Attackers recently compromised a utility in the United States through an Internet-connected system that gave the attackers access to the utility’s internal control system network. The utility, which has not been named, had remote access enabled on some of its Internet-connected hosts and the systems were only protected by simple passwords.
Officials at the ICS-CERT, an incident response and forensics organization inside the Department of Homeland Security that specializes in ICS and SCADA systems, said this week that the public utility was compromised “when a sophisticated threat actor gained unauthorized access to its control system network.”
The attacker apparently used a simple brute-force attack to gain access to the Internet-facing systems at the utility, and then compromised the ICS network.
“After notification of the incident, ICS-CERT validated that the software used to administer the control system assets was accessible via Internet facing hosts. The systems were configured with a remote access capability, utilizing a simple password mechanism; however, the authentication method was susceptible to compromise via standard brute forcing techniques,” ICS-CERT said in a published report.
The security of industrial control systems and SCADA systems has become a serious concern in recent years as attackers and researchers have begun to focus their attention on them. Many of these systems, which control mechanical devices, manufacturing equipment, utilities, nuclear plants and other critical infrastructure, are connected to the Internet, either directly or through networks, and this has drawn the attention of attackers looking to do reconnaissance or cause trouble on these networks. Researchers have been sharply critical of the security in the SCADA and ICS industries, saying it’s “laughable” and has no formal security development lifecycle.
The ICS-CERT report says that the systems in the compromised utility probably were the target of a number of attacks.
“It was determined that the systems were likely exposed to numerous security threats and previous intrusion activity was also identified,” the report says.
The investigators were able to identify the issues and found that the attackers likely hadn’t done any damage to the ICS system at the utility.
In the same report, ICS-CERT detailed a separate compromise at an organization that a control system connected to the Internet. Attackers were able to compromise the ICS system, which operates an unspecified mechanical device, but didn’t do any real damage.
“The device was directly Internet accessible and was not protected by a firewall or authentication access controls. At the time of compromise, the control system was mechanically disconnected from the device for scheduled maintenance,” the report says.
“ICS-CERT provided analytic assistance and determined that the actor had access to the system over an extended period of time and had connected via both HTTP and the SCADA protocol. However, further analysis determined that no attempts were made by the threat actor to manipulate the system or inject unauthorized control actions.”