{"id":3119,"date":"2018-03-19T12:52:23","date_gmt":"2018-03-19T19:52:23","guid":{"rendered":"https:\/\/zed.inguardians.com\/?p=3119"},"modified":"2019-08-19T13:41:00","modified_gmt":"2019-08-19T20:41:00","slug":"new-dhs-alert-on-breaches-of-the-power-grid-and-other-control-systems","status":"publish","type":"post","link":"https:\/\/zed.inguardians.com\/brief\/new-dhs-alert-on-breaches-of-the-power-grid-and-other-control-systems\/","title":{"rendered":"New DHS alert on breaches of the power grid and other control systems"},"content":{"rendered":"
New DHS alert on breaches of the power grid and other control systems

Issue

Disabling safety or security controls invalidates risk assessment and mitigation. It won’t matter whether the control was disabled by a hacker or by an employee.

New information is surfacing about the breach of control systems first identified in August 2017. One conceptual flaw and one implementation or operating error combined to defeat the safety systems and shut systems down.

In a SCADA environment, the TRICONEX system is a sound concept: it uses triple-redundant comparison of signals as a check of proper operating conditions. If one of the three disagrees, the system enters a safe condition with appropriate alerts and changes. That could mean opening valves to increase cooling or shutting fuel valves to stop the machinery. The firmware of the controllers can, of course, be updated.

To ensure security, a physical switch is used to change the controller from “read-only” to “read-write” for updates. A variety of implementation factors, from remote locations to limited personnel managing large automated systems, may have contributed to operators leaving systems in read-write. In at least one case, one of the maintenance management computers was compromised, giving hackers access to now fully modifiable controllers. In another case, the SCADA system was on a larger network and not properly isolated from external connections, leaving it vulnerable to external penetration.

Remote network access to systems enabled hackers to destroy hard drives inside the company’s computers, and their data was wiped clean (NYT). It also appears that only an error in the attack code prevented physical damage and possibly explosions.

Impact

InGuardians’ clients may be at LOW risk for the specific attacks used against these Industrial Control Systems (ICS).

However, the broader issue of increased risk from “workarounds”, which inevitably occur in every business, may be negating what you think is in place for risk mitigation. The focus is NOT on malicious employees, but on those trying to succeed in the face of unintended policy conflicts. Too few people required to do detailed checks on too many systems, too widely separated or remotely located, is only one of the sorts of situations that creep into daily operations.

Recommendations

Review ACTUAL operating conditions and procedures compared to the policy. Third-party audits or interdepartmental audit teams provide fresh perspectives.

Think more like an attacker. Be less sure – “my door is locked, I can relax” – and more questioning – “the door has a lock, but how would it get picked? Broken? Simply evaded? If it was picked, how would I know?” Red Teams don’t simply run set penetration tests; they use creative thinking to find the unexpected gaps and the new approaches. Those attacking your systems don’t have any rules.

Additional Resources

US CERT:
https://www.us-cert.gov/ncas/alerts/TA18-074A

NY TIMES:
https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html

WIRED:
https://www.wired.com/story/triton-malware-dangers-industrial-system-sabotage/","protected":false},"excerpt":{"rendered":"

\u00a0New DHS alert on breaches of the power grid and other control systems Issue Disabling safety or security controls invalidate risk assessment and mitigation. \u00a0It won\u2019t matter if the control was disabled by a hacker or by an employee. New information is surfacing about the breach of control systems first identified in August 2017. \u00a0One […]<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[169],"tags":[153,107,105,150,135,112,152,130,129,148],"_links":{"self":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3119"}],"collection":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/comments?post=3119"}],"version-history":[{"count":1,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3119\/revisions"}],"predecessor-version":[{"id":3120,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3119\/revisions\/3120"}],"wp:attachment":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/media?parent=3119"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/categories?post=3119"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/tags?post=3119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}