Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/29/2012
04:57 PM
50%
50%

U.S. Critical Infrastructure Cyberattack Reports Jump Dramatically

A new report from ICS-CERT shows the number of reported incidents increased from 9 to 198 between 2009 and 2011

U.S. critical infrastructure companies saw a dramatic increase in the number of reported cyber-security incidents between 2009 and 2011, according to a new report from the U.S. Industrial Control System Cyber Emergency Response Team (ICS-CERT).

In 2009, ICS-CERT fielded 9 incident reports. In 2010, that number increased to 41. In 2011, it was 198. Of those 198, seven resulted in the deployment of onsite incident response teams from ICS-CERT, and 21 of the other incidents involved remote analysis efforts by the Advanced Analytics Lab. Incidents specific to the water sector, when added to those that impacted multiple sectors, accounted for more than half of the incidents due to a larger number of Internet-facing control system devices reported by independent researchers, according to the report.

Though not all of the reports turned out to be actual cyber-attacks, the magnitude of the increase is somewhat surprising, says Kim Legelis, vice president of marketing at Industrial Defender.

"While those of us close to critical infrastructure cyber security were aware of the escalating nature of the threat landscape, the level that this report validates was more severe than expected," she says. "In addition, the report provides a baseline to compare future reports and incidents to in the future."

All totaled, ICS-CERT performed 17 onsite assessments during 2009, 2010 and 2011, including seven last year. The most common attack vector for network intrusion was spear-phishing, which accounted for seven of the 17 incidents. "Sophisticated threat actors" were tied to 11 of the incidents, with the goal in several cases being the theft of data.

"No intrusions were identified directly into control system networks," the report states. "However, given the flat and interconnected nature of many of these organization’s networks, threat actors, once they have gained a presence, have the potential to move laterally into other portions of the network, including the control system, where they could compromise critical infrastructure operations."

Tellingly, in 12 of the 17 cases, implementing of security best practices such as login limitations and properly configured firewalls could have deterred the attack, minimized the time it took to detect it or reduced its impact, ICS-CERT reports. Just last week, ICS-CERT advised that multiple systems have been observed "with default usernames and passwords" were accessible via the Internet. Those systems included the Echelon i.LON product, which is deployed in motors, pumps, valves, sensors and other control devices.

According to ICS-CERT, ten organizations in those 17 cases could have detected an intrusion by using ingress/egress filtering of known bad IP addresses or domain names. In three of the 17, asset owners had been notified of a cyber-attack or intrusion by external organizations, and in two additional cases, the incident had been identified by a hired third party such as a consultant or an integrator.

"Risk management and assessment is still an art, not a science," says Lamar Bailey, director of security research and development at nCircle. "We need a lot more collaboration between IT and security organizations to dramatically improve the accuracy of risk assessments."

To deal with spear-phishing, Norman Sadeh of Wombat Security Technologies suggests companies develop a security training program that involves sending mock phishing emails to employees.

“At the moment employees fall for the simulated attack, a unique teachable moment is created where the employee is humbled and now open to learning," says Sadeh, chief scientist at Wombat. "Just-in-time training explains what they did wrong, what the criminals are after, and how to avoid similar attacks in the future."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11529
PUBLISHED: 2020-04-04
Common/Grav.php in Grav before 1.6.23 has an Open Redirect.
CVE-2020-11527
PUBLISHED: 2020-04-04
In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files.
CVE-2020-11528
PUBLISHED: 2020-04-04
bit2spr 1992-06-07 has a stack-based buffer overflow (129-byte write) in conv_bitmap in bit2spr.c via a long line in a bitmap file.
CVE-2020-11518
PUBLISHED: 2020-04-04
Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution.
CVE-2020-5347
PUBLISHED: 2020-04-04
Dell EMC Isilon OneFS versions 8.2.2 and earlier contain a denial of service vulnerability. SmartConnect had an error condition that may be triggered to loop, using CPU and potentially preventing other SmartConnect DNS responses.