Attacking such systems just got easier, for a number of reasons. One is that vulnerabilities are easier to spot. The search engine Shodan, dubbed the "Google for hackers," has made it easy to find turbines, breweries, and large AC systems that shouldn't be connected to the Internet but actually are. One project at the Freie Universität Berlin has enriched the Shodan data and put them on a map. The rationale of this "war map," as project leader Volker Roth called it tongue-in-cheek, is visualizing the threat landscape with colored dots: yellow for building management systems, orange for monitoring systems, and so on. The U.S. eastern seaboard looks like a butt on a paintball range after a busy shooting session.
But so far, attackers have lacked either the necessary skill, intelligence, or malicious intention to use that map as a shooting range. That may be changing. While the more sophisticated ICS attacks are actually harder than meets the eye, many nation states as well as hackers are honing their skills. Some are also busy gathering intelligence; earlier this year, for example, the U.S. Army Corps of Engineers' National Inventory of Dams was breached, possibly from China. And any political crisis may change an attacker's intention and rationale to strike by cyber attack.
All of which keeps the federal government's main organization in charge of critical infrastructure protection busy. ICS-CERT employs between 80 and 100 staff, depending on how many contractors are counted. Three of its activities stand out.
The first is incident response. At the request of asset owners, ICS-CERT can deploy so-called fly-away teams to meet with the affected organization. They'll review network topology, identify infected systems, image drives for analysis, and collect other forensic data. Last year, the government's control-system experts responded to 177 incidents. That included 89 site visits and, in the most extreme cases, 15 deployments of on-site teams to respond to advanced persistent threat incidents in the private sector, the DHS told me. The fly-aways are controversial, with some critics pointing to a lack of focus and a waste of scarce government resources. One prominent critic is Dale Peterson of Digital Bond, a leading consultancy on critical infrastructure protection. "It doesn't scale," he says about the fly-away teams. "It's a band-aid." Still, a band-aid is better than no treatment at all.
The second main activity is keeping the operators vigilant and informed. ICS-CERT does this through vulnerability alerts and advisories: one recent alert, for instance, warned about a range of 300 medical devices that had hard-coded passwords, which could enable an attacker to gain remote access to surgical and anaesthesia devices or drug infusion pumps. A hard-coded password is baked into the firmware, so it is the same on every unit of that model and the hospital that bought the device cannot change it; whoever extracts it once can log in to all of them.
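To make the hard-coded-password problem concrete, here is an added example (not code from the article, ICS-CERT, or any of the vendors named in the alert) in Python. It shows the vulnerable pattern next to a hardened one, plus a small scanner that flags credential-looking strings in a firmware image. The device, the password strings, and the firmware blob are all constructed for illustration.

```python
import hashlib
import hmac
import os
import re

# ---- Vulnerable pattern: one password compiled into every unit (constructed example) ----
MAINTENANCE_PASSWORD = "service1234"  # identical on every shipped device, never changeable

def vulnerable_login(user: str, password: str) -> bool:
    """Anyone who reads this string out of the firmware once can log in to every device."""
    return user == "service" and password == MAINTENANCE_PASSWORD


# ---- Hardened pattern: per-device credential, stored hashed, must be changed before remote use ----
class DeviceAuth:
    ITERATIONS = 100_000  # PBKDF2 work factor; tune for the device's CPU

    def __init__(self, initial_password: str):
        # Assumption: the initial password is unique per unit (e.g. printed on its label),
        # not a constant in the firmware image. Each unit also gets its own random salt.
        self.salt = os.urandom(16)
        self.digest = self._hash(initial_password)
        self.must_change = True

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.ITERATIONS)

    def login(self, password: str) -> bool:
        # Constant-time comparison so timing does not leak how much of the hash matched.
        return hmac.compare_digest(self._hash(password), self.digest)

    def change_password(self, old: str, new: str) -> bool:
        if not self.login(old) or len(new) < 12:
            return False
        self.salt = os.urandom(16)
        self.digest = self._hash(new)
        self.must_change = False
        return True

    def remote_session_allowed(self, password: str) -> bool:
        # Remote access stays closed until the factory credential has been replaced.
        return self.login(password) and not self.must_change


# ---- Audit helper: find credential-looking strings in a firmware image ----
_CRED_RE = re.compile(rb"(?i)(pass(word|wd)?|pwd|secret)\s*[:=]\s*([^\s\x00]{4,})")

def find_hardcoded_credentials(blob: bytes):
    """Return (offset, value) for printable strings that look like 'password=...'."""
    hits = []
    for run in re.finditer(rb"[\x20-\x7e]{6,}", blob):  # printable runs of 6+ bytes
        match = _CRED_RE.search(run.group())
        if match:
            hits.append((run.start(), match.group(3).decode()))
    return hits


# Constructed firmware fragment, not a real image.
SAMPLE_FIRMWARE = b"\x7fELF\x00\x00maint_password=service1234\x00uptime\x00"

if __name__ == "__main__":
    print(find_hardcoded_credentials(SAMPLE_FIRMWARE))  # [(6, 'service1234')]
```

The scanner is deliberately crude: a real audit would also look for base64 blobs, embedded private keys, and default credentials in the device's web or telnet login routines. The point of the hardened class is that a leaked credential is worth one device, not every device of that model.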