SCADA security poetry

Take a few minutes and enjoy some poetry, courtesy of Tyler Klingler:

scadadata

APT APT everywhere I look.
APT APT in every little nook.
APT solutions for needs both big and small.
But most of this APT is not APT at all.

I query Shodan for GoAhead Web.
As a sad thought goes through my head
A moment of grief when I realized
Finding PLCs is no more a surprise.

As I monitor the NVD
I find a pattern I should not see
Oh dear, Oh my, can it be
Another vuln for my PLC

Not willing to be entirely unimaginative, I had to add my own:

Don’t share a SCADA selfie
They’re really not that neat
You’ll paint a target on your back
That leads to your defeat

Vendors shirk responsibility for writing advisories

I was looking over the Advantech vulnerability announced November 20, 2014 on the ICS-CERT Web page.

advantech advisory

Something struck me. Well, it has struck me before, but it struck me again: The DHS advisory has no official Advantech counterpart.

For example, if you go over to Advantech, and search for “vulnerability” you don’t find anything. Search for “security”: no hits that address the security of its products. No link. No reference. Nothing — for more than sixty publicly-disclosed vulnerabilities affecting its products.

Now, I don’t necessarily expect customer support chat help to know the details on the security of its products, but to help me be sure I wasn’t missing anything on the Web site, I started up a support chat with Advantech:

You are now chatting with ‘Perry’

Sean: Hi Perry

Perry: Hi Sean

Perry: How may I assist you?

Sean: I was wondering if there is a location on the Web site for vulnerability notifications

Sean: I saw some put out by the DHS in the United States

Sean: but was wondering whether Advantech also covered them

Perry: Let me get you transferred over to one of our website people

Sean: I seached the site for “security” and “vulnerability”

Sean: sure

Please wait while I transfer the chat to ‘Mark.Yang’.

You are now chatting with ‘Mark.Yang’

Mark.Yang: Hi Sean

Mark.Yang: Not sure if I understand your question “if there is a location on the Web site for vulnerability notifications”

Mark.Yang: Are you looking for any particular Advantech system(s) that would perform as Intrusion Detection?

Sean: no. I am looking for info on the security of your products,

Sean: here’s the report that came out the other day:https://ics-cert.us-cert.gov/advisories/ICSA-14-324-01

Sean: I was wondering whether Advantech has its version of this advisory

Sean: so I can get more information

Sean: direct from the source

Sean: as opposed from some government Web site

Mark.Yang: I see.

Mark.Yang: Sorry I currently don’t have such details at hand

Mark.Yang: But you can open a support ticket for this request

Mark.Yang: Someone can further assist you in greater details

Mark.Yang: http://www.advantech.com/contact/default.aspx?page=contact_form2&subject=Technical+Support

Sean: right — maybe I will give that a shot

Critical Intelligence has analyzed well over 1,000 ICS-specific vulnerabilities. Advantech is not alone; many vendors do not write their own advisories. If the security bugs are reported through the ICS-CERT then the affected vendor may work with the ICS-CERT to help the ICS-CERT write an advisory, but the vendor does not write its own.

To me this is shirking the duty that a vendor owes its customers — customers that rely on those products to control critical infrastructure. Look, If I bought your product you should tell me about its problems. You shouldn’t expect me to go to some government Web site to do that for you — especially when its not even the government of your home/headquarters country.

I also think that the DHS ICS-CERT should push vendors to step up their game. A true “public-private partnership” requires the private side to contribute. At least *try* to tell your customers.

Alms for the cyber poor: municipal water industry

The other day I was investigating a presentation by hackers of foreign origin. Their slide deck, which included references to finding Internet-connected SCADA, presented a screen shot of an HMI.

Old Boston City Hall

Close examination showed it belonged to a water treatment facility in the USA. I was concerned that it could mean attackers had gained access the the HMI over the Internet.

I looked up contact info for the water department at the municipality and shot off an email. I didn’t expect to get any response, as previous attempts with other organizations in similar situations had proved fruitless.

I was surprised when I got a call from the municipality’s IT director. Woot! Someone cared!

Most munis, and water in particular, are under-funded and under-staffed. Security is about bottom of the list. Simultaneously confirming, and dismissing my stereotype, the director told me that her very position had previously been a “parking” spot for policemen who needed something to do (AKA couldn’t be fired).

She thought that it might very well be a breach, and promised to look into it. Later that day, I got another call, this time from a plant engineer, who reported that the system integrator had posted numerous HMI screenshots of their plant to the public Internet — including the one in question.

He believed this to possibly be a breach of the NDA under which the work was done.

In some ways it was a relief. In others it was disconcerting.

Lessons learned:

  • There are munis that care
  • There are water people who care
  • Watch out for the integrators
  • Hackers of foreign origin are looking

PCII and Black Energy 2 incident response

PCII is a program that allows industry to share (cyber security) information with the government while keeping that information out of public sight — it is exempt from FOIA request.

pcii

I was reading an article about the Black Energy 2 cyber “attacks”, and came across an interesting quote regarding PCII:

Organizations that do not want to disclose the breach, but still want to cooperate with ICS-CERT, can invoke the confidentiality protections of the Protected Critical Infrastructure Information (“PCII”) Program to share information with the government.

I am glad that ICS-CERT carries a banner for ICS security. They use the press to their advantage and have won great attention to the issue.

I also think that in a general way it is nice that organizations can share some cyber security details with the government. In theory this may allow the government to understand a bigger picture, and take responses in ways that a private organization might not be able to.

I have to admit though, that there is another way to interpret the quote. Let me re-phrase:

Organizations that were foolish enough to connect their industrial control systems directly to the Internet, despite years of warning from the private sector and DHS, can comfortably request taxpayer assistance by invoking the PCII program. This loophole allows possibly-negligent organizations to receive federal cyber security incident response subsidies while keeping it secret from the taxpayers who ultimately foot the bill.

My point is that in some way we need to encourage industry to take responsibility for their inaction on the cyber issue. There are many ways to do this. But, we can have those conversations another day.

Finding SCADA honeypots on Shodan

I’ve come across a super secret stash of SCADA…

(and no, it’s not Eireann Leverett — that’s the other kind of ‘stache)!

It is the Internet connected SCADA honeypots. Head over to Shodan and you will see 58 results for “Mouser Factory”, which is a known default in the Conpot ICS honeypot.

mouser

You will also find 68 results for “Water valve control #27” — all hosted on Amazon.

Valve 27

Further investigation of these shows a certificate belonging to “US Government”, with a common name of “watercontrol.fortmeade.gov”, valid starting November 6, 2014:

certificate

Lesson: if you are looking for very valid results from Internet-connected ICS/SCADA honeypots research, you’ve got to blend in a little better!