
U.S. Critical Infrastructure Cyberattack Reports Jump Dramatically

A new report from ICS-CERT shows the number of reported incidents increased from 9 to 198 between 2009 and 2011

U.S. critical infrastructure companies saw a dramatic increase in the number of reported cyber-security incidents between 2009 and 2011, according to a new report from the U.S. Industrial Control System Cyber Emergency Response Team (ICS-CERT).

In 2009, ICS-CERT fielded 9 incident reports. In 2010, that number increased to 41. In 2011, it was 198. Of those 198, seven resulted in the deployment of onsite incident response teams from ICS-CERT, and 21 of the other incidents involved remote analysis efforts by the Advanced Analytics Lab. Incidents specific to the water sector, combined with those that affected multiple sectors, accounted for more than half of the total, a share the report attributes to the large number of Internet-facing control system devices reported by independent researchers.

Though not all of the reports turned out to be actual cyber-attacks, the magnitude of the increase is somewhat surprising, says Kim Legelis, vice president of marketing at Industrial Defender.

"While those of us close to critical infrastructure cyber security were aware of the escalating nature of the threat landscape, the level that this report validates was more severe than expected," she says. "In addition, the report provides a baseline to compare future reports and incidents to in the future."

All told, ICS-CERT performed 17 onsite assessments during 2009, 2010 and 2011, including seven last year. The most common attack vector for network intrusion was spear-phishing, which accounted for seven of the 17 incidents. "Sophisticated threat actors" were tied to 11 of the incidents, with the goal in several cases being the theft of data.

"No intrusions were identified directly into control system networks," the report states. "However, given the flat and interconnected nature of many of these organizations' networks, threat actors, once they have gained a presence, have the potential to move laterally into other portions of the network, including the control system, where they could compromise critical infrastructure operations."

Tellingly, in 12 of the 17 cases, implementing security best practices such as login limitations and properly configured firewalls could have deterred the attack, minimized the time it took to detect it or reduced its impact, ICS-CERT reports. Just last week, ICS-CERT advised that multiple systems "with default usernames and passwords" had been observed accessible via the Internet. Those systems included the Echelon i.LON product, which is deployed in motors, pumps, valves, sensors and other control devices.

According to ICS-CERT, ten of the organizations in those 17 cases could have detected an intrusion by using ingress/egress filtering of known bad IP addresses or domain names. In three of the 17, asset owners had been notified of a cyber-attack or intrusion by external organizations, and in two additional cases, the incident had been identified by a hired third party such as a consultant or an integrator.
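To make the ingress/egress filtering point concrete, the following Python script is an added example written for this page (it is not ICS-CERT's tooling or any product named in the article). It checks constructed firewall and DNS log lines against a constructed list of known-bad networks and domains, reports whether each hit is inbound or outbound, and treats denied connections as alerts too, since an internal host reaching for a known-bad address is itself a sign of compromise. The log format, the indicator values and the use of RFC 1918 ranges to decide direction are all assumptions.

```python
"""Flag traffic to or from known-bad IPs and domains in firewall/DNS logs.

Example code added for illustration; the log format and indicators are
constructed, not taken from ICS-CERT or any real incident.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed indicator list using documentation-only address space.
BAD_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]
BAD_DOMAINS = {"evil-c2.example", "drop.bad.example"}

# Constructed sample log lines in an assumed syslog-like format.
SAMPLE_LOGS = [
    "2011-08-03T10:15:02 fw ALLOW src=10.20.5.17 dst=198.51.100.44 dport=443",
    "2011-08-03T10:15:09 fw ALLOW src=10.20.5.17 dst=192.0.2.10 dport=80",
    "2011-08-03T10:16:30 fw ALLOW src=203.0.113.7 dst=10.20.9.3 dport=22",
    "2011-08-03T10:17:01 dns query=update.evil-c2.example client=10.20.5.17",
    "2011-08-03T10:17:05 dns query=www.example.org client=10.20.5.18",
    "2011-08-03T10:18:11 fw DENY src=10.20.5.17 dst=198.51.100.45 dport=8080",
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
DNS_RE = re.compile(r"^(?P<ts>\S+) dns query=(?P<query>\S+) client=(?P<client>\S+)$")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    direction: str   # "ingress" (bad source) or "egress" (internal host to bad destination)
    indicator: str   # the network or domain from the blocklist that matched
    line: str


def match_ip(addr: str, bad_networks: Iterable[ipaddress.IPv4Network]) -> Optional[str]:
    """Return the blocklist network containing addr, or None (CIDR-aware)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in bad_networks:
        if ip in net:
            return str(net)
    return None


def match_domain(name: str, bad_domains: Iterable[str]) -> Optional[str]:
    """Return the blocklisted domain that name equals or is a subdomain of."""
    name = name.rstrip(".").lower()
    for d in bad_domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def scan_logs(lines: Iterable[str], bad_networks, bad_domains) -> List[Alert]:
    """Match each firewall or DNS line against the blocklist and label its direction."""
    alerts: List[Alert] = []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            src, dst = m["src"], m["dst"]
            hit = match_ip(dst, bad_networks)
            # Internal (private) source talking to a bad destination: egress.
            if hit and ipaddress.ip_address(src).is_private:
                alerts.append(Alert(m["ts"], "egress", hit, line))
                continue
            hit = match_ip(src, bad_networks)
            if hit:
                alerts.append(Alert(m["ts"], "ingress", hit, line))
            continue
        m = DNS_RE.match(line)
        if m:
            # A lookup of a known-bad name is an outbound indicator regardless of answer.
            hit = match_domain(m["query"], bad_domains)
            if hit:
                alerts.append(Alert(m["ts"], "egress", hit, line))
    return alerts


if __name__ == "__main__":
    for a in scan_logs(SAMPLE_LOGS, BAD_NETWORKS, BAD_DOMAINS):
        print(f"{a.timestamp} {a.direction:7} {a.indicator:20} {a.line}")
```

On the constructed sample, four of the six lines produce alerts: two outbound connections into the blocklisted /24 (one of them denied), one inbound connection from the blocklisted host, and one DNS lookup for a subdomain of a blocklisted name. The CIDR and subdomain matching is what makes the check useful against indicator feeds, which usually publish ranges and parent domains rather than exact values.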

"Risk management and assessment is still an art, not a science," says Lamar Bailey, director of security research and development at nCircle. "We need a lot more collaboration between IT and security organizations to dramatically improve the accuracy of risk assessments."

To deal with spear-phishing, Norman Sadeh of Wombat Security Technologies suggests companies develop a security training program that involves sending mock phishing emails to employees.

"At the moment employees fall for the simulated attack, a unique teachable moment is created where the employee is humbled and now open to learning," says Sadeh, chief scientist at Wombat. "Just-in-time training explains what they did wrong, what the criminals are after, and how to avoid similar attacks in the future."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
