Monday Accidents & Lessons Learned: “Brute Force” Compromises Assets
Fighting today’s cybercrime has become a scenario in which businesses continually strive to stay ahead of the most recent evolution. Technology has forever changed the way we work, and the company culture that stays cybersecurity-alert is less likely to spend worklife looking over its collective shoulder.
The very real situation that follows is a Lesson Learned, the Risk of Internet Accessible Cyber Assets, from Western Electric Coordinating Council and NERC (North American Electric Reliability Corporation).
An electronic access point connected to the internet from a low-impact facility for remotely accessing a capacitor bank was compromised by unauthorized internet users for seven months prior to discovery.
A registered entity discovered a compromised electronic access point connected to the internet from a low-impact facility. The access point was originally intended to be temporary and was installed by a SCADA (supervisory control and data acquisition) Manager who subsequently left the entity without providing adequate documentation and turnover to the next SCADA Manager. The access point was misidentified as a remote terminal unit (RTU) with an end-of-life (EOL) operating system and left in place. Unauthorized personnel accessed the cyber asset for seven months before the registered entity became aware of the compromise. Because the device was identified as an EOL system, the compromised system was not maintained (patched, monitored, etc.) by the registered entity and was thus more susceptible to exploitable vulnerabilities.
The initial compromise resulted from an unauthorized internet user guessing via a “brute force”1 method the weak password for the administrators’ account, which permitted remote access. The compromised cyber asset was used over a seven-month period as a mail relaying (SMTP) and remote desktop (RDP) scanner.2 Additionally, the IP address and credentials for the cyber asset were posted on a Russian-based media site, and the cyber asset was subsequently infected with ransomware. The compromise was discovered after support staff could not remotely access the cyber asset. The purpose of the internet-connected access point was to remotely access and operate the capacitor banks to ensure the reliability of the system. Upon looking into the matter further, personnel discovered that the cyber asset was compromised with ransomware, so the registered entity immediately powered off the cyber asset.
Forensic analysis on the compromised system identified several different scanning tools designed to locate remotely accessible RDP or SMTP servers along with text files containing IP addresses for the scanners to target. Although the attackers likely conducted reconnaissance on the local network to identify other vulnerable devices, the primary focus of their activity appears to identify other remote systems to target for attacks.
The registered entity removed the compromised device from service and performed forensic analysis to identify all malware on the affected device and determine agent(s) of the compromise, time lines, and reveal (to the most possible extent) the underlying activities and motives of the compromise. A virus scan was also performed on all devices at the same site as well as a review of logs on all of the devices to look for anomalous activity. Other locations were also scanned to determine whether they had similar installations or issues.
Cyber assets at low-impact facilities capable of remote internet connectivity are susceptible to unauthorized access from the internet or unsecured networks if not properly secured. These remote access points are typically used to provide communication paths for monitoring and control purposes to maintain BES (Bulk Electric System) reliability. Remote connectivity that can provide unauthorized and potentially malicious access to systems that supply auxiliary power, power quality, voltage support, fault monitoring, and breaker control is of particular concern.
Failure to develop and follow appropriate policies and procedures to control the installation and maintenance of cyber assets may create exploitable vulnerabilities that could negatively impact BES reliability. In this case, installation of, inaccurate identification of, and failing to provide adequate security protections for a device connected to a registered entity’s network led to the compromise of the device. There may be several practical lessons learned that can be derived from this event that apply to low-impact cyber assets and constitute good cybersecurity practices in general.
Policy and Procedures
- Train employees and contractors on cybersecurity awareness, policy, and practices
- Catalog cyber assets at low-impact facilities to determine use and facilitate accurate records
- Consult with and obtain authorization from responsible IT departments as well as compliance and risk management groups to evaluate potential risks and impacts of internet-facing and internet-worked cyber assets at low-impact facilities
- Have personnel (e.g., operations, maintenance) who perform periodic onsite visits conduct cyber-device inventory checks as part of routine safety and maintenance inspections
- Consider using a checklist
- Periodically reevaluate risks and potential impacts of the inventoried cyber assets as new threats and vulnerabilities are revealed or vendor support is discontinued
- An entity’s IT department could use tools such as Shodan3 and nmap4 on the entity’s own public IP space on a regular basis to verify only authorized ports are open to the internet
- When an employee or contractor leaves the company or is terminated, ensure appropriate turnover and knowledge transfer processes occur
Cybersecurity practices to consider for low-impact facilities
- Identify and secure cyber assets at low-impact facilities capable of remote connectivity
- Where possible, implement network access controls within the system to prevent the installation of unauthorized hardware
- Implement network segmentation into trust zones
- Change default passwords with strong passwords on user accounts and administrative accounts and restrict operational use of administrative accounts
- Implement MFA (multi-factor authentication) for all internet-facing resources that support these technologies
- Provide for a patch management plan for evaluating security patching for cyber assets at low-impact facilities
- Whenever practical, monitor the network for anomalous behavior
1“Brute forcing” is an automated method of attempting authentication with many different passwords until the attacker is able to successfully login to the system.
2A network scanner performs a scan on a network and collects an electronic inventory of the systems and the services for each device on the network. In this case, the server was used to scan for open SMTP (Simple Mail Transfer Protocol) servers and RDP (Remote Desktop Protocol) servers for potential compromise.
3Shodan is an internet site used to discover devices that are connected to the internet, where they are located and who is using them.
4Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing.
TapRooT® recommends the following modifications to your online behavior to reduce the possibility of cybercrime:
- Change passwords regularly; be the sole owner of your passwords; avoid using personal information in passwords; create passwords with random keyboard patterns, numbers, and special characters.
- Don’t respond to emails or messages requesting personal or financial information.
- Sending your password in an email is a definite no-no.
- Never give unauthorized persons access to business computers—at the workplace or at home.
- Don’t interact with money-sending instructions in emails.
- Always call clients and vendors to verify any financial/billing changes.
- Choose automatic software updates.
- Back up data to reduce the likelihood of ransomware attacks, and ensure that your backup management is secure. (Often, a company’s most valuable asset is its intellectual property, so a loss in this area can be disastrous.)
- Install/maintain antivirus and anti-spyware software and a firewall on all business computers.
- Secure all WiFi networks and passwords.
- Educate all employees what comprises business information, and the risks in sharing this with anyone.
- Grant administrative privileges only to trusted staff and limit employee access to data systems that are workload-critical.
- Require administrative approval and assistance in any and all downloads by employees.
Circumstances can crop up anywhere at any time if proper and safe sequence and procedures are not planned and followed. We encourage you to learn and use the TapRooT® System to find and fix problems. Attend one of our courses. We offer a basic 2-Day Course and an advanced 5-Day Course. You may also contact us about having a course at your site.