New DHS alert on breaches of the power grid and other control systems

Issue

Disabling safety or security controls invalidates the risk assessment and mitigation that depend on them.  It won’t matter whether the control was disabled by a hacker or by an employee.

New information is surfacing about the breach of control systems first identified in August 2017.  One conceptual flaw and one implementation or operating error combined to defeat safety systems and shut down systems.

In a SCADA environment, the Triconex system is a sound concept, using triple-redundant comparison of signals as a check of proper operating conditions. If one of the three disagrees, the system enters a safety condition with appropriate alerts and changes. That could mean opening valves to increase cooling or shutting fuel valves to stop the machinery. The firmware of the controllers can, of course, be updated.

To ensure security, a physical switch is used to change the controller from “read-only” to “read-write” for updates. A variety of implementation factors, from remote locations to limited personnel managing large automated systems, may have contributed to operators leaving systems in read-write. In at least one case, one of the maintenance management computers was compromised, allowing hackers access to controllers that were now fully modifiable. In another case, the SCADA system was on a larger network and not properly isolated from external connections, leaving it vulnerable to external penetration.
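As an added illustration, not part of the original advisory, the following Python models the two checks described above: a 2-out-of-3 vote over redundant channel readings that forces a safe state on disagreement, and a policy audit that flags controllers whose switch has been left in read-write without an authorised change record or beyond a maintenance window. The threshold, controller names, tickets and inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

TRIP_THRESHOLD_C = 120.0  # constructed: temperature above which a channel votes to trip

def vote_2oo3(readings: List[float], threshold: float = TRIP_THRESHOLD_C,
              tolerance: float = 2.0) -> Tuple[str, str]:
    """Triple-redundant check: a disagreeing channel (spread beyond tolerance)
    is treated as a fault and forces the safe state, as does a 2-of-3 trip vote."""
    if max(readings) - min(readings) > tolerance:
        return "SAFE_STATE", "channel disagreement"
    trips = sum(1 for r in readings if r > threshold)
    if trips >= 2:
        return "SAFE_STATE", "2oo3 trip"
    return "RUN", "channels agree and within limits"

@dataclass
class Controller:
    name: str
    keyswitch: str                # "RUN" (read-only) or "PROGRAM" (read-write)
    since: datetime               # when the switch was last moved
    change_ticket: Optional[str]  # authorised change record, if any

def audit_keyswitches(controllers: List[Controller], now: datetime,
                      max_window: timedelta = timedelta(hours=4)) -> List[Tuple[str, str]]:
    """Compare ACTUAL switch state with policy: read-write only under an authorised
    change and only for the length of the maintenance window."""
    findings = []
    for c in controllers:
        if c.keyswitch != "PROGRAM":
            continue
        if c.change_ticket is None:
            findings.append((c.name, "read-write with no authorised change record"))
        elif now - c.since > max_window:
            findings.append((c.name, "read-write beyond the maintenance window"))
    return findings

NOW = datetime(2018, 3, 20, 9, 0)  # constructed reference time
INVENTORY = [  # constructed sample inventory, not real site data
    Controller("SIS-01", "RUN", NOW - timedelta(days=30), None),
    Controller("SIS-02", "PROGRAM", NOW - timedelta(hours=1), "CHG-1042"),
    Controller("SIS-03", "PROGRAM", NOW - timedelta(days=12), "CHG-0977"),
    Controller("SIS-04", "PROGRAM", NOW - timedelta(hours=2), None),
]

if __name__ == "__main__":
    print(vote_2oo3([100.0, 100.2, 140.0]), audit_keyswitches(INVENTORY, NOW))
```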

Remote network access to systems enabled hackers to destroy hard drives inside the company’s computers, and their data was wiped clean (NYT). It also appears that only an error in the attack code prevented physical damage and possibly explosions.

Impact

InGuardians’ clients may be at LOW risk for the specific attacks used against these Industrial Control Systems (ICS).

However, the broader issue of increased risk from “workarounds”, which inevitably occur in every business, may be negating what you think is in place for risk mitigation. The focus is NOT on malicious employees, but on those trying to succeed in the face of unintended policy conflicts. Too few people required to do detailed checks on too many systems, too widely separated or remotely located, is only one of the sorts of situations that creep into daily ops.

Recommendations

Review ACTUAL operating conditions and procedures compared to the policy. Third-party audits or interdepartmental audit teams provide fresh perspectives.

Think more like an attacker. Be less sure – “my door is locked, I can relax” – and more – “the door has a lock, but how would it get picked? Broken? Simply evaded? If it was picked, how would I know?”  Red Teams don’t simply do set penetration tests, but use creative thinking to find the unexpected gaps, the new approaches. Those attacking your systems don’t have any rules.

Additional Resources

US CERT:

https://www.us-cert.gov/ncas/alerts/TA18-074A

NY TIMES:

https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html

WIRED:

https://www.wired.com/story/triton-malware-dangers-industrial-system-sabotage/