Attacks/Breaches
6/29/2012
04:57 PM

U.S. Critical Infrastructure Cyberattack Reports Jump Dramatically

A new report from ICS-CERT shows the number of reported incidents increased from 9 to 198 between 2009 and 2011

U.S. critical infrastructure companies saw a dramatic increase in the number of reported cyber-security incidents between 2009 and 2011, according to a new report from the U.S. Industrial Control System Cyber Emergency Response Team (ICS-CERT).

In 2009, ICS-CERT fielded 9 incident reports. In 2010, that number increased to 41. In 2011, it was 198. Of those 198, seven resulted in the deployment of onsite incident response teams from ICS-CERT, and 21 of the other incidents involved remote analysis efforts by the Advanced Analytics Lab. Incidents specific to the water sector, when added to those that impacted multiple sectors, accounted for more than half of the incidents, largely because independent researchers reported a larger number of Internet-facing control system devices, according to the report.

Though not all of the reports turned out to be actual cyber-attacks, the magnitude of the increase is somewhat surprising, says Kim Legelis, vice president of marketing at Industrial Defender.

"While those of us close to critical infrastructure cyber security were aware of the escalating nature of the threat landscape, the level that this report validates was more severe than expected," she says. "In addition, the report provides a baseline to compare future reports and incidents to in the future."

All totaled, ICS-CERT performed 17 onsite assessments during 2009, 2010 and 2011, including seven last year. The most common attack vector for network intrusion was spear-phishing, which accounted for seven of the 17 incidents. "Sophisticated threat actors" were tied to 11 of the incidents, with the goal in several cases being the theft of data.

"No intrusions were identified directly into control system networks," the report states. "However, given the flat and interconnected nature of many of these organizations' networks, threat actors, once they have gained a presence, have the potential to move laterally into other portions of the network, including the control system, where they could compromise critical infrastructure operations."

Tellingly, in 12 of the 17 cases, implementing security best practices such as login limitations and properly configured firewalls could have deterred the attack, minimized the time it took to detect it, or reduced its impact, ICS-CERT reports. Just last week, ICS-CERT advised that multiple systems "with default usernames and passwords" had been observed accessible via the Internet. Those systems included the Echelon i.LON product, which is deployed in motors, pumps, valves, sensors and other control devices.

According to ICS-CERT, ten organizations in those 17 cases could have detected an intrusion by using ingress/egress filtering of known bad IP addresses or domain names. In three of the 17, asset owners had been notified of a cyber-attack or intrusion by external organizations, and in two additional cases, the incident had been identified by a hired third party such as a consultant or an integrator.
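The ingress/egress filtering ICS-CERT points to works by checking each connection against a list of known bad addresses and domains. The following is an added example written for this page (not code from ICS-CERT or the article) that runs such a check over a constructed flow log with a constructed blocklist; the log format, indicator values and host addresses are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed blocklist for the example (documentation ranges, not real indicators).
BAD_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
BAD_DOMAINS = {"evil-updates.example", "c2.example.net"}

# Constructed flow records: "<time> <direction> <src_ip> <dst_ip> <dst_fqdn or ->"
SAMPLE_LOG = """\
2011-08-01T02:14:05Z OUT 10.10.4.22 203.0.113.45 evil-updates.example
2011-08-01T02:14:09Z OUT 10.10.4.22 192.0.2.10 time.example.org
2011-08-01T02:15:40Z IN 198.51.100.7 10.10.1.5 -
2011-08-01T02:16:02Z OUT 10.10.9.3 192.0.2.55 cdn.c2.example.net
2011-08-01T02:17:11Z OUT 10.10.9.3 192.0.2.80 -
"""

@dataclass
class Alert:
    time: str
    direction: str      # "OUT" (egress) or "IN" (ingress)
    internal_host: str  # the asset owner's host involved in the flow
    indicator: str      # the blocklist entry that matched
    reason: str         # "ip" or "domain"

def match_domain(fqdn):
    """Return the blocklisted domain that fqdn equals or is a subdomain of, else None."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BAD_DOMAINS:
            return candidate
    return None

def match_network(addr):
    """Return the blocklisted network (as a string) containing addr, else None."""
    ip = ipaddress.ip_address(addr)
    return next((str(net) for net in BAD_NETWORKS if ip in net), None)

def scan_flows(log_text):
    """Apply ingress and egress blocklist checks to each flow record and return alerts."""
    alerts = []
    for line in log_text.splitlines():
        time, direction, src, dst, fqdn = line.split()
        # Egress: the external peer is the destination; ingress: it is the source.
        external, internal = (dst, src) if direction == "OUT" else (src, dst)
        net = match_network(external)
        if net:
            alerts.append(Alert(time, direction, internal, net, "ip"))
        elif fqdn != "-" and (dom := match_domain(fqdn)):
            alerts.append(Alert(time, direction, internal, dom, "domain"))
    return alerts
```

Running `scan_flows(SAMPLE_LOG)` flags the two internal hosts talking to blocklisted destinations and the one inbound connection from a blocklisted address, while the benign flows pass.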

"Risk management and assessment is still an art, not a science," says Lamar Bailey, director of security research and development at nCircle. "We need a lot more collaboration between IT and security organizations to dramatically improve the accuracy of risk assessments."

To deal with spear-phishing, Norman Sadeh of Wombat Security Technologies suggests companies develop a security training program that involves sending mock phishing emails to employees.

"At the moment employees fall for the simulated attack, a unique teachable moment is created where the employee is humbled and now open to learning," says Sadeh, chief scientist at Wombat. "Just-in-time training explains what they did wrong, what the criminals are after, and how to avoid similar attacks in the future."
