The recent cyber attack on the Ukrainian power grid, as well as the revelation that Iranian hackers penetrated a New York hydroelectric dam in 2013, has raised serious concerns over the vulnerability of US critical infrastructure.
Amid these concerns, the Department of Homeland Security’s (DHS) Industrial Control Systems Cybersecurity Emergency Response Team (ICS-CERT) issued an alert last week indicating that cyber attacks on the nation’s critical manufacturing sector nearly doubled in fiscal year 2015. Many more went unreported or undetected.
According to the alert, between October 2014 and September 2015, ICS-CERT investigated 97 reported cyber incidents in the Critical Manufacturing Sector, representing a third of the 295 reported incidents targeting critical infrastructure for the fiscal year. The Energy Sector came in second with 46 incidents, followed by the Water and Wastewater Systems Sector with 25.
The Critical Manufacturing sector includes a number of core industries essential to the economic prosperity of the US. These include the manufacturing of primary metal, machinery, electrical equipment, and transportation equipment, such as vehicles and aviation and aerospace parts.
ICS-CERT attributed the rise in cyber attacks to a widespread spear-phishing campaign that primarily targeted critical manufacturing companies along with limited targets in other sectors. Of the known initial infection vectors in FY 2015, spear phishing represented 37 percent of the total incidents.
“Being relatively easy to execute and demonstrably effective, spear phishing continues to be a common method of initial access against critical infrastructure targets,” ICS-CERT’s report stated.
Shortly before the report was published, Marty Edwards, head of ICS-CERT, warned critical infrastructure specialists at a conference in Miami of an increase in attacks on industrial control systems networks.
“We see more and more that are gaining access to that control system layer,” Edwards told attendees at the S4 conference, Reuters reported.
Edwards attributes the rising number of cyber attacks to more control systems being directly connected to the Internet. Edwards said, “I am very dismayed at the accessibility of some of these networks…they are just hanging right off the tubes.”
The ICS-CERT report underscored continued threats against US critical infrastructure, reinforcing the need for asset owners and operators to focus on security fundamentals.
A joint publication by DHS, the National Security Agency, and the Federal Bureau of Investigation, “Seven Steps to Effectively Defend Industrial Control Systems,” and ICS-CERT’s “Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies,” provide a number of strategies to counter common exploitable weaknesses in industrial control systems.
These steps include implementing application whitelisting, ensuring proper configuration and patch management, reducing the attack surface area, building a defendable network, managing authentication, implementing secure remote access, and actively monitoring for adversarial penetration and executing a prepared response.
The paper concludes, “Defense against the modern threat requires applying measures to protect not only the perimeter but also the interior.”