CSET™ Version 4.0.1 Available for Download

The Cyber Security Evaluation Tool (CSETTM) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets.

The Department of Homeland Security (DHS) Control Systems Security Program (CSSP) has released an interim Version 4.0.1 of the Cyber Security Evaluation Tool (CSET™). This new version of the tool can be downloaded from the CSSP website:

http://us-cert.gov/control_systems/satool.html.

This interim Version 4.0.1 release addresses some minor issues identified in report formatting and corrects a problem with Zone Security Assurance Level (SAL) calculations.

Additionally, this release incorporates a new sub-report to isolate and show user comments in a single location, includes modifications to clarify how firewall analysis is performed, and improves upon the gap analysis for pass/fail standards.

Purpose of CSET

CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards.

The output from CSET is a prioritized list of recommendations for improving the cybersecurity posture of the organization's enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cybersecurity standards, guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls.

CSET has been designed for easy installation and use on a stand-alone laptop or workstation. It incorporates a variety of available standards from organizations such as National Institute of Standards and Technology (NIST), North American Electric Reliability Corporation (NERC), International Organization for Standardization (ISO), U.S. Department of Defense (DoD), and others.

When the tool user selects one or more of the standards, CSET will open a set of questions to be answered. The answers to these questions will be compared against a selected security assurance level, and a detailed report will be generated to show areas for potential improvement. CSET provides an excellent means to perform a self-assessment of the security posture of your control system environment.

Key Benefits of CSET

• CSET contributes to an organization's risk management and decision-making process
• Raises awareness and facilitates discussion on cybersecurity within the organization
• Highlights vulnerabilities in the organization's systems and provides recommendations on ways to address the vulnerability
• Identifies areas of strength and best practices being followed in the organization
• Provides a method to systematically compare and monitor improvement in the cyber systems
• Provides a common industry-wide tool for assessing cyber systems

DHS and FBI have disputed that the Springfield, Illinois incident was a cyberattack

Apparent cyberattack destroys pump at Illinois water utility

A pump at a public water utility in Springfield, Illinois was destroyed after cyberattackers gained access to a SCADA system controlling the device, according to a security expert who obtained an official report on the incident.

CS-CERT has released the following statement saying that DHS and FBI have disputed that the Springfield, Illinois incident was a cyberattack.

ICS-CERT is assisting the FBI to gather more information about the separate Houston incident.

>UPDATE - Recent Incidents Impacting Two Water Utilities
ICSJWG Communications [ICSJWG.Communications@HQ.DHS.GOV]

Greetings:

After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.

There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported. Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.

In a separate incident, a hacker recently claimed to have accessed an industrial control system responsible for water supply at another U.S. utility. The hacker posted a series of images allegedly obtained from the system. ICS-CERT is assisting the FBI to gather more information about this incident.

ICS-CERT has not received any additional reports of impacted manufacturers of ICS or other ICS related stakeholders related to these events. If DHS ICS-CERT identifies any information about possible impacts to additional entities, it will disseminate timely mitigation information as it becomes available. ICS-CERT encourages those in the industrial control systems community who suspect or detect any malicious activity against/involving control systems to contact ICS-CERT.

Regards,

ICS-CERT
E-mail: ics-cert@dhs.gov
Toll Free: 1-877-776-7585
For CSSP Information and Incident Reporting: www.ics-cert.org

Department of Homeland Security (DHS) Cyber Security Audit FAIL

The DHS US-CERT office is currently plagued by at least 600 vulnerabilities

A new report warns that the Department of Homeland Security (DHS) is falling short on some cybersecurity protocols.

The news of cybersecurity shortcomings at the agency are more than slightly concerning, as DHS has been tapped to lead information security efforts nationally for both the public and private sectors.

The report, titled DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems, indicates that the DHS has failed a security audit conducted by the agency's own Inspector General:

The objective of our audit was to determine whether adequate physical and logical access controls are in place to secure the cybersecurity program systems utilized by US-CERT and safeguard the data collected and disseminated by US-CERT. Specifically, we:

• Determined what and how cybersecurity data is collected and maintained by US-CERT
  
  
• Evaluated the adequacy of physical security controls implemented to protect NCSD’s cybersecurity program systems
  
  
• Determined whether US-CERT has implemented effective system security controls to safeguard the confidentiality, integrity, and availability of cybersecurity data.
  
  
• Determined whether the system documentation for DHS’ cybersecurity program systems has been completed in compliance with DHS and FISMA requirements

"Adequate security controls have not been implemented on the [Mission Operating Environment] to protect the data processed from unauthorized access, use, disclosure, disruption, modification, or destruction," the IG concluded.
The report indicates the DHS US-CERT is grappling with more than six hundred network vulnerabilities, with more two-hundred of them having been identified as critical.

"The results of our vulnerability assessments revealed that [National Cyber Security Division] is not applying timely security and software patches on the [Mission Operating Environment]," the report continued.

DHS indicated that the agency has implemented "a software management tool [to] automatically deploy operating-system and application-security patches and updates to mitigate current and future vulnerabilities," according to a statement by DHS spokeswoman Amy Kudwa.

US-CERT: Security Recommendations to Prevent Cyber Intrusion

Good practice guidelines to prevent cyber intrusion attacks

US-CERT is providing this Technical Security Alert in response to recent, well-publicized intrusions into several government and private sector computer networks. Network administrators and technical managers should not only follow the recommended security controls information systems outlined in NIST 800-53 but also consider the following measures. These measures include both tactical and strategic mitigations and are intended to enhance existing security programs.

Recommendations

• Deploy a Host Intrusion Detection System (HIDS) to help block and identify common attacks.
• Use an application proxy in front of web servers to filter out malicious requests.
• Ensure that the "allow URL_fopen" is disabled on the web server to help limit PHP vulnerabilities from remote file inclusion attacks.
• Limit the use of dynamic SQL code by using prepared statements, queries with parameters, or stored procedures whenever possible. Information on SQL injections is available at http://www.us-cert.gov/reading_room/sql200901.pdf.
• Follow the best practices for secure coding and input validation; use the secure coding guidelines available at: https://www.owasp.org/index.php/Top_10_2010 and https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/coding/305-BSI.html.
• Review US-CERT documentation regarding distributed denial-of-service attacks: http://www.us-cert.gov/cas/tips/ST04-015.html and http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf.
• Disable active scripting support in email attachments unless required to perform daily duties.
• Consider adding the following measures to your password and account protection plan.

Use a two factor authentication method for accessing privileged root level accounts.

Use minimum password length of 15 characters for administrator accounts.

Require the use of alphanumeric passwords and symbols.

Enable password history limits to prevent the reuse of previous passwords.

Prevent the use of personal information as password such as phone numbers and dates of birth.

Deploy NTLMv2 as the minimum authentication method and disable the use of LAN Managed passwords.

Use minimum password length of 8 characters for standard users.

Disable local machine credential caching if not required through the use of Group Policy Object (GPO).

Deploy a secure password storage policy that provides password encryption.

• If an administrator account is compromised, change the password immediately to prevent continued exploitation. Changes to administrator account passwords should only be made from systems that are verified to be clean and free from malware.
• Implement guidance and policy to restrict the use of personal equipment for processing or accessing official data or systems (e.g., working from home or using a personal device while at the office).
• Develop policies to carefully limit the use of all removable media devices, except where there is a documented valid business case for its use. These business cases should be approved by the organization with guidelines for their use.
• Implement guidance and policies to limit the use of social networking services at work, such as personal email, instant messaging, Facebook, Twitter, etc., except where there is a valid approved business case for its use.
• Adhere to network security best practices. See http://www.cert.org/governance/ for more information.
• Implement recurrent training to educate users about the dangers involved in opening unsolicited emails and clicking on links or attachments from unknown sources. Refer to NIST SP 800-50 for additional guidance.
• Require users to complete the agency's "acceptable use policy" training course (to include social engineering sites and non-work related uses) on a recurring basis.
• Ensure that all systems have up-to-date patches from reliable sources. Remember to scan or hash validate for viruses or modifications as part of the update process.

Researcher discovered ABB-branded transformer running an electricity substation

SCADA equipment Google-able

Most SCADA protocols do not use encryption or authentication, and they don't have access control built into them or into the device itself. This means that when a PLC has a web server, and is connected to the internet, anyone who can discover the internet protocol (IP) address can send commands to the device, and the commands will be performed.

If that RTU or PLC has large motors connected to it, pumping out water or chemicals, the equipment could be turned off. If it was a substation and the power re-closer switches were closed, we could break it open and create an [electricity] outage for an entire area or city. The bottom line is you could cause physical damage to whatever is connected to that PLC.

While SCADA security has been an issue for decades, as legacy systems have been connected to the internet and remote technologies have emerged, with the emergence of Stuxnet, a worm that spreads via holes in Windows, but specifically targets Siemens SCADA systems and uses other sophisticated methods. Experts theorise that Stuxnet was designed to sabotage Iran's nuclear development program.

However, Stuxnet has raised awareness in the general public and within companies running critical infrastructure systems, and scared some of them enough to beef up their security. Stuxnet created an interest in the community to learn more about vulnerabilities and SCADA systems. We've seen direct impact in our customers being able to get funding to secure their SCADA systems.

While Stuxnet appears to have run its course and had minimal impact, SCADA systems are at risk from vulnerabilities and exploits in general, the US ICS-CERT (Industrial Control System Computer Emergency Response Team).

Not only are Supervisory Control and Data Acquisition (SCADA) systems used to run power plants and other critical infrastructure lacking many security precautions to keep hackers out, operators also sometimes practically advertise their wares on Google search, according to a demo held yesterday during a Black Hat conference workshop.