Modern field guide to security and privacy

DHS alert: Heartbleed may have been used against industrial control systems

Specifically, there are unconfirmed reports that the Heartbleed cybervulnerability has been used to attack the encrypted communications systems of industrial control systems. DHS is investigating.

Photo caption (Pawel Kopczynski/Reuters/File): Security experts warn there is little Internet users can do to protect themselves from the recently uncovered 'Heartbleed' bug that exposes data to hackers, at least not until vulnerable Web sites upgrade their software.

The threat from the cybervulnerability dubbed Heartbleed reaches well beyond Web businesses and social networks into the industrial systems that power the US economy, apparently including those used to operate the US power grid.

Unconfirmed reports that Heartbleed has already been used to attack encrypted communications systems of US industrial control systems are being investigated, the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) announced in an alert Friday.

“ICS-CERT is aware of reports of attempted exploitation and is in the process of confirming these reports,” read the alert. “ICS-CERT continues to monitor the situation closely and encourages entities to report any and all incidents regarding this vulnerability to DHS.”

At the same time, industrial firewall-maker Innominate Security Technologies AG of Berlin on Friday informed its customers in an e-mail that some of its firmware products used in industrial firewall systems were vulnerable to Heartbleed attacks. Innominate’s industrial firmware is used by several US industrial cybersecurity companies, but it may not be too widespread, some cybersecurity experts said.

Still, users of the vulnerable versions of the Innominate firmware were “strongly recommended to update the device” with a new, patched version and change the encryption key of the device, the company said in its release.

For electric utilities, chemical plants, and other critical infrastructure companies that use certain encrypted communications to reach their most sensitive industrial processes, Heartbleed holds potential to lay bare encrypted communications between the company’s central controllers and vital but often far-flung processes – ranging from substations to refineries to chemical plants.

But at this point, the extent to which vulnerable versions of OpenSSL encryption software have been deployed in industrial settings isn’t clear. The trend in recent years, experts say, has been to replace telephone connections with Internet connections protected by such encryption.

“The impact of the Heartbleed vulnerability on the cyber security of critical infrastructure (where it involves industrial control systems) is minimal,” writes Ralph Langner, an industrial control systems expert who first identified Stuxnet as a cyberweapon, in an e-mail. “The majority of this infrastructure still uses non-encrypted and non-authenticated protocols” – a far worse vulnerability that may nevertheless lower the Heartbleed problem in the pecking order of industrial cybervulnerabilities.

There’s also the question of how widespread the Heartbleed vulnerability is across the industrial control systems landscape. A snapshot of potentially affected Innominate-related equipment using the SHODAN search engine, which indexes industrial control systems, revealed that 1,500 or so systems worldwide are affected, with just over 200 US systems.

That’s not many. Yet it’s too soon to breathe easy, says Robert Radvanovsky, a cybersecurity researcher and co-founder of Infracritical, a think tank focused on shoring up cyberweaknesses in critical infrastructure.

“It’s still very unclear just what type of systems are vulnerable to Heartbleed, and there will be many other systems not listed by SHODAN,” he says. “Right now the numbers look small, but it would be a mistake to take it easy.”

Other cybersecurity researchers in the industrial control system community remain concerned. Compared with the recent worries about the widespread use of the now-vulnerable Windows XP operating system in industrial settings, “this is a bigger deal,” says Adam Crain, a partner in Automatak, a security-focused industrial control system developer in Raleigh, N.C.

He cautions against assuming that the Heartbleed vulnerability is confined, noting that a key protocol used widely in the electric utility industry employs various versions of OpenSSL.

“I have already found an implementation that uses the affected OpenSSL” software, he says in an e-mail interview. “I suspect many of the implementations will need to be patched.”

Also emerging Friday were reports indicating that nation-states’ intelligence agencies – with their extensive cyberresources – might have known about the vulnerability for some time. This suggested to some that it was used to invade vital systems.

Bloomberg reported Friday that the National Security Agency has been actively exploiting the vulnerability for two years. That report was flatly denied by the Obama Administration in a subsequent New York Times account. Separately, other reports suggested that botnet-based Heartbleed attacks may have been ongoing for some time. Such an activity “makes a little more sense for intelligence agencies than for commercial or lifestyle malware developers,” the Electronic Frontier Foundation, a San Francisco-based Internet watchdog group, noted on its website.

If indeed intelligence agencies have been exploiting Heartbleed in industrial systems, it’s a serious issue, even if more obvious vulnerabilities are slathered across the industrial control system space, says Jake Brodsky, a cybersecurity expert who chairs an industrial communications protocol users group.

“I’m not sure of the full extent of this, and, yes, there are lots of people who will say there are bigger problems,” he says. “It’s really unlikely that you’ll see anyone doing this, exploiting OpenSSL in the industrial control systems, except, perhaps, a nation-state. That’s what should worry us.”
