More than half of the cybersecurity incidents reported to the Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) involved sophisticated actors or advanced persistent threats (APT), according to new data released in an ICS-CERT report.
Of the 245 incidents reported to ICS-CERT in Fiscal Year 2014, roughly 55 percent involved an APT, a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time.
ICS-CERT indicated that economic espionage and reconnaissance are among the reasons industrial systems have been targeted by sophisticated actors. Other actor types included hacktivists, insider threats and criminals.
The reported incidents covered a large range of threats and measures to gain access to both business and control systems infrastructure, including exploitation of zero-day vulnerabilities in control system devices and software and unauthorized access and exploitation of Internet facing ICS/Supervisory Control and Data Acquisition (SCADA) devices.
Other incidents included malware infections within air-gapped control system networks, SQL injection via exploitation of Web application vulnerabilities, network scanning and probing, lateral movement between network zones, targeted spear-phishing campaigns, and strategic web site compromises (i.e. watering hole attacks).
“The majority of incidents were categorized as having an “unknown” access vector. In these instances, the organization was confirmed to be compromised; however, forensic evidence did not point to a method used for intrusion because of a lack of detection and monitoring capabilities within the compromised network,” ICS-CERT reported.
Over the past year, ICS-CERT and the FBI have responded to a number of sophisticated cyber exploitation campaigns against US critical infrastructure. The most notable of these campaigns were Havex and Black Energy malware, both of which have gained access to industrial control systems used to operate US critical infrastructure.
“ICS-CERT is highly concerned because the sophistication of the threat actors and exploitation techniques used represent an elevated level of risk for critical infrastructure asset owners and operators,” the report stated.
Homeland Security Today previously reported that an ongoing Russian hacking campaign, active since 2011, used a variant of Black Energy malware to compromise numerous industrial control systems environments.
A DHS ICS-CERT Bulletin indicated no attempt has been made to activate the malware to “damage, modify or otherwise disrupt” the industrial control process. If unleashed, however, the malware could shut down most of the nation’s critical infrastructure, including pipelines, nuclear power plants, wind turbines and water treatment plants.
In another example, Homeland Security Today reported that Iranian hackers penetrated the computer networks of government agencies and major critical infrastructure companies in the United States and 15 other countries over the past two years in a campaign that could eventually cause physical damage, according to a report by cybersecurity company Cylance.
Targets have included some of the most sensitive critical infrastructure companies across the globe, spanning military, oil and gas, energy and utilities, transportation, hospitals, telecommunications, technology, education, aerospace, defense contractors and chemical companies, as well as governments.
“Unfortunately, many critical infrastructure organizations are unable to secure their complex environments against modern attacks. They fall victim to the ‘glue flu,’ a malaise of feeling stuck, not wanting to change the status quo for fear they will find problems that they have no idea how to prevent. This ‘security anaphylaxis’ spells real disaster,” the Cylance report concluded.
The ICS-CERT report underscored continued threats against US critical infrastructure. ICS-CERT noted that the 245 cyber incidents represent only the number of incidents reported to ICS-CERT and not the total number of attacks on US critical infrastructure. Many cyber incidents go unreported.
In response, ICS-CERT and the FBI kicked off an “Action Campaign” to conduct classified briefings for private sector critical infrastructure stakeholders across the country. 1,600 participants involved in the protection of critical infrastructure have attended the briefings.
“ICS-CERT recognizes that outreach activities in the form of risk and mitigation briefings play a key role in mitigating the overall risk to critical infrastructure,” said ICS-CERT. “ICS-CERT will continue to conduct briefings as needed to provide asset owners with the most up-to-date information on emerging threats and security measures that can be deployed to help thwart cyber-attacks and reduce risk.”