Infrastructure at Risk From Feds’ Failure to Share Info, Security Researchers Charge

LONG BEACH, CA — If the government really wants to protect the nation’s electrical grid and critical infrastructure from hackers and other attackers, it’s got to change the way it communicates with the people in charge of securing those systems.

That was the message sent this week from security professionals to the people running the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, the federal group tasked with helping to secure critical infrastructures in the U.S. by disseminating information about vulnerabilities in them as well as known attacks against them.

The forthright comments occurred at DHS’s Industrial Control Systems Joint Working Group (ICSJWG) conference, an event established to improve communication between the government, security professionals, industrial control system vendors and the companies who run the systems, also known as “asset owners.”

For years, preventing hacks into systems that control industrial equipment remained a niche interest in the security world, which largely focused on threats to IT servers and personal computers. But that’s changed radically in the aftermath of Stuxnet, an intricate worm that was designed to derail Iran’s nuclear ambitions by targeting a Siemens industrial control system connected to that country’s centrifuges and sabotaging their operation.

The worm shone a spotlight on security vulnerabilities that exist in control systems in the U.S. and elsewhere that operate commercial manufacturing facilities – such as food and car assembly plants – as well as more critical infrastructure systems, such as railway facilities, chemical plants, utility companies and oil and gas pipelines. The worm has created an urgent need to shore up these systems before they’re hit with similar attacks.

But Dale Peterson, an independent security consultant who runs the security portal DigitalBond, said that ICS-CERT has failed to provide clear and forthright information about vulnerabilities that customers and security professionals need. This has left them confused about how best to defend and protect systems.

The agency has also failed to adequately involve security professionals in discussions about how to mitigate known threats, wasting an opportunity to gain their insight.

“There are other people involved [in these matters] that can help in the mitigation, and they’re kept out of it simply because they aren’t asset owners,” Peterson told the gathering.

Peterson has been a vocal critic of ICS-CERT and Siemens over their failure to provide timely and useful analysis of Stuxnet and the vulnerabilities it exploited in the Siemens system. ICS-CERT has said it provided detailed information to asset owners in private. But, publicly, the agency released only cursory information about what the malware affected and how it could be mitigated.

Peterson has also been critical of how Siemens and ICS-CERT handled vulnerabilities that were uncovered this year in Siemens products by Dillon Beresford, a researcher with NSS Labs. Beresford discovered multiple serious vulnerabilities in Siemens control systems – including a backdoor that would allow someone to get a command shell on a Siemens controller, a hard-coded password and weak authentication protection.

Beresford contacted ICS-CERT about the vulnerabilities so that the agency could work with Siemens to verify their authenticity and fix the problems before he publicly disclosed them.

Siemens, however, wasn’t forthright about which of its products were affected by the vulnerabilities and fixed only some of them, leaving customers in the lurch, Peterson said. When such vendors fail to communicate honestly and clearly with customers, he said, it becomes ICS-CERT’s responsibility to step in to make sure that customers and security professionals get the information they need to protect their systems.

“I’d say in that area, ICS-CERT has not done a good job, because their bulletins mirror the vendor, whether the vendor does a good job or a bad job at effective disclosure,” he said.

Kevin Hemsley, a senior security analyst with ICS-CERT, welcomed the criticism and said the group’s coordination with vendors is a work in progress, since many vendors aren’t used to the vulnerability disclosure process and are surprised when his group approaches them to discuss vulnerabilities a researcher has uncovered.

“What do they have against me?” he says vendors sometimes ask, thinking that researchers are picking on them. When his group explains how a researcher dug into the system and was able to exploit it, the response is generally, “Well, why would they do that?”

Vendors who are focused on just making sure their products work for customers often have a naïve view of their systems and can’t imagine why anyone would want to look for vulnerabilities in them or research ways to break them. When they realize that ICS-CERT is approaching them under the auspices of trying to help them fix the vulnerabilities “the conversation changes very quickly,” Hemsley said.

Joel Langill, an independent security consultant whose SCADAhacker firm focuses on ICSes, said that ICS-CERT has also failed to provide security professionals with adequate information about successful breaches after they occur, which would help security pros determine how best to protect other potential victims.

He pointed to the so-called “flyaway” forensic teams that DHS sends out to critical infrastructure owners, for free, to help them respond to breaches and collect and analyze data.

“Any details of the breach, what was successfully exploited and what you did . . . we need to see what’s happening in order to protect the people that didn’t get attacked today, when they [do] get attacked tomorrow,” Langill said.

Eric Cornelius, chief technical analyst for DHS’s Control Systems Security Program, told conference attendees that his group is working to address this.

They’re in the process of preparing a report that will distill information and statistics from all of the flyaway investigations the teams have conducted. The report, which will have anonymized data so that victims aren’t identified, will include case studies and statistics to provide information about how particular attacks have unfolded in the field and what steps were taken to remediate them. DHS has no release date for the report yet.

DHS is also looking at doing a long-term follow-up report that will examine how effective remediation efforts were – such as whether they prevented subsequent attacks.