The Cyber Risk Report For June 29 to July 5 covered the story of an insider attack at a Dallas, Texas (United States) hospital. The attacker, Jesse “GhostExodus” McGraw, allegedly was able to leverage his position as a night security guard at the hospital to gain physical access to heating, ventilation, and cooling (HVAC) control systems and manipulate those systems. The intrusion was discovered when security researcher Robert Wesley McGrew from Mississippi State University discovered screenshots taken from the control systems. McGrew approached the United States Federal Bureau of Investigation (FBI) with this evidence, who then took action against the security guard. The guard was recently indicted by the FBI under felony charges of “transmitting a malicious code” according to the Department of Justice press release.
McGrew, a supervisory control and data acquisition (SCADA) systems security researcher, realized the seriousness of the threat, leading to the notification of law enforcement authorities of his findings. Significant danger to the facility could have occurred if the HVAC infrastructure could have been changed in such a way to compromise pharmaceutical storage or stress the health of patients within the medical facility.Even when considering that the guard had physical access to some areas of the hospital, how was he able to accomplish this intrusion? Was this the result of weak hiring processes? Should McGraw not have been hired? And what lessons can we learn from this intrusion so that the incident is not repeated?
First, it is unlikely that rooms where the facility’s SCADA systems are kept had separate lock or card access, and may not have had accounting of who gained access to those rooms and when. Businesses are advised to carefully restrict access to rooms containing control systems, and maintain records of room access. Access records both serve as a deterrent of activity and provide identification after an incident may occur. Employees may be less likely to perform attacks in areas they know are being watched.
Access to SCADA control systems should also be taken into account as part of the security checks during the hiring processes and contracting services. The systems may not be accounted for when assigning access controls, potentially granting contracted employees too much access as a result. Businesses are also advised to carefully vet contracted security companies and their employees, or otherwise insulate access where necessary.
Although at an additional cost, increasing the number of security guards may introduce a system of checks where security guards can watch one another. By rotating a series of guards, the opportunity for improper activity is reduced, and the likelihood of the guards cooperating in order to take advantage of their access is reduced. A rotation and increased number of guards reduces the chance that one individual can conduct attacks.
Businesses should also regularly test their own security systems. By performing penetration tests and security assessments, sites can check their defenses against both insider threats and external attacks. Defense exercises can help identify likely vectors or gaps in defenses, and determine the viability of in-place defenses against common attacks. Physical security tests, along with network security testing, should be part of regular evaluations.
Physical threats to SCADA control systems should be taken just as seriously as threats to other exposed systems in common areas. Even if secured behind locked doors, physical threats to these systems are present, as demonstrated by the efforts of Mr. McGraw. Because these systems are often locked away, disconnected from the network, and out of sight, it is all too easy to forget about them. We should be well served to keep them in mind.
Thanks to Wesley McGrew for his comments, as well as input from colleagues within Cisco.