The Department of Homeland Security Is Offering Organizations That Use Industrial Control Systems advice or mitigating the effects of cyber attacks. Among the agency’s recommendations: hold on to data from infected systems and prevent enemies from moving within your organization.

DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published a technical paper on cyber intrusion mitigation strategies on Friday. The document calls on critical infrastructure owners to take a number of steps to thwart attacks, or limit the damage they cause; among them: improving their ability to collect and retain forensic data, and to detect attempts by attackers to move laterally within their organization.

The document, a Technical Information Paper – or TIP, is merely guidance from ICS-CERT to critical infrastructure owners and is targeted at both enterprise and control system networks, DHS said. The agency is responding to a rising drum beat of news about vulnerabilities in SCADA and ICS software and attacks on industrial control systems (ICS) and SCADA systems in the U.S. and abroad. In recent weeks, the agency has warned of cyber threats to organizations that operate gas distribution pipelines

The agency’s advise share similarities with advice offered by consulting firms like Mandiant, which specialize in responding to and cleaning up after so-called Advanced Persistent Threat (APT) style attacks. Critical infrastructure operators are advised to determine the extent of any breach, but not to repair or disinfect compromised systems until they can be studied and analyzed using forensic tools. ICS vendors, for example, are told not to patch or disinfect compromised systems using anti virus software until they have been assessed.

In the short term, ICS operators are urged to invest in technologies to help detect breaches, including IDS (intrusion detection system) and IPS (intrusion prevention system) and that can to pick up the signs of a breach. ICS operators should also discontinue practices like credential caching, which store domain credentials locally on machines and to adopt a “least privilege” model for granting permissions, so that compromised user accounts cannot be used to peruse a network or install other, malicious programs on a compromised system.

In the long term, investments in log management technology and application white listing programs that can spot unusual patterns of information and lock down user desktops are recommended. ICS operators also need to log and monitor their DNS (Domain Name System) infrastructure more closely to take not of any unusual DNS requests that could identify malware command and control activity.

DHS’s ICS-CERT works with ICS firms and vendors on security issues. It has been in the spotlight ever since the Stuxnet worm started making headlines in the Summer of 2010. It has occasionally caused controversy. In September, 2011, for example, ICS-CERT director Marty Edwards told attendees at a conference in Washington D.C. that his agency may start treating design-related security flaws differently from coding-related vulnerabilities. Some design-related flaws were “too big” to be described as “vulnerabilities,” he said. (http://threatpost.com/en_us/blogs/dhs-thinks-some-scada-problems-are-too-big-call-bug-092611)

Categories: Compliance, Critical Infrastructure, Data Breaches, Government

Comments (4)

  1. Marry Tomas
    1

    Love this article at all. Yes I think hold on to data after cyber attack. Really I was looking forward to read about it. Thanks for this allocation. 😛

     

  2. Petey Parker
    2

    ICS owners will always be trying to find the right balance between getting the process running again and trying to preserve information to identify an attacker. Generally, getting the process running is the first priority, and this will often make attribution of the attack difficult if not impossible.

  3. Lucas Zaichkowsky
    4

    It’s positive to see guidance going out that advocates detecting a breach in progress and scoping it out before remediating. When you’re dealing with a hack event, you can’t expect to block all possible initial points of entry. You have to look for activity that occures after they make it onto victim zero to detect an advanced hack in progress. It’s quite obvious when a human adversary is present vs mass malware/botnets/etc.

    You also can’t just run around removing malware like it’s a preprogrammed virus. Attackers plant additional backdoors not yet identified on other systems (part of lateral movement) and they’ll often times have VPN access with compromised user accounts. They use built in system tools and functions, not just relying on hacking tools. If you remove any of their attack tools or backdoors prematurely or block the command and control traffic, all you’re doing is tipping them off that you know they’re. They can tell by what’s removed or blocked what you know about. They then fire up one of their alternate backdoors to resume activity and dig in deeper. They change behavior, avoiding the things that were identified and blocked in the (failed) remediation attempt.

    If anyone wants to discuss this further, please reach out to me. Email address is <FirstName>.<LastName>@mandiant.com

Comments are closed.