In 2009, ICS-CERT fielded 9 incident reports. In 2010, that number increased to 41. In 2011, it was 198. Of those 198, seven resulted in the deployment of onsite incident response teams from ICS-CERT, and 21 of the other incidents involved remote analysis efforts by the Advanced Analytics Lab. Incidents specific to the water sector, when added to those that impacted multiple sectors, accounted for more than half of the incidents due to a larger number of Internet-facing control system devices reported by independent researchers, according to the report.
Though not all of the reports turned out to be actual cyber-attacks, the magnitude of the increase is somewhat surprising, says Kim Legelis, vice president of marketing at Industrial Defender.
"While those of us close to critical infrastructure cyber security were aware of the escalating nature of the threat landscape, the level that this report validates was more severe than expected," she says. "In addition, the report provides a baseline to compare future reports and incidents to in the future."
All totaled, ICS-CERT performed 17 onsite assessments during 2009, 2010 and 2011, including seven last year. The most common attack vector for network intrusion was spear-phishing, which accounted for seven of the 17 incidents. "Sophisticated threat actors" were tied to 11 of the incidents, with the goal in several cases being the theft of data.
"No intrusions were identified directly into control system networks," the report states. "However, given the flat and interconnected nature of many of these organization’s networks, threat actors, once they have gained a presence, have the potential to move laterally into other portions of the network, including the control system, where they could compromise critical infrastructure operations."
Tellingly, in 12 of the 17 cases, implementing of security best practices such as login limitations and properly configured firewalls could have deterred the attack, minimized the time it took to detect it or reduced its impact, ICS-CERT reports. Just last week, ICS-CERT advised that multiple systems have been observed "with default usernames and passwords" were accessible via the Internet. Those systems included the Echelon i.LON product, which is deployed in motors, pumps, valves, sensors and other control devices.
According to ICS-CERT, ten organizations in those 17 cases could have detected an intrusion by using ingress/egress filtering of known bad IP addresses or domain names. In three of the 17, asset owners had been notified of a cyber-attack or intrusion by external organizations, and in two additional cases, the incident had been identified by a hired third party such as a consultant or an integrator.
"Risk management and assessment is still an art, not a science," says Lamar Bailey, director of security research and development at nCircle. "We need a lot more collaboration between IT and security organizations to dramatically improve the accuracy of risk assessments."
To deal with spear-phishing, Norman Sadeh of Wombat Security Technologies suggests companies develop a security training program that involves sending mock phishing emails to employees.
“At the moment employees fall for the simulated attack, a unique teachable moment is created where the employee is humbled and now open to learning," says Sadeh, chief scientist at Wombat. "Just-in-time training explains what they did wrong, what the criminals are after, and how to avoid similar attacks in the future."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.