributed at random, since ICS-CERT has many times seen evidence that such USB devices contain malware used to try to steal data.
"We are a nation at war. And that war is raging 24 x 7 in cyberspace," Curtis Levinson, technical director to NATO, who moderated the panel, put it bluntly. "It's not only hitting stock exchanges and websites. They're also hitting power systems."
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.