DHS To Critical Infrastructure Owners: Hold On To Data After Cyber Attack
by Paul Roberts
The Department of Homeland Security is offering organizations that use industrial control systems advice on mitigating the effects of cyber attacks. Among the agency’s recommendations: hold on to data from infected systems and prevent attackers from moving within your organization.
DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published a technical paper on cyber intrusion mitigation strategies on Friday. The document calls on critical infrastructure owners to take a number of steps to thwart attacks, or limit the damage they cause; among them: improving their ability to collect and retain forensic data, and to detect attempts by attackers to move laterally within their organization.
The document, a Technical Information Paper – or TIP, is merely guidance from ICS-CERT to critical infrastructure owners and is targeted at both enterprise and control system networks, DHS said. The agency is responding to a rising drumbeat of news about vulnerabilities in SCADA and ICS software and attacks on industrial control systems (ICS) and SCADA systems in the U.S. and abroad. In recent weeks, the agency has warned of cyber threats to organizations that operate gas distribution pipelines.
The agency’s advice shares similarities with advice offered by consulting firms like Mandiant, which specialize in responding to and cleaning up after so-called Advanced Persistent Threat (APT) style attacks. Critical infrastructure operators are advised to determine the extent of any breach, but not to repair or disinfect compromised systems until they can be studied and analyzed using forensic tools. ICS vendors, for example, are told not to patch or disinfect compromised systems using antivirus software until they have been assessed.
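The "hold on to the data" advice above comes down to a practical step: before anyone patches, wipes or runs antivirus on a compromised host, record what is on it so that later analysis (and any dispute about what cleanup changed) has something to check against. The script below is an added illustration, not code from ICS-CERT or from the paper: it walks a directory, records a SHA-256, size and modification time for every file into a manifest, hashes the manifest itself so the value can be written into chain-of-custody notes, and later reports which files were modified, removed or added. The `demo()` function builds a constructed two-file scenario in a temporary directory; the file names and contents in it are made up for the example.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large evidence files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Snapshot every file under root: relative path -> sha256, size, mtime (epoch seconds)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            manifest[rel] = {
                "sha256": sha256_file(full),
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            }
    return manifest


def manifest_digest(manifest):
    """Hash of the manifest in canonical JSON form, for the custody log."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def verify_manifest(root, manifest):
    """Compare the current tree with the snapshot; returns sorted (finding, path) tuples."""
    current = build_manifest(root)
    findings = []
    for rel, rec in manifest.items():
        if rel not in current:
            findings.append(("missing", rel))
        elif current[rel]["sha256"] != rec["sha256"]:
            findings.append(("modified", rel))
    for rel in current:
        if rel not in manifest:
            findings.append(("added", rel))
    return sorted(findings)


def _write(root, rel, data):
    """Helper for the constructed scenario: write bytes to root/rel, creating directories."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario (not real data): snapshot a host, then see what a premature cleanup changes."""
    root = tempfile.mkdtemp(prefix="evidence-")
    _write(root, "logs/syslog", b"May 14 10:00:01 plc01 sshd: accepted key for operator\n")
    _write(root, "hmi/config.ini", b"[hmi]\nmode=run\n")
    manifest = build_manifest(root)
    before = verify_manifest(root, manifest)  # freshly taken snapshot: no findings
    # What a cleanup run before analysis typically does to evidence:
    # one file rewritten, one log deleted, one new file dropped in.
    _write(root, "hmi/config.ini", b"[hmi]\nmode=safe\n")
    os.remove(os.path.join(root, "logs/syslog"))
    _write(root, "cleanup.log", b"removed 1 file\n")
    after = verify_manifest(root, manifest)
    return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print("manifest digest:", manifest_digest(manifest))
    print("before cleanup:", before)
    print("after cleanup:", after)
```

In practice the manifest and its digest are written to media that the compromised host cannot reach, and a full disk or memory image is taken alongside it; the manifest is the cheap check that tells you whether the image still matches what the responders first saw.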
In the short term, ICS operators are urged to invest in technologies that can pick up the signs of a breach, including IDS (intrusion detection system) and IPS (intrusion prevention system) products. ICS operators should also discontinue practices like credential caching, which stores domain credentials locally on machines, and adopt a “least privilege” model for granting permissions, so that compromised user accounts cannot be used to roam a network or install other, malicious programs on a compromised system.
In the long term, investments in log management technology and application whitelisting programs that can spot unusual patterns of information and lock down user desktops are recommended. ICS operators also need to log and monitor their DNS (Domain Name System) infrastructure more closely to take note of any unusual DNS requests that could identify malware command and control activity.
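To make the DNS recommendation concrete, here is an added example (mine, not ICS-CERT's, and not code from the paper) of the kind of check a log management setup would run over DNS query logs. It parses constructed log lines in an assumed four-field format (timestamp, client IP, queried name, query type), groups queries by registered domain, and flags domains that show two traits often associated with command and control over DNS: many distinct, high-entropy subdomains, and a high share of TXT queries. The thresholds, the `updates-cdn.net` domain and every log line are made up for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not real traffic).
# Assumed format: "<timestamp> <client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
2012-05-14T10:00:01 10.0.5.21 www.example.com A
2012-05-14T10:00:02 10.0.5.21 mail.example.com A
2012-05-14T10:00:03 10.0.5.40 ntp.example.org A
2012-05-14T10:00:04 10.0.5.77 3a7f9c1e2b4d6f8a.updates-cdn.net TXT
2012-05-14T10:00:05 10.0.5.77 9e2d4c6b8a0f1e3d.updates-cdn.net TXT
2012-05-14T10:00:06 10.0.5.77 5b1c3d7e9f2a4c6e.updates-cdn.net TXT
2012-05-14T10:00:07 10.0.5.77 0f8e6d4c2b1a9e7f.updates-cdn.net TXT
2012-05-14T10:00:08 10.0.5.77 7c5a3e1f9d8b6a4c.updates-cdn.net TXT
2012-05-14T10:00:09 10.0.5.21 www.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels of the name. Simplification: ignores suffixes like co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        records.append({"ts": ts, "client": client, "qname": qname, "qtype": qtype.upper()})
    return records


def summarize(records):
    """Per registered domain: query count, unique subdomains, clients, TXT count, entropy sum."""
    stats = {}
    for r in records:
        host = r["qname"].rstrip(".").lower()
        dom = registered_domain(host)
        s = stats.setdefault(dom, {"queries": 0, "subdomains": set(), "clients": set(),
                                   "txt": 0, "entropy_sum": 0.0})
        sub = host[: -len(dom) - 1] if host != dom and host.endswith("." + dom) else ""
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["clients"].add(r["client"])
        if r["qtype"] == "TXT":
            s["txt"] += 1
        leftmost = sub.split(".")[0] if sub else ""
        s["entropy_sum"] += shannon_entropy(leftmost)
    return stats


def find_suspicious(records, min_unique_subdomains=4, min_avg_entropy=3.0,
                    min_queries=4, txt_ratio=0.5):
    """Return alert dicts for domains whose query pattern crosses the (assumed) thresholds."""
    alerts = []
    for dom, s in summarize(records).items():
        avg_entropy = s["entropy_sum"] / s["queries"]
        reasons = []
        if len(s["subdomains"]) >= min_unique_subdomains and avg_entropy >= min_avg_entropy:
            reasons.append(f"{len(s['subdomains'])} unique subdomains, "
                           f"avg label entropy {avg_entropy:.2f} bits")
        if s["queries"] >= min_queries and s["txt"] / s["queries"] >= txt_ratio:
            reasons.append(f"{s['txt']}/{s['queries']} queries are TXT")
        if reasons:
            alerts.append({"domain": dom, "clients": sorted(s["clients"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_log(SAMPLE_LOG)):
        print(alert["domain"], alert["clients"], "; ".join(alert["reasons"]))
```

Against the sample, `example.com` and `example.org` pass quietly while `updates-cdn.net` is reported for one client, with both reasons attached. Real deployments tune the thresholds against a baseline of the site's own traffic, since content delivery networks and some security products also generate long, random-looking labels.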
DHS’s ICS-CERT works with ICS firms and vendors on security issues. It has been in the spotlight ever since the Stuxnet worm started making headlines in the summer of 2010. It has occasionally caused controversy. In September 2011, for example, ICS-CERT director Marty Edwards told attendees at a conference in Washington D.C. that his agency may start treating design-related security flaws differently from coding-related vulnerabilities. Some design-related flaws were “too big” to be described as “vulnerabilities,” he said.