Newspaper article The Christian Science Monitor

DHS Alert: Heartbleed May Have Been Used against Industrial Control Systems

Article excerpt

The threat from the cybervulnerability dubbed Heartbleed reaches well beyond Web businesses and social networks into the industrial systems that power the US economy, apparently including those used to operate the US power grid.

Unconfirmed reports that Heartbleed has already been used to attack encrypted communications systems of US industrial control systems are being investigated, the US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) announced in an alert Friday.

"ICS-CERT is aware of reports of attempted exploitation and is in the process of confirming these reports," read the alert. "ICS-CERT continues to monitor the situation closely and encourages entities to report any and all incidents regarding this vulnerability to DHS."

At the same time, industrial firewall-maker Innominate Security Technologies AG of Berlin on Friday informed its customers in an e-mail that some of its firmware products used in industrial firewall systems were vulnerable to Heartbleed attacks. Innominate's industrial firmware is used by several US industrial cybersecurity companies, but it may not be too widespread, some cybersecurity experts said.

Still, users of the vulnerable versions of the Innominate firmware were "strongly recommended to update the device" with a new, patched version and change the encryption key of the device, the company said in its release.

Among electric utilities, chemical plants, and other critical infrastructure companies using certain encrypted communications to communicate with their most sensitive industrial processes, Heartbleed holds potential to lay bare encrypted communications between the company's central controllers and vital but often far-flung processes - ranging from substations to refineries to chemical plants.

But at this point, the extent to which vulnerable versions of OpenSSL encryption software have been deployed in industrial settings isn't clear. The trend in recent years, experts say, has been to replace telephone connections with Internet connections protected by such encryption.

"The impact of the Heartbleed vulnerability on the cyber security of critical infrastructure (where it involves industrial control systems) is minimal," writes Ralph Langner, an industrial control systems expert who first identified Stuxnet as a cyberweapon, in an e-mail. "The majority of this infrastructure still uses non-encrypted and non-authenticated protocols" - a far worse vulnerability that may nevertheless lower the Heartbleed problem in the pecking order of industrial cybervulnerabilities.

There's also the question of how widespread the Heartbleed vulnerability is across the industrial control systems landscape. A snapshot of potentially affected Innominate-related equipment using the SHODAN search engine, which indexes industrial control systems, revealed that 1,500 or so systems worldwide are affected, with just over 200 US systems. …
