DHS alert: Heartbleed may have been used against industrial control systems
Specifically, there are unconfirmed reports that the Heartbleed cybervulnerability has been used to attack encrypted communications systems of these control systems. DHS is investigating.
The threat from the cybervulnerability dubbed Heartbleed reaches well beyond Web businesses and social networks into the industrial systems that power the US economy, apparently including those used to operate the US power grid.
Unconfirmed reports that Heartbleed has already been used to attack encrypted communications systems of US industrial control systems are being investigated, the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) announced in an alert Friday.
“ICS-CERT is aware of reports of attempted exploitation and is in the process of confirming these reports,” read the alert. “ICS-CERT continues to monitor the situation closely and encourages entities to report any and all incidents regarding this vulnerability to DHS.”
At the same time, industrial firewall-maker Innominate Security Technologies AG of Berlin on Friday informed its customers in an e-mail that some of its firmware products used in industrial firewall systems were vulnerable to Heartbleed attacks. Innominate’s industrial firmware is used by several US industrial cybersecurity companies, but it may not be too widespread, some cybersecurity experts said.
Still, users of the vulnerable versions of the Innominate firmware were “strongly recommended to update the device” with a new, patched version and change the encryption key of the device, the company said in its release.
Among electric utilities, chemical plants, and other critical infrastructure companies using certain encrypted communications to communicate with their most sensitive industrial processes, Heartbleed holds potential to lay bare encrypted communications between the company’s central controllers and vital but often far-flung processes — ranging from substations to refineries to chemical plants.
But at this point, the extent to which vulnerable versions of OpenSSL encryption software have been deployed in industrial settings isn’t clear. The trend in recent years, experts say, has been to replace telephone connections with Internet connections protected by such encryption.
“The impact of the Heartbleed vulnerability on the cyber security of critical infrastructure (where it involves industrial control systems) is minimal,” writes Ralph Langner, an industrial control systems expert who first identified Stuxnet as a cyberweapon, in an e-mail. “The majority of this infrastructure still uses non-encrypted and non-authenticated protocols” — a far worse vulnerability that may nevertheless lower the Heartbleed problem in the pecking order of industrial cybervulnerabilities.
There’s also the question of how widespread the Heartbleed vulnerability is across the industrial control systems landscape. A snapshot of potentially affected Innominate-related equipment using the SHODAN search engine, which indexes industrial control systems, revealed that 1,500 or so systems worldwide are affected, with just over 200 US systems.
That’s not many. Yet it’s too soon to breathe easy, says Robert Radvanovsky, a cybersecurity researcher and co-founder of Infracritical, a think tank focused on shoring up cyberweaknesses in critical infrastructure.
“It’s still very unclear just what type of systems are vulnerable to Heartbleed, and there will be many other systems not listed by SHODAN,” he says. “Right now the numbers look small, but it would be a mistake to take it easy.”
Other cybersecurity researchers in the industrial control system community remain concerned. Compared with the recent worries about the widespread use of the now-vulnerable Windows XP operating system in industrial settings, “this is a bigger deal,” says Adam Crain, a partner in Automatak, a security-focused industrial control system developer in Raleigh, N.C.
He cautions against assuming that the Heartbleed vulnerability is confined, noting that a key protocol used widely in the electric utility industry employs various versions of the OpenSSL protocol.
“I have already found an implementation that uses the affected OpenSSL” software, he says in an e-mail interview. “I suspect many of the implementations will need to be patched.”
Also emerging Friday were reports indicating that nation-states’ intelligence agencies — with their extensive cyberresources — might have known about the vulnerability for some time. This suggested to some that it was used to invade vital systems.
Bloomberg reported Friday that the National Security Agency has been actively exploiting the vulnerability for two years. That report was flatly denied by the Obama Administration in a subsequent New York Times account. Separately, other reports suggested that botnet-based Heartbleed-based attacks may have been ongoing for some time. Such an activity “makes a little more sense for intelligence agencies than for commercial or lifestyle malware developers,” the Electronic Frontier Foundation, a San Francisco-based Internet watchdog group, noted on its website.
If indeed intelligence agencies have been exploiting Heartbleed in industrial systems, it’s a serious issue, even if more obvious vulnerabilities are slathered across the industrial control system space, says Jake Brodsky, a cybersecurity expert who chairs an industrial communications protocol users group.
“I’m not sure of the full extent of this, and, yes, there are lots of people who will say there are bigger problems,” he says. “It’s really unlikely that you’ll see anyone doing this, exploiting OpenSSL in the industrial control systems, except, perhaps, a nation-state. That’s what should worry us.”