7/1/2013 06:19 AM

ICS-CERT: Surge In Brute-Force Attacks Against Energy Industry

Incidents in the energy sector in fiscal 2012 included advanced persistent threat (APT)-type attacks and both sophisticated and common malware, report says

More than 200 cyberincidents were reported by critical infrastructure operators to the ICS-CERT between October of last year and May of this year -- more than half of which were in the energy sector, followed by the manufacturing industry.

The victim organizations were hit mostly by watering hole attacks, SQL injection, and spearphishing. In fiscal 2012 alone, 198 cyberincidents were reported to ICS-CERT, 41 percent of which were from the energy industry. Advanced persistent threat (APT)-type attacks, as well as sophisticated and common malware, were among the threats, ICS-CERT said in its ICS-CERT Monitor report for April/May/June 2013, published on Friday.

Among the recent incidents handled by the ICS-CERT was a brute-force attack campaign against a gas compressor station operator that was later found to be targeting other critical infrastructure operators as well. ICS-CERT said the gas compressor station owner on Feb. 22 reported a jump in brute-force attack attempts on process control networks. The attack campaign, which began in January and subsided in early March, didn't result in any actual breaches, according to ICS-CERT.

ICS-CERT says it posted an alert on its secure portal about the attacks on the gas compressor plant, along with 10 IP addresses being used in the attacks.

"That alert elicited additional reports from critical infrastructure owners who, using the indicators in the alert, had discovered similar brute force attempts to compromise their networks. Those new reports yielded 39 new IP addresses, which ICS-CERT included in an update to the original alert (also posted on the secure portal)," ICS-CERT said in its report.

Gas compressor stations in the Midwest and Plains region were the main victims of the attempted attacks, ICS-CERT said, but there were also attacks against critical infrastructure business networks. "While none of the brute force attempts were successful, these incidents highlight the need for constant vigilance on the part of industry asset owners and operators. The ability to detect anomalous network activity and network intrusions early in an incident greatly increases the chance of a successful mitigation and resolution," the ICS-CERT report said.
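The early detection ICS-CERT calls for here comes down to spotting credential-guessing patterns in authentication logs before a guess lands. The following is an added example (not code from ICS-CERT or this article): a sliding-window detector that flags any source reaching a threshold of failed logins within a short window, then cross-checks the flagged sources against a shared indicator list such as the IP addresses distributed through the portal alert. The log format, the threshold and all IP addresses are constructed assumptions, not values from the report.

```python
# Added example (not code from ICS-CERT or Dark Reading): a sliding-window
# detector for authentication brute-force attempts, plus a cross-check of
# alerted sources against a shared indicator list. Log format, threshold and
# all IP addresses are constructed assumptions, not values from the report.
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed syslog-style sample; RFC 5737 documentation addresses only.
SAMPLE_LOG = """\
2013-02-22T03:10:01 hmi01 sshd: Failed password for operator from 203.0.113.7
2013-02-22T03:10:03 hmi01 sshd: Failed password for admin from 203.0.113.7
2013-02-22T03:10:04 hmi01 sshd: Failed password for root from 203.0.113.7
2013-02-22T03:10:06 hmi01 sshd: Failed password for guest from 203.0.113.7
2013-02-22T03:10:09 hmi01 sshd: Failed password for operator from 203.0.113.7
2013-02-22T03:11:15 hmi01 sshd: Accepted password for operator from 192.0.2.10
2013-02-22T03:12:20 hmi01 sshd: Failed password for operator from 192.0.2.10
2013-02-22T03:45:00 hmi01 sshd: Failed password for admin from 198.51.100.5
2013-02-22T04:20:00 hmi01 sshd: Failed password for admin from 198.51.100.5
"""

def parse_failures(log_text):
    """Yield (timestamp, source_ip) for every failed-authentication line."""
    for line in log_text.splitlines():
        if "Failed password" in line:
            fields = line.split()
            yield datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%S"), fields[-1]

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: time_of_first_alert} for sources that reach
    `threshold` failures inside any sliding window of length `window`."""
    recent = defaultdict(deque)          # ip -> timestamps still inside window
    alerts = {}
    for ts, ip in sorted(parse_failures(log_text)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts

def match_indicators(alerts, shared_iocs):
    """Cross-check alerted sources against indicators shared by a CERT or
    ISAC (the set passed in is a constructed placeholder, not a real list)."""
    return sorted(ip for ip in alerts if ip in shared_iocs)

if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_LOG)
    print(hits)                                       # only 203.0.113.7 alerts
    print(match_indicators(hits, {"203.0.113.7", "198.51.100.99"}))
```

The two slow failures from 198.51.100.5, 35 minutes apart, stay below the window and do not alert; a lower threshold or a longer window trades that quiet for more noise, which is the tuning decision each asset owner has to make against its own logs.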

ICS-CERT last week issued an alert on the dangers of default passwords in Internet-facing devices, a long-standing problem that security researchers have been documenting for the past three years.

Some of the water and commercial sector incidents handled by ICS-CERT in fiscal 2012 involved Internet-connected devices with weak or default passwords.

Lila Kee, North American Energy Standards Board member and GlobalSign chief product and marketing officer, says the new ICS-CERT report demonstrates how the energy sector is at risk of attack. "The report notes that the first half of 2013 yielded 200 brute-force cyberattacks, surpassing 2012's total of 198 attacks. Although attacks on major gas and electric systems are nothing new to those in the industry, these facts serve as evidence that low-level criminals, all the way up to state-sponsored groups, see the value in compromising our nation's critical infrastructure," Kee says.

Kee says the energy sector and other critical infrastructure sectors should be reporting cyberincidents quickly to enable secure information-sharing on attacks. "Although the North American Energy Standards Board has done a fantastic job by drafting and recommending security standards, it is necessary that the critical infrastructure as a whole implement these standards to best apply preventative measures that prepare for the ever-increasing number and methods of targeted attacks," Kee says.

While energy firms represented 53 percent of the 200 cyberincidents reported to ICS-CERT from October 2012 to May 2013, 17 percent of the reports came from the manufacturing sector.

Most of the incident response ICS-CERT conducts occurs remotely, analyzing malware, logs, hard drives, emails and other attack artifacts. ICS-CERT went on-site for five incidents in the first half of FY 2013 to investigate sophisticated attacks in the energy and critical manufacturing industries. "All of the onsite incident response engagements involved sophisticated threat actors who had successfully compromised and gained access to business networks," ICS-CERT said in its report.

In many of the on-site cases, ICS-CERT team analysis was inconclusive because the ICS networks didn't have sufficient logging and forensics data. "While onsite, ICS-CERT analysts examined networks and artifacts to determine if ICS networks were also compromised. Unfortunately, in many cases that analysis was inconclusive because of limited or non-existent logging and forensics data from the ICS network," the report said.

The full ICS-CERT Monitor report is available here (PDF) for download.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
