Increasing Threat to Industrial Control Systems (Update A)
All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
ICS-CERT is monitoring and responding to a combination of threat elements that increase the risk of control systems attacks. These elements include Internet accessible industrial control system (ICS) configurations, vulnerability and exploit tool releases for ICS devices, and increased interest and activity by hacktivist groups and others.
On February 14, 2012, several new exploit tools were publicly released that specifically target programmable logic controllers (PLCs), the building blocks of many ICSs. These exploits target PLCs from GE, Rockwell Automation, Schneider Electric, and Koyo. In addition, one of the exploits targets the EtherNet/IP protocol, which is deployed by numerous PLC vendors in addition to those listed here. The payloads purportedly can affect any device that uses the EtherNet/IP protocol and could allow an attacker to crash or restart affected devices.
--------- Begin Update A Part 1 of 2 --------
A team of researchers recently contacted ICS-CERT with preliminary results from their analytical project to locate Internet facing control system related devices. Using the SHODAN search engine, the researchers compiled a list of more than 500,000 control systems-related devices using supervisory control and data acquisition (SCADA) and other ICS-related search terms. The researchers have brought their findings to the attention of ICS-CERT, citing concerns that an adversary could use the search engine as a shortcut to find vulnerable systems and thereby threaten or attack critical infrastructure. ICS-CERT is working with the researchers and industry partners to notify the owners of the identified IP addresses, but recommends that asset owners and operators take a proactive approach and audit their systems to ensure that strong authentication/logon credentials and defensive measures are in place.
--------- End Update A Part 1 of 2 --------
ICS-CERT is issuing this alert to inform critical infrastructure and key resource (CIKR) asset owners and operators of recent and ongoing activity concerning increased risk to CIKR assets, particularly Internet accessible control systems.
Multiple threat elements are combining to significantly increase the ICSs threat landscape. Hacktivist groups are evolving and have demonstrated improved malicious skills. They are acquiring and using specialized search engines to identify Internet facing control systems, taking advantage of the growing arsenal of exploitation tools developed specifically for control systems. Asset owners should take these changes in threat landscape seriously, and ICS-CERT strongly encourages taking immediate defensive action to secure their systems using defense-in-depth principles.1 Asset owners should not assume that their control systems are secure or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities.
Hacktivist Group Activity
ICS-CERT has recently seen a marked increase in interest shown by a variety of malicious groups, including hacktivist2 and anarchist groups, toward Internet accessible ICS devices. This increased activity includes the identification of Internet facing ICS devices and the public posting of IP address to various Web sites. In addition, individuals from these groups have posted online requests for others to visit or access the identified device addresses.
Specialized Search Engines
The ERIPP and SHODAN search engines can be easily used to find Internet facing ICS devices, thus identifying potential attack targets. These search engines are being actively used to identify and access control systems over the Internet. Combining these tools with easily obtainable exploitation tools, attackers can identify and access control systems with significantly less effort than ever before.
--------- Begin Update A Part 2 of 2 --------
Search engines, such as SHODAN or ERIPP, may be proactively used by owners, operators, and security personnel to audit their networks and devices to locate Internet-facing control system devices that may be susceptible to compromise. Asset owners are encouraged to query various search engines using the vendor product, model, and version of a device, to determine if their IP address block is found within the search results. If control systems devices are found using these tools, asset owners should take the necessary steps to remove these devices from direct or unsecured Internet access as soon as possible.
--------- End Update A Part 2 of 2 --------
ICS-CERT has released two prior alerts3, 4 warning of the risks associated with Internet accessible devices; the alerts are available on the ICS-CERT Web page.
Exploitation Tool Releases
The increased interest in ICS product security has resulted in a significant increase in product vulnerability reports. Security researchers and others have released tools exploiting vulnerabilities identified in these reports. These targeted exploits are readily available through various software tools and from exploit developers. Easy access to free or low cost exploit tools has dramatically lowered the skill level required for novice hackers and has likewise reduced the development time for advanced attackers.
On February 14, 2012, several independent researchers released exploit tools specifically targeting programmable logic controllers (PLCs), which are the building blocks of many ICSs. These tools include modules that can be plugged into exploit frameworks, such as Metasploit, giving potential attackers another avenue to target ICS. Modules have been released to exploit several major PLC vendors, including:
- GE (D20),
- Schneider Electric (Modicon Quantum),
- Rockwell Automation (Allen Bradley ControlLogix), and
- Koyo (H4-ES).
ICS-CERT is actively coordinating with these vendors and has published specific alerts and advisories to notify ICS stakeholders of this addition to the ICS threat landscape.
- 1. CSSP Recommended Practices, http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html, Web site last accessed October 25, 2012.
- 2. Hacktivist groups are ideologically motivated hackers who attack entities’ networks to promote change or make a political statement. Tactics include Web defacements, redirects, denial of service, information theft, Web site parodies, virtual sit-ins, and virtual sabotage. Some groups are well organized and aim to conduct more malicious attacks to advance their views.
- 3. ICS-ALERT-11-343-01 – Control System Internet Accessibility, http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-343-01.pdf, last accessed October 25, 2012.
- 4. ICS-ALERT-10-301-01 – Control System Internet Accessibility, http://www.us-cert.gov/control_systems/pdf/ICS-Alert-10-301-01.pdf, last accessed October 25, 2012.
ICS-CERT strongly recommends that asset owners and operators audit device configurations for Internet accessibility, regardless of whether they believe they have Internet accessible devices.
Control systems often have Internet accessible devices installed without the owner’s knowledge, putting those systems at increased risk of attack.
ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- If remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
- Remove, disable, or rename any default system accounts wherever possible.
- Implement account lockout policies to reduce the risk from brute forcing attempts.
- Implement policies requiring the use of strong passwords.
- Monitor the creation of administrator level accounts by third-party vendors.
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
ICS-CERT also provides a recommended practices section for control systems on the US-CERT Web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870
The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.