Earlier this month at the Flemings Cyber Security conference, Michael Welch, the Deputy Assistant Director of the FBI’s Cyber Division, acknowledged that three public utilities in different cities have been hacked:
“We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into Scada systems within the city.”
He also admitted that the hackers could have caused significant damage by manipulating the SCADA systems that they had compromised:
“Essentially it was an ego trip for the hacker because he had control of that city’s system and he could dump raw sewage into the lake, he could shut down the power plant at the mall – a wide array of things.”
He did not say if these three included the two water plants that made news last month. It also sounded like the FBI cyber security team is somewhat limited in manpower and resources as he said they currently run on a 9-5 schedule and are not a 24 hour operation.
The Deputy Assistant Director’s statements inadvertently answered a question I asked in a previous post: why federal agents are not using the same search tools to find and help lock down these systems. If they only have the staff to run a 9-5 operation, they simply do not have the manpower to do so.
According to GCN, hackers are using “readily available and generally free search tools”, most likely Shodan, to find and gain access to these systems.
In response, the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) asked city workers to carefully audit their systems to prevent further incidents. They also provided a free security tool to aid the utility operators called the DHS Control Systems Security Program (CSSP) Cyber Security Evaluation Tool.
In addition, the DHS recommends the following steps be taken:
• Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
• Locate control system networks and devices behind firewalls and isolate them from the business network.
• If remote access is required, use secure methods such as virtual private networks, recognizing that VPNs are only as secure as the connected devices.
• Remove, disable or rename any default system accounts wherever possible.
• Create account lockout policies to reduce the risk from brute forcing attempts.
• Create policies requiring the use of strong passwords.
• Monitor the creation of administrator level accounts by third-party vendors.
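The checklist above, turned into an inventory audit as an added example (not the post’s own code and not the DHS evaluation tool): each device record is checked against the recommendations and the violations are listed. The inventory format, field names, default-account list, password-length threshold and the sample devices are constructed assumptions.

```python
"""Audit a control-system device inventory against the DHS recommendations above.
Example code; the record format and sample data are constructed, not a DHS format."""
from dataclasses import dataclass, field

# Assumed, illustrative list of vendor default account names.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest", "operator"}
MIN_STRONG_PASSWORD_LEN = 12  # assumed threshold for a "strong password" policy


@dataclass
class Device:
    name: str
    zone: str                    # "control", "business" or "internet"
    behind_firewall: bool        # isolated from the business network by a firewall
    remote_access: str           # "none", "vpn" or "direct"
    accounts: set[str] = field(default_factory=set)
    lockout_threshold: int = 0   # failed logins before lockout; 0 = no policy
    min_password_len: int = 0    # enforced minimum password length
    vendor_admin_accounts: set[str] = field(default_factory=set)
    vendor_admins_reviewed: bool = False


def audit_device(d: Device) -> list[str]:
    """Return one finding per DHS recommendation the device violates."""
    findings = []
    if d.zone == "internet":
        findings.append("directly faces the Internet")
    if not d.behind_firewall or d.zone == "business":
        findings.append("not isolated behind a firewall from the business network")
    if d.remote_access not in ("none", "vpn"):
        findings.append("remote access not via VPN")
    defaults = sorted(d.accounts & DEFAULT_ACCOUNTS)
    if defaults:
        findings.append("default accounts present: " + ", ".join(defaults))
    if d.lockout_threshold <= 0:
        findings.append("no account lockout policy")
    if d.min_password_len < MIN_STRONG_PASSWORD_LEN:
        findings.append("weak password policy")
    if d.vendor_admin_accounts and not d.vendor_admins_reviewed:
        findings.append("unreviewed vendor-created admin accounts")
    return findings


def audit_inventory(devices: list[Device]) -> dict[str, list[str]]:
    return {d.name: audit_device(d) for d in devices}


# Constructed sample inventory: one hardened PLC and one exposed pump controller.
SAMPLE = [
    Device("plc-01", "control", True, "vpn", {"ops_jsmith"}, 5, 16, set(), False),
    Device("pump-ctl", "internet", False, "direct", {"admin", "ops"}, 0, 6, {"vendor_admin"}, False),
]
```

Running `audit_inventory(SAMPLE)` reports no findings for plc-01 and seven for pump-ctl, one per violated recommendation.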