On Friday 11 April, the U.S. Department of Homeland Security (DHS) warned that attackers could exploit critical systems that remain unpatched against the vulnerability.
Larry Zelvin, Director of DHS' National Cybersecurity and Communications Integration Center (NCCIC), described the department's efforts to inform the public about the related threats.
“When a cyber security industry report was published three days ago about a vulnerability known as ‘Heartbleed’ – affecting websites, email, and instant messaging – that can potentially impact internet logins and personal information online by undermining the encryption process, the Department's U.S. Computer Emergency Readiness Team (US-CERT) immediately issued an alert to share actionable information with the public and suggested mitigation steps,” Zelvin wrote on a DHS blog.
“Subsequently, our Industrial Control System-Cyber Emergency Response Team (ICS-CERT) published information and reached out to vendors and asset owners to determine the potential vulnerabilities to computer systems that control essential systems – like critical infrastructure, user-facing, and financial systems,” he added.
In a Wednesday alert, ICS-CERT advised critical infrastructure organisations (such as energy, utility and financial services companies) to limit network exposure for all control system devices and to verify that none of them are reachable from the internet. It also told operators to isolate control system networks and devices from their business networks by placing them behind firewalls.
“Any system that may be affected by this vulnerability should regenerate any credential information (secret keys, passwords, etc.) with the assumption that an attacker has already used this vulnerability to obtain those items,” ICS-CERT said.
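ICS-CERT's instruction to assume the secrets are already gone raises two practical questions for an operator with a fleet of devices: which hosts actually carry an affected OpenSSL build, and in what order should the clean-up run so that the newly generated keys are not read back out of the same still-vulnerable process. The helper below is an added example, not code from the article, DHS or ICS-CERT. It classifies an `openssl version` string against the releases that are certain to have shipped the bug (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; the fix shipped in 1.0.1g on 7 April 2014) and emits an ordered remediation plan. The host names, version strings and `built on:` lines in the sample inventory are constructed; the `built on:` parsing assumes the date format that `openssl version -a` prints.

```python
"""Triage helper for the ICS-CERT Heartbleed guidance (added example).

Decides whether a host's OpenSSL is in the affected range and returns the
remediation steps in the order that keeps fresh secrets from leaking through
a daemon that still has the vulnerable library mapped.
"""
from datetime import date, datetime
import re

# Releases that shipped the vulnerable heartbeat handling. Earlier branches
# (0.9.8, 1.0.0) never contained the TLS heartbeat extension code.
AFFECTED_RE = re.compile(r"^OpenSSL (?:1\.0\.1[a-f]?|1\.0\.2-beta1)\b")
FIX_RELEASED = date(2014, 4, 7)  # OpenSSL 1.0.1g release / public disclosure


def parse_built_on(built_on_line):
    """Parse the 'built on: ...' line of `openssl version -a` into a date.

    Returns None when the line carries no usable date (newer builds print
    'reproducible build, date unspecified').
    """
    text = built_on_line.split(":", 1)[1] if ":" in built_on_line else built_on_line
    for fmt in ("%a %b %d %H:%M:%S %Z %Y", "%a %b %d %H:%M:%S %Y"):
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    return None


def classify(version_line, built_on_line=None):
    """Return 'not_affected', 'vulnerable' or 'backport_check'.

    'backport_check' means the version string is in the affected range but the
    binary was built after the fix shipped, so the OS vendor may have
    backported the patch without bumping the version (Debian, Ubuntu and
    Red Hat all did). Treat it as vulnerable until the vendor advisory
    confirms the package is fixed; the version string alone cannot tell you.
    """
    if not AFFECTED_RE.match(version_line.strip()):
        return "not_affected"
    built = parse_built_on(built_on_line) if built_on_line else None
    if built is not None and built >= FIX_RELEASED:
        return "backport_check"
    return "vulnerable"


def remediation_plan(classification, internet_exposed):
    """Ordered steps. Keys, certificates and passwords regenerated before the
    library is replaced and every process using it restarted can be read back
    out of the same heap the attacker was already reading."""
    if classification == "not_affected":
        return []
    steps = []
    if internet_exposed:
        steps.append("restrict exposure: firewall the service off the internet until patched")
    if classification == "backport_check":
        steps.append("confirm fix status against the OS vendor advisory; treat as vulnerable until confirmed")
    steps += [
        "update OpenSSL and restart every process that loaded the old library",
        "generate new private keys and reissue certificates",
        "revoke the old certificates",
        "reset passwords, session tokens and API keys assumed to be captured",
    ]
    return steps


# Constructed sample inventory: (version line, built-on line, internet exposed).
SAMPLE_HOSTS = {
    "hmi-gateway": ("OpenSSL 1.0.1e 11 Feb 2013",
                    "built on: Tue Feb 12 00:00:00 UTC 2013", True),
    "historian": ("OpenSSL 1.0.1e-fips 11 Feb 2013",
                  "built on: Mon Jun  2 19:37:21 UTC 2014", False),
    "legacy-plc-proxy": ("OpenSSL 0.9.8y 5 Feb 2013", None, False),
    "vpn-concentrator": ("OpenSSL 1.0.1g 7 Apr 2014",
                         "built on: Mon Apr  7 21:00:00 UTC 2014", True),
}


def triage(hosts):
    """Map host name -> (classification, ordered remediation steps)."""
    result = {}
    for name, (version_line, built_on_line, exposed) in hosts.items():
        cls = classify(version_line, built_on_line)
        result[name] = (cls, remediation_plan(cls, exposed))
    return result


if __name__ == "__main__":
    for name, (cls, plan) in triage(SAMPLE_HOSTS).items():
        print(f"{name}: {cls}")
        for i, step in enumerate(plan, 1):
            print(f"  {i}. {step}")
```

Run it against the real output of `openssl version -a` on each host; the `built on:` check only narrows the backport question, and the vendor advisory is the authority for packages whose version string was never bumped.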
In a Friday interview with SCMagazine.com, Ernest Wohnig III, SVP of the critical infrastructure security division at Virginia-based consulting firm System 1, discussed the breadth of the Heartbleed bug's impact.
“The OpenSSL code is basically everywhere; it's ubiquitous across the net,” Wohnig said. “We're not just talking about a few customer-facing servers, we are talking about code [impacting] PCs, firewalls and phones, and even some VPN [virtual private network] software. When you start talking about something of that level of exposure and magnitude, it's very concerning,” he said.
Wohnig later added that “your creative adversary could use this effectively, in concert with other techniques, to attack the true crown jewels of operational processes in critical infrastructure.”
This article was first published on the US SC Magazine site.