DHS report confirms spike in critical infrastructure cyberattacks
The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) was formally inaugurated in November 2009 to improve government collaboration with the companies that operate critical components of national infrastructure, including energy grids, water treatment facilities and nuclear plants. The organization recently released a comprehensive review of its first 26 months in operation, revealing a sharp rise in the number of cyber incidents reported to it over that period.
Confirmed dangers
According to the ICS-CERT report, four incidents were reported during the final two months of 2009, two of which ultimately required the deployment of on-site response teams. One involved a municipal water treatment plant where investigators found no evidence of malicious activity; the other concluded with a similar outcome. Both facilities were nevertheless given a list of recommended steps for improving their network security posture.
In 2010, ICS-CERT received reports of 41 incidents from critical infrastructure asset owners, eight of which required on-site visits. Four of the incidents involved successful spear phishing campaigns that led to the exfiltration of limited but sensitive data. Perhaps the most serious case, however, centered on a nuclear facility in which traces of the Mariposa botnet were discovered.
The following year may have been the clearest indicator of evolving attacker priorities, as 198 incidents were reported to ICS-CERT in 2011. Just seven of these merited deployment of on-site response teams. However, two took place within government facilities, and one event resulted in the temporary loss of backup power.
Despite these concerning details, officials recognize the significance of the conversation that ICS-CERT has started.
"Incident response is an essential part of cybersecurity. DHS has made a consistent effort to work with public- and private-sector partners to develop trusted relationships and help asset owners and operators establish policies and controls that prevent incidents," DHS spokesman Peter Boogaard told CNN. "The number of incidents reported to DHS' ICS-CERT has increased partly due to this increased communication."
Common ties
After comparing the 17 incidents that required on-site interventions, ICS-CERT analysts found some notable commonalities. Spear phishing was the most common initial attack vector, with seven cases triggered by malicious links or attachments in employee emails. Additionally, all but six of the attacks were attributed to what officials categorized as "sophisticated threat actors" who were well-versed in advanced techniques.
Unfortunately, defenses were often weak enough that the attackers may not have needed to call upon their most advanced skills.
"In 12 of 17 cases, implementation of security recommended practices, such as login limitations and segmenting networks with properly configured firewalls, could have deterred the attack, significantly reduced the time to detect the attack or at least reduced the impact of the incident," the report stated.
Room for improvement
Not surprisingly, ICS-CERT investigators pointed to threat detection as the most important layer of defense and suggested that much progress was needed in this area. In five of the 17 most serious cases, the asset owner was first notified of the anomaly by an external organization or a third-party service provider rather than by its own monitoring. Additionally, 10 of the organizations could likely have prevented or limited the incident by employing ingress/egress filtering against IP addresses or domain names that were already known to be malicious.
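The two practices the report credits above, blocking egress to destinations already known to be malicious and segmenting the control network behind a properly configured firewall, come down to a small policy check applied to every connection. The following Python script is an added example written for this page; it is not code from ICS-CERT or from the report. The blocklist entries, the ICS segment and its allow-list, and the firewall log lines are all constructed for illustration and use RFC 5737 documentation addresses.

```python
"""
Egress-filtering and network-segmentation check over firewall log lines.

Added example, not from the ICS-CERT report. It demonstrates:
  1. denying egress to IPs/CIDRs and domains on a known-bad blocklist
     (with subdomain matching, so cdn.bad.example is caught by bad.example), and
  2. enforcing segmentation: hosts in the control-system (ICS) segment may
     only reach an explicit allow-list of internal destinations.
All addresses, domain names and log lines below are constructed.
"""
import ipaddress
import re

# Hypothetical blocklist, as a threat-intelligence feed would supply it.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]
BLOCKED_DOMAINS = {"bad-updates.example", "c2.example.net"}

# Hypothetical segmentation policy: ICS hosts may only talk to the
# historian (10.20.0.5) and the NTP server (10.20.0.123).
ICS_SEGMENT = ipaddress.ip_network("10.10.0.0/24")
ICS_ALLOWED_DESTINATIONS = [ipaddress.ip_network(n) for n in ("10.20.0.5/32", "10.20.0.123/32")]

# Constructed log format: "<timestamp> src=<ip> dst=<ip> [host=<name>] dport=<port>"
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)(?: host=(?P<host>\S+))? dport=(?P<dport>\d+)")


def ip_in_any(ip, networks):
    """True if ip falls inside any of the given networks."""
    return any(ip in net for net in networks)


def domain_blocked(host):
    """Match the host and each of its parent domains against the blocklist."""
    if not host:
        return False
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def evaluate(line):
    """Return (verdict, reason) for one log line: 'allow', 'deny' or 'unparsed'."""
    m = LOG_RE.search(line)
    if not m:
        return ("unparsed", "line did not match the expected format")
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    # Known-bad destinations are denied regardless of source segment.
    if ip_in_any(dst, BLOCKED_NETWORKS):
        return ("deny", f"destination {dst} is on the IP blocklist")
    if domain_blocked(m["host"]):
        return ("deny", f"destination host {m['host']} is on the domain blocklist")
    # Segmentation: ICS hosts get default-deny except for the allow-list.
    if src in ICS_SEGMENT and not ip_in_any(dst, ICS_ALLOWED_DESTINATIONS):
        return ("deny", f"ICS host {src} may not reach {dst} (segmentation policy)")
    return ("allow", "")


def filter_log(lines):
    """Apply evaluate() to every line; returns a list of (line, verdict, reason)."""
    return [(line, *evaluate(line)) for line in lines]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2011-06-14T03:12:07Z src=10.30.4.21 dst=198.51.100.44 host=cdn.bad-updates.example dport=443",
    "2011-06-14T03:12:09Z src=10.30.4.21 dst=192.0.2.10 host=c2.example.net dport=80",
    "2011-06-14T03:13:40Z src=10.10.0.17 dst=10.20.0.5 dport=502",
    "2011-06-14T03:14:02Z src=10.10.0.17 dst=192.0.2.10 dport=443",
    "2011-06-14T03:14:30Z src=10.30.4.22 dst=192.0.2.10 host=www.example.com dport=443",
]

if __name__ == "__main__":
    for line, verdict, reason in filter_log(SAMPLE_LOG):
        print(f"{verdict:<5} {line}" + (f"  <- {reason}" if reason else ""))
```

The order of the checks matters: the blocklist is consulted before the segmentation rule so that a known-bad destination is reported as such even when the source is an ordinary corporate host, while the segmentation rule catches the fourth line, an ICS host reaching an arbitrary external address that no feed has flagged yet. In a real deployment the blocklist and allow-list would be loaded from the firewall or proxy configuration rather than hard-coded, and the "deny" results would feed the detection pipeline the report says most asset owners were lacking.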
To bring prevention, detection and response up to par, the report's authors advised asset owners to give equal attention to people, processes and technology. While there is no substitute for current tools, an informed workforce may be the most valuable asset, since ordinary employees are often the first audience for phishing lures and frequently the trigger for a security lapse.
Security News from SimplySecurity.com by Trend Micro