The threat from the cybervulnerability dubbed Heartbleed reaches well beyond Web businesses and social networks into the industrial systems that power the US economy, apparently including those used to operate the US power grid.
Unconfirmed reports that Heartbleed has already been used to attack encrypted communications systems of US industrial control systems are being investigated, the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) announced in an alert Friday.
“ICS-CERT is aware of reports of attempted exploitation and is in the process of confirming these reports,” read the alert. “ICS-CERT continues to monitor the situation closely and encourages entities to report any and all incidents regarding this vulnerability to DHS.”
At the same time, industrial firewall-maker Innominate Security Technologies AG of Berlin on Friday informed its customers in an e-mail that some of its firmware products used in industrial firewall systems were vulnerable to Heartbleed attacks. Innominate’s industrial firmware is used by several US industrial cybersecurity companies, but it may not be too widespread, some cybersecurity experts said.
Still, users of the vulnerable versions of the Innominate firmware were “strongly recommended to update the device” with a new, patched version and change the encryption key of the device, the company said in its release.
Among electric utilities, chemical plants, and other critical infrastructure companies using certain encrypted communications to communicate with their most sensitive industrial processes, Heartbleed holds potential to lay bare encrypted communications between the company’s central controllers and vital but often far-flung processes – ranging from substations to refineries to chemical plants.
But at this point, the extent to which vulnerable versions of OpenSSL encryption software have been deployed in industrial settings isn’t clear. The trend in recent years, experts say, has been to replace telephone connections with Internet connections protected by such encryption.
“The impact of the Heartbleed vulnerability on the cyber security of critical infrastructure (where it involves industrial control systems) is minimal,” writes Ralph Langner, an industrial control systems expert who first identified Stuxnet as a cyberweapon, in an e-mail. “The majority of this infrastructure still uses non-encrypted and non-authenticated protocols” – a far worse vulnerability that may nevertheless lower the Heartbleed problem in the pecking order of industrial cybervulnerabilities.
There’s also the question of how widespread the Heartbleed vulnerability is across the industrial control systems landscape. A snapshot of potentially affected Innominate-related equipment using the SHODAN search engine, which indexes industrial control systems, revealed that 1,500 or so systems worldwide are affected, with just over 200 US systems.
That’s not many. Yet it’s too soon to breathe easy, says Robert Radvanovsky, a cybersecurity researcher and co-founder of Infracritical, a think tank focused on shoring up cyberweaknesses in critical infrastructure.
“It’s still very unclear just what type of systems are vulnerable to Heartbleed, and there will be many other systems not listed by SHODAN,” he says. “Right now the numbers look small, but it would be a mistake to take it easy.”
Other cybersecurity researchers in the industrial control system community remain concerned. Compared with the recent worries about the widespread use of the now-vulnerable Windows XP operating system in industrial settings, “this is a bigger deal,” says Adam Crain, a partner in Automatak, a security-focused industrial control system developer in Raleigh, N.C.
He cautions against assuming that the Heartbleed vulnerability is confined, noting that a key protocol used widely in the electric utility industry employs various versions of the OpenSSL protocol.
“I have already found an implementation that uses the affected OpenSSL” software, he says in an e-mail interview. “I suspect many of the implementations will need to be patched.”
Also emerging Friday were reports indicating that nation-states’ intelligence agencies – with their extensive cyberresources – might have known about the vulnerability for some time. This suggested to some that it was used to invade vital systems.
Bloomberg reported Friday that the National Security Agency has been actively exploiting the vulnerability for two years. That report was flatly denied by the Obama Administration in a subsequent New York Times account. Separately, other reports suggested that botnet-based Heartbleed-based attacks may have been ongoing for some time. Such an activity “makes a little more sense for intelligence agencies than for commercial or lifestyle malware developers,” the Electronic Frontier Foundation, a San Francisco-based Internet watchdog group, noted on its website.
If indeed intelligence agencies have been exploiting Heartbleed in industrial systems, it’s a serious issue, even if more obvious vulnerabilities are slathered across the industrial control system space, says Jake Brodsky, a cybersecurity expert who chairs an industrial communications protocol users group.
“I’m not sure of the full extent of this, and, yes, there are lots of people who will say there are bigger problems,” he says. “It’s really unlikely that you’ll see anyone doing this, exploiting OpenSSL in the industrial control systems, except, perhaps, a nation-state. That’s what should worry us.”