Two Overlooked Cyber Risks
By Jeremiah Talamantes, RedTeam Security
Electric utilities have a wide range of new cyber threats that require active planning, from phishing attacks on employees to advanced malware like Black Energy to vulnerabilities in their supply chain. There is one risk that is often overlooked: open source intelligence or OSINT.
OSINT is a term used to describe online reconnaissance methods used by criminal hackers to glean highly sensitive information from a target (such as a power grid operator) without having to actually break into the computer network. This information may include data files accidentally uploaded to the public Web, back-end Web pages indexed on public search engines, or industrial control system (ICS) devices with Internet connectivity.
Figure: This screenshot doesn't show any ICS systems, but illustrates an example of Shodan. It shows a camera that has been compromised, probably with just default credentials, and is pointed at a server room. Anyone can view the camera.
For cybercriminals, OSINT can be an easy way to steal information from a company or to find a vulnerability that will enable him or her to breach the computer network or industrial control system.
Figure: Visual map of all SCADA systems recognized by Shodan. You can zoom in and click on any of the little dots to find out more information (i.e., IP address, firmware, location, etc.).
A good example of the threat posed by OSINT is the 2013 hack of a New York dam. In that case, an Iranian hacker used advanced Web search techniques to locate a vulnerable network port on the dam, which then allowed him to gain remote access to its sluice gate controls. Fortunately, the dam’s systems were taken offline for routine maintenance, but had they not been, the hacker might have been able to sabotage it.
Figure: This screenshot shows a basic query for SCADA systems within Shodan. There are thousands of pages of these results.
Power grid owners/operators expose themselves to such risk in a few ways: (1) by allowing ICS devices to connect to the public Web; (2) by failing to patch security vulnerabilities in any system or device with a public Web connection; and (3) by accidentally storing sensitive data files on, or linking them to, the Internet.
Utility executives should know the following about OSINT risk:
1. Online Reconnaissance
Just as military planners engage in aerial reconnaissance before launching an attack, or burglars may case a store before breaking in, cybercriminals also do their own form of pre-planning, through online reconnaissance.
Online reconnaissance can involve a variety of activities, but typically criminal hackers rely on “Google dorking,” or advanced queries in a public search engine like Google, and a specialized ICS search engine known as Shodan.
What criminal hackers are looking for is any type of information that will make their jobs easier. For instance, state-sponsored hacking groups ultimately want to gain a foothold on the internal systems of power grid operators, so they will hunt for any vulnerable network devices that are exposed to the Internet. Financially motivated cybercriminals may search for employee email lists in order to carry out phishing campaigns; they could even try to find quarterly earnings reports before they are officially announced. Hacktivists may look for any private information on company executives they could use for “doxing” purposes.
The bottom line for grid operators is that online reconnaissance is widely used by criminal hackers. This type of probing is conducted against your organization every week, if not every day.
2. Google Dorking
Advanced queries in a public search engine like Google or Bing will bring up all sorts of data that companies don’t even realize has been publicly exposed.
Known as Google dorking, this method is widely used by almost every type of hacker, from the highly sophisticated state-sponsored teams to bored teenagers working from home basements. Dorking is a technique that has been around for many years, and there are numerous online tutorials and resources that can help.
Here are two examples of Google dorks for SCADA systems:
intitle:"Miniweb Start Page"
Electric grid operators need to be cognizant of this risk because Google dorking could be used to locate a wide range of sensitive data on their organizations, such as network configurations, settings and software versions, personnel records, username/password lists and bank account details. While the real threat from Google dorking comes from the more advanced groups like nation-state hackers and organized crime, who may use this information to attack the network, executives should not discount the potential for harm by low-level attackers as well, particularly if they can retrieve sensitive company documents that have been accidentally indexed on public search engines.
3. Shodan
Over the last 10 years, a number of online tools and resources have become available for security researchers and hackers. One of the most significant of these for the U.S. energy sector is Shodan (www.shodan.io).
Shodan is a specialized search engine that allows anyone to look for Internet-connected devices at industrial facilities and other businesses. These devices include ICS equipment, routers, servers and much more. This makes it extremely easy for a cybercriminal to see an electric operator’s exposed online footprint and any vulnerabilities it may have within its network.
In fact, a 2015 study by Kaspersky Lab found that U.S. industrial operators are widely exposed to the Internet because of ICS devices. Using Shodan, the researchers found that 30.5 percent of all discovered ICS devices worldwide were traced back to U.S. critical infrastructure companies (more than twice the share of the next-highest country, Germany). In addition, 92 percent of these ICS devices used insecure protocols, making them vulnerable to hackers.
Shodan is constantly indexing the world’s connected devices, so expect that any errant exposure at your facility will be captured in real time by this service.
4. Information Auditing
Power grid operators need to conduct thorough information audits to determine exactly how their operations are exposed to the Internet and to eliminate this type of open source data as much as possible.
The first step is to identify your company’s most important assets. What types of data, if they fell into the wrong hands, would seriously damage your organization?
There are many types of company data that should not be discoverable on the public Internet, from executives' email addresses to the software version of an ICS device. In order to make this process more manageable, however, companies should focus their efforts initially on the most severe online exposures. This includes anything that would enable an attacker to: (1) breach the network, (2) take over financial accounts, (3) steal the identities of customers or employees, or (4) in some other way harm the company's critical operations.
To this end, electric grid operators will be looking for such things as: publicly discoverable ICS devices with unpatched security flaws or other known vulnerabilities; network settings and other technical details; usernames/passwords; employee or customer personally identifiable information (PII); and bank account details.
The information audit should be conducted by an internal or external team that is well versed in both Google dorking techniques and the Shodan search engine, as they will need to simulate the range of advanced queries that could be run against the organization. Using Google dorks, they will want to check for discoverable files such as Microsoft Word, Excel, email, database and text files, which are often associated with data caches, and for key terms like "SSN," "admin," "password," etc. They should also run the dork query sets that identify website vulnerabilities such as code injection flaws. Using Shodan, the team will want to check for exposed devices running insecure protocols (e.g., HTTP, Modbus, Siemens S7, EtherNet/IP, DNP3), outdated versions of software or firmware, and so on.
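The Shodan part of the audit can be turned into a repeatable check. The following Python script is an added example (not the author's or RedTeam Security's code) that runs over an export of search results for the utility's own address space and flags every in-scope service on a port belonging to one of the insecure protocols the article names. Assumptions: the export is a list of records with the keys ip_str, port, transport, product and version (loosely modelled on a Shodan JSON download, which carries many more fields in practice); the utility's public ranges are the documentation networks 203.0.113.0/24 and 198.51.100.0/25; and every record below is constructed sample data, not a real host.

```python
"""Exposure audit over a Shodan-style export (added example, not from the article)."""
import ipaddress
from collections import Counter

# Well-known TCP ports for the insecure protocols the article lists.
INSECURE_PROTOCOLS = {
    80: "HTTP (cleartext web interface)",
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Assumption: the utility's own public address space (IANA documentation ranges).
OWN_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("198.51.100.0/25")]

# Constructed sample export; none of these are real devices.
SAMPLE_EXPORT = [
    {"ip_str": "203.0.113.10", "port": 502, "transport": "tcp", "product": "Modbus", "version": ""},
    {"ip_str": "203.0.113.11", "port": 443, "transport": "tcp", "product": "nginx", "version": "1.24.0"},
    {"ip_str": "203.0.113.12", "port": 102, "transport": "tcp", "product": "Siemens S7-300", "version": "3.2.6"},
    {"ip_str": "198.51.100.7", "port": 80, "transport": "tcp", "product": "Miniweb", "version": ""},
    {"ip_str": "192.0.2.44", "port": 20000, "transport": "tcp", "product": "DNP3", "version": ""},  # not our range
    {"ip_str": "203.0.113.10", "port": 22, "transport": "tcp", "product": "OpenSSH", "version": "8.9"},
]


def in_scope(ip: str) -> bool:
    """True when the address falls inside one of the utility's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWN_RANGES)


def audit(records):
    """Return findings for in-scope TCP services on insecure-protocol ports, highest priority first."""
    findings = []
    for rec in records:
        if not in_scope(rec["ip_str"]):
            continue  # someone else's exposure; outside this audit
        if rec.get("transport", "tcp") != "tcp":
            continue
        proto = INSECURE_PROTOCOLS.get(rec["port"])
        if proto is None:
            continue  # not one of the protocols we are auditing for
        findings.append({
            "ip": rec["ip_str"],
            "port": rec["port"],
            "protocol": proto,
            "product": rec.get("product", ""),
            "version": rec.get("version", ""),
            # An ICS protocol reachable from the Internet is a direct breach path;
            # a cleartext web interface is serious but reviewed second.
            "priority": "high" if rec["port"] != 80 else "medium",
        })
    findings.sort(key=lambda f: (f["priority"] != "high", f["ip"], f["port"]))
    return findings


def summarize(findings):
    """Count findings per protocol, for the audit report."""
    return Counter(f["protocol"] for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_EXPORT)
    for f in results:
        print(f"[{f['priority']:6}] {f['ip']}:{f['port']} {f['protocol']} {f['product']} {f['version']}".rstrip())
    print(summarize(results))
```

The out-of-scope record is deliberately dropped: an audit is about the organization's own footprint, and results belonging to other networks should not be touched. Each finding carries the product and version strings so the remediation team can cross-check them against vendor advisories, as the next section recommends.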
5. Recommended Mitigation Steps
Due to the high risk of network compromises from unsecured ICS devices and sensitive information disclosures, it is critical for all electric grid operators to be aggressive with remediating any found exposures and to prevent these from occurring in the first place.
The first priority is the ICS devices themselves. If the security team discovers any vulnerable network points that have been exposed to the public Web, it should immediately attempt to disconnect those devices or disable remote access functions (unless this would pose a direct threat to critical operations at the facility). The security team should then review those devices, and any other networks or systems they were connected to within the company, for evidence of intrusions or malware. If no anomalous activity is found, the devices should be updated to the latest software/firmware versions and reconnected to the company's network. Ideally, ICS equipment should be air-gapped from the Internet, with remote access or any other Web connectivity permanently disabled. If, however, the devices must have Web connectivity, it is imperative that their settings be changed to make them as secure as possible.
In addition, companies need to be more proactive about securing new ICS devices from the moment they are added to the network. The security team should evaluate all ICS products to check for any known common vulnerabilities and exposures (CVE) and ICS-CERT device warnings, as well as the manufacturer’s security track record and current security processes. All ICS devices should be actively monitored by the internal or external security teams on an ongoing basis to check for any signs of unusual activity.
When sensitive company data is discovered through Google dork audits, the security team should immediately disable the URLs for those documents or Web pages. Depending on the type or extent of disclosed information, the company also might want to consider taking the entire public-facing website offline until it has been fully cleansed of all sensitive data. Strict security policies and a review process should be in place whenever adding new sensitive data files to the company’s website or intranet sites to ensure that the information is properly protected against unauthorized access.
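The review process this paragraph calls for can be partly automated as a pre-publication gate. The Python script below is an added example (not the author's or RedTeam Security's code) that scans text destined for the public website for the categories the audit section lists: Social Security numbers, credentials, bank account details, internal network addresses and employee email lists, and blocks any file with a high-severity hit or one that looks like a staff directory. Assumptions: document contents have already been extracted to plain text (for example from Word, Excel or PDF), the utility's mail domain is example.com, internal addresses are the RFC 1918 ranges, and all sample documents are constructed.

```python
"""Pre-publication sensitive-data check (added example, not from the article)."""
import ipaddress
import re

COMPANY_DOMAIN = "example.com"  # assumption: the utility's own mail domain

# Assumption: internal addressing uses the RFC 1918 ranges; one of these in a
# public document is the kind of "network settings" leak the article describes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PATTERNS = {
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "high"),
    "credential": (re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"), "high"),
    "bank_account": (re.compile(r"(?i)\b(?:routing|account)\s*(?:no\.?|number|#)\s*[:=]?\s*\d{6,}"), "high"),
    "internal_ip": (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "medium"),
    "company_email": (re.compile(r"[\w.+-]+@" + re.escape(COMPANY_DOMAIN) + r"\b", re.I), "low"),
}
EMAIL_DIRECTORY_THRESHOLD = 5  # this many company addresses in one file looks like a staff list


def is_internal_ip(text):
    """True only for addresses inside the internal ranges; public addresses are ignored."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def scan_text(name, text):
    """Return one finding per pattern hit: file, line number, kind, severity and matched text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, (rx, severity) in PATTERNS.items():
            for m in rx.finditer(line):
                if kind == "internal_ip" and not is_internal_ip(m.group(0)):
                    continue  # a public address on its own is not a leak
                findings.append({"file": name, "line": lineno, "kind": kind,
                                 "severity": severity, "match": m.group(0)})
    return findings


def review(documents):
    """Decide which files may go to the website. Any high-severity hit blocks a file,
    as does a file that reads like an employee email directory."""
    findings = []
    for name, text in documents.items():
        findings.extend(scan_text(name, text))
    blocked = {f["file"] for f in findings if f["severity"] == "high"}
    for name in documents:
        n_emails = sum(1 for f in findings if f["file"] == name and f["kind"] == "company_email")
        if n_emails >= EMAIL_DIRECTORY_THRESHOLD:
            blocked.add(name)
    return {"approved": sorted(set(documents) - blocked),
            "blocked": sorted(blocked),
            "findings": findings}


# Constructed sample documents awaiting publication; all values are made up.
SAMPLE_DOCUMENTS = {
    "press_release.txt": "Example Energy reports Q3 results. Contact: media@example.com\n",
    "site_notes.txt": "Historian at 10.20.30.40, login admin password=sample-secret\nBackup NAS 10.20.30.41\n",
    "staff_list.txt": "\n".join(f"user{i}@example.com" for i in range(6)) + "\n",
    "hr_form.txt": "Employee SSN: 123-45-6789\n",
    "vendor_payment.txt": "Wire to account number 000111222333\n",
}

if __name__ == "__main__":
    result = review(SAMPLE_DOCUMENTS)
    for f in result["findings"]:
        print(f"{f['severity']:6} {f['file']}:{f['line']} {f['kind']} -> {f['match']}")
    print("approved:", result["approved"])
    print("blocked: ", result["blocked"])
```

A single press contact address is allowed through, while six addresses in one file are treated as a directory that would feed a phishing campaign. The same scan, pointed at a crawl of what is already published, gives the "Google dork audit" view of the site without depending on what a search engine has indexed so far.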
Power grid owners/operators cannot afford to overlook the security risks posed by open source intelligence leaks. The electric industry has many types of sensitive data that might find their way onto the public Web, from connected ICS devices to personnel records. If left unaddressed, these unintentional disclosures can expose the company to cyberattacks and data theft. By engaging in regular information audits, remediation and proactive security planning, electric utilities can dramatically reduce their risk.
Jeremiah Talamantes, managing partner of RedTeam Security, is a cybersecurity advisor to the energy sector and other critical infrastructure industries. His company provides penetration testing, social engineering and red teaming services to test the security of power grid companies' front-office computer networks, industrial control systems and physical security protections against real-world criminal attack scenarios, ranging from cyberattacks and insider threats to physical intrusions. Jeremiah has over 20 years of experience in the IT security industry. He is an adjunct professor at Norwich University and author of "The Social Engineer's Playbook: A Practical Guide to Pretexting." Learn more at www.redteamsecure.com.