Do you leave the factory-default password on your devices that are connected to the Internet? While I certainly hope not, and this may seem like a no-brainer, how much more important is it to change manufacturers’ passwords on our nation’s critical infrastructure control systems? DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned that attacks against critical infrastructure are growing, with more than 200 brute-force cyberattack incidents reported between October and May, surpassing the 198 total attacks in all of fiscal year 2012.
The newly issued ICS-CERT Monitor report [pdf] states that more than half of the attacks were against the energy sector. For example, 49 malicious IPs attacked natural gas companies across the Midwest and Plains. “While none of the brute force attempts were successful,” ICS-CERT still deployed onsite teams five different times in just the first half of fiscal year 2013: three times to energy sector companies and twice to manufacturers. “All of the onsite incident response engagements involved sophisticated threat actors who had successfully compromised and gained access to business networks.” In comparison, ICS-CERT onsite teams were deployed only six times in all of fiscal year 2012.
“How many times do pumping stations fail, blackouts happen, or elevators and HVAC systems shut down because a hacker is on a network flicking switches on and off?” asked Threatpost. Security researcher Billy Rios suggested, “If it was simple, I doubt DHS would have been brought in to investigate. It probably did disrupt something. I’m not sure how widespread it was, but if it was small, I think an integrator could come in and reset everything. Instead DHS came in to investigate.”
Rios and Terry McCorkle previously reported a critical zero-day vulnerability in the Tridium Niagara AX Framework, a system used by the military, hospitals and others; the flaw “would allow attackers to remotely control electronic door locks, lighting systems, elevators, electricity and boiler systems, video surveillance cameras, alarms and other critical building facilities.” Rios told Threatpost:
“We see attacks specific to particular building management systems, not only brute-force attacks, but exploits for specific systems, not just a Nessus scan or Nmap,” adding they saw two IP addresses running behind a Tor exit node that knew exactly what they were after. “They’re literally trying to gain access.”
The most common attack vectors against critical infrastructure sectors, according to the ICS-CERT report, were watering hole attacks, SQL injection, and spearphishing. Of the 200 cyberattacks so far (October 1, 2012–May 2013), 53% targeted the energy sector, followed by 17% targeting the manufacturing sector.
Lila Kee of the North American Energy Standards Board told SC Magazine, “The energy sector was likely targeted more than other critical infrastructure operators because of the widespread impact a successful attack could have on the country.” Kee told Softpedia, “This is no longer just speculative noise that causes fear, uncertainty and doubt (FUD).” To Dark Reading, Kee added, “Although attacks on major gas and electric systems are nothing new to those in the industry, these facts serve as evidence that low-level criminals, all the way up to state-sponsored groups, see the value in compromising our nation's critical infrastructure.”
It's unclear why critical infrastructure cybersecurity is still at such high risk of attack, given that back in 2010 experts said, “By the end of 2015, the potential security risks to the smart grid will reach 440 million new hackable points.” In 2011, we were told we should be “very scared” that a $60 piece of malware could bring down the power grid. In 2012, a secret demo for senators simulated a cyberattack on the power grid, causing a mock blackout in NYC in the midst of a killer heat wave. Even FEMA trained for a zero-day attack by hacktivists against critical infrastructure. Those are but a few examples, yet some critical infrastructure systems connected online are still using default passwords!
US-CERT: Change the default password on critical infrastructure, embedded systems
On June 24, US-CERT issued its first security alert for a problem that has been around for years: vendors’ default passwords left in place on Internet-connected devices. “Any system using password authentication accessible from the internet may be affected. Critical infrastructure and other important embedded systems, appliances, and devices are of particular concern.” US-CERT warned that it is “imperative” to change the manufacturer’s password, since lists of such default passwords are easily obtained online and attackers can use the Shodan search engine to find exposed systems.
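The brute-force incidents ICS-CERT counted above and the Internet-exposed, password-authenticated systems US-CERT describes here share one defensive signal: a burst of failed logins against a single host in the authentication log, sometimes followed by a success. As an added example that is not from the page, the report or either agency, here is a small Python sliding-window detector run over constructed, syslog-style login lines. The log layout, the host name `hmi-gw`, the RFC 5737 test addresses, and the thresholds are all assumptions; real devices log in their own formats, so the regex would be adapted per source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like layout (not taken from any real
# device or from the ICS-CERT report). Source addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
2013-05-02T03:14:01 hmi-gw sshd: Failed password for admin from 203.0.113.7
2013-05-02T03:14:03 hmi-gw sshd: Failed password for admin from 203.0.113.7
2013-05-02T03:14:05 hmi-gw sshd: Failed password for root from 203.0.113.7
2013-05-02T03:14:07 hmi-gw sshd: Failed password for admin from 203.0.113.7
2013-05-02T03:14:09 hmi-gw sshd: Failed password for operator from 203.0.113.7
2013-05-02T03:14:11 hmi-gw sshd: Failed password for admin from 203.0.113.7
2013-05-02T03:14:20 hmi-gw sshd: Accepted password for admin from 203.0.113.7
2013-05-02T03:20:00 hmi-gw sshd: Failed password for jsmith from 198.51.100.9
2013-05-02T03:31:00 hmi-gw sshd: Failed password for jsmith from 198.51.100.9
2013-05-02T03:31:30 hmi-gw sshd: Accepted password for jsmith from 198.51.100.9
2013-05-02T04:00:00 hmi-gw sshd: some unrelated line
"""

# One login event per line: ISO timestamp, host, service, outcome, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<svc>\S+): "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for a login event, or None for lines that are not logins."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60),
                      min_failures_before_success=3):
    """Scan log lines in order and return a list of alert dicts.

    Two conditions are flagged per (host, source IP) pair:
      * brute_force: at least `threshold` failed logins inside `window`
        (raised once per pair, when the threshold is first crossed);
      * success_after_failures: an accepted login preceded by at least
        `min_failures_before_success` failures inside `window`, the signal
        that a guessing run may actually have found a working password.
    A lone typo followed by a correct login stays below both thresholds.
    """
    recent = defaultdict(deque)   # (host, ip) -> deque of (ts, user) for failures
    flagged = set()
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        key = (ev["host"], ev["ip"])
        q = recent[key]
        # Drop failures that have aged out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({
                    "type": "brute_force",
                    "host": ev["host"],
                    "src": ev["ip"],
                    "attempts": len(q),
                    "users": sorted({u for _, u in q}),  # account enumeration hint
                    "first": q[0][0],
                    "last": ev["ts"],
                })
        elif len(q) >= min_failures_before_success:
            alerts.append({
                "type": "success_after_failures",
                "host": ev["host"],
                "src": ev["ip"],
                "user": ev["user"],
                "failures": len(q),
                "at": ev["ts"],
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed input the first source trips the brute-force rule on its fifth failure (three distinct account names tried) and then raises the success-after-failures alert when a login is accepted, while the second source, one mistyped password followed by a correct one, produces nothing. Keying on (host, source IP) rather than on user name is deliberate: an attacker working from a default-password list cycles through account names, so a per-user counter would never reach the threshold.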
ICS-CERT, FDA warn about ‘uptick’ in cyberattacks remotely exploiting medical devices
On June 13, ICS-CERT and the FDA warned that medical devices with hard-coded passwords can be remotely “exploited to potentially change critical settings and/or modify device firmware.” ICS-CERT wrote, “Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors.” The FDA said this “cybersecurity for medical devices and hospital networks” alert is a warning for all “medical device manufacturers, hospitals, medical device user facilities, health care IT and procurement staff, and biomedical engineers.”
The FDA added, “Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches. In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates.” Appropriate safeguards must be put in place “to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.”
The categories of affected medical devices included, but were not limited to, “surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient monitors, and laboratory and analysis equipment.” ICS-CERT warned, “Cybersecurity incidents are increasingly likely and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery.”
Over the last year, there has been a significant “uptick” in medical security incidents. William H. Maisel, chief scientist at the FDA’s Center for Devices and Radiological Health, told The Washington Post, “The type and breadth of incidents has increased.” He added that officials used to hear about security incidents once or twice yearly, but “now we’re hearing about them weekly or monthly,” which has “increased our concern.”
Again, it's a bit confusing why such warnings are not taken much more seriously. In 2008, a group showed how to remotely hack a pacemaker and deliver a lethal shock to an implantable cardiac defibrillator. A 2011 Black Hat presentation explained how an attacker with a powerful antenna could be up to a half mile away from a victim yet launch a wireless hack to remotely control an insulin pump and potentially kill the victim. In 2012, a pacemaker hacker said a worm could possibly “commit mass murder.” Being killed by code has been an idea kicked around since 2010. Also in 2012, the feds were pressed to protect wireless medical devices from hackers.
Let's hope all these vital systems and medical devices will soon be truly secured, so we don't awaken one day to discover our critical infrastructure is down, that people with embedded medical devices are being killed by cyber-assassins, or that people depending upon medical device services are being taken out by malware.