DHS alert: Heartbleed may have been used against industrial control systems

http://www.csmonitor.com/World/Security-Watch/Cyber-Conflict-Monitor/2014/0411/DHS-alert-Heartbleed-may-have-been-used-against-industrial-control-systems



Specifically, there are unconfirmed reports that the Heartbleed cybervulnerability has been used to attack encrypted communications systems of these control systems. DHS is investigating.

DHS alert: Heartbleed may have been used against industrial control systems
By Mark Clayton, Staff writer / April 11, 2014

The threat from the cybervulnerability dubbed Heartbleed reaches well beyond Web businesses and social networks into the industrial systems that power the US economy, apparently including those used to operate the US power grid.

Unconfirmed reports that Heartbleed has already been used to attack encrypted communications systems of US industrial control systems are being investigated, the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) announced in an alert Friday.

“ICS-CERT is aware of reports of attempted exploitation and is in the process of confirming these reports,” read the alert. “ICS-CERT continues to monitor the situation closely and encourages entities to report any and all incidents regarding this vulnerability to DHS.”

At the same time, industrial firewall-maker Innominate Security Technologies AG of Berlin on Friday informed its customers in an e-mail that some of its firmware products used in industrial firewall systems were vulnerable to Heartbleed attacks. Innominate’s industrial firmware is used by several US industrial cybersecurity companies, but it may not be too widespread, some cybersecurity experts said.