ICS-CERT: Surge In Brute-Force Attacks Against Energy Industry

Incidents with energy sector in fiscal 2012 included advanced persistent threat (APT)-type attacks, and sophisticated as well as common malware, report says

Dark Reading Staff, Dark Reading

July 1, 2013

4 Min Read
Dark Reading logo in a gray background | Dark Reading

More than 200 cyberincidents were reported by critical infrastructure operators to the ICS-CERT between October of last year and May of this year -- more than half of which were in the energy sector, followed by the manufacturing industry.

The victim organizations were hit mostly by watering hole attacks, SQL injection, and spearphishing. In fiscal 2012 alone, 198 cyberincidents were reported to ICS-CERT, 41 percent of which were from the energy industry. Advanced persistent threat (APT)-type attacks, as well as sophisticated and common malware were among the threats, ICS-CERT said in its ICS-CERT Monitor report for April/May/June 2013, published on Friday.

Among the recent incidents handled by the ICS-CERT was a brute-force attack campaign against a gas compressor station operator that was later found to be targeting other critical infrastructure operators as well. ICS-CERT said the gas compressor station owner on Feb. 22 reported a jump in brute-force attack attempts on process control networks. The attack campaign, which began in January and subsided in early March, didn't result in any actual breaches, according to ICS-CERT.

ICS-CERT says it posted an alert on its secure portal about the attacks on the gas compressor plant, along with 10 IP addresses being used in the attacks.

"That alert elicited additional reports from critical infrastructure owners who, using the indicators in the alert, had discovered similar brute force attempts to compromise their networks. Those new reports yielded 39 new IP addresses, which ICS-CERT included in an update to the original alert (also posted on the secure portal)," ICS-CERT said in its report.

Gas compressor stations in the Midwest and Plains region were the main victims of the attempted attacks, ICS-CERT said, but there also were attacks against critical infrastructure business networks as well. "While none of the brute force attempts were successful, these incidents highlight the need for constant vigilance on the part of industry asset owners and operators. The ability to detect anomalous network activity and network intrusions early in an incident greatly increases the chance of a successful mitigation and resolution," the ICS-CERT report said.

ICS-CERT last week issued an alert on the dangers of default passwords in Internet-facing devices, a long-standing problem that's been the subject of security researchers for the past three years.

Some incidents in the water and commercial industry reports handled by ICS-CERT in fiscal 2012 had to do with Internet-connected devices that had weak or default passwords.

Lila Kee, North American Energy Standards Board member and GlobalSign chief product and marketing officer, says the new ICS-CERT report demonstrates how the energy sector is at risk of attack. "The report notes that the first half of 2013 yielded 200 brute-force cyberattacks, surpassing 2012's total of 198 attacks. Although attacks on major gas and electric systems are nothing new to those in the industry, these facts serve as evidence that low-level criminals, all the way up to state-sponsored groups, see the value in compromising our nation's critical infrastructure," Kee says.

Kee says the energy sector and other critical infrastructure sectors should be reporting cyberincidents quickly to enable secure information-sharing on attacks. "Although the North American Energy Standards Board has done a fantastic job by drafting and recommending security standards, it is necessary that the critical infrastructure as a whole implement these standards to best apply preventative measures that prepare for the ever-increasing number and methods of targeted attacks," Kee says.

While energy firms represented 53 percent of the 200 cyberincidents reported to ICS-CERT from October 2012 to May 2013, 17 percent of the reports came from the manufacturing sector.

Most of the incident response ICS-CERT conducts occurs remotely, analyzing malware, logs, hard drives, emails and other attack artifacts. ICS-CERT went on-site for five incidents in the first half of FY 2013 to investigate sophisticated attacks in the energy and critical manufacturing industries. "All of the onsite incident response engagements involved sophisticated threat actors who had successfully compromised and gained access to business networks," ICS-CERT said in its report.

In many of the on-site cases, ICS-CERT team analysis was inconclusive because the ICS networks didn't have sufficient logging and forensics data. "While onsite, ICS-CERT analysts examined networks and artifacts to determine if ICS networks were also compromised. Unfortunately, in many cases that analysis was inconclusive because of limited or non-existent logging and forensics data from the ICS network," the report said.

The full ICS-CERT Monitor report is available here (PDF) for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights