Infrastructure Incidents on the RiseICS-CERT Reports 190 Incidents in 2011, Up from 9 in 2009
The nation's critical IT infrastructure has experienced a significant uptick in reported cyber incidents. The overall numbers, though, seem relatively small when the entire universe of cyber incidents is considered. Yet, they suggest the IT systems the United States economy and society rely on to function are increasingly at risk.
In a new study from the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, the number of incidents reported to ICS-CERT reached 190 in 2011, up from 41 in 2010 and nine in 2009, the year the reporting system began. DHS doesn't contend that all incidents have been reported. No specific infrastructure operator of system was identified.
The report comes as the Senate may take up later this month a contentious cybersecurity bill, backed by the White House but opposed by most Republicans, which would provide some IT security regulation of infrastructure providers whose IT systems are deemed critical to the national wellbeing. Industries the ICS-CERT monitors include chemical, communications, critical manufacturing, energy, government, information technology, nuclear, water and transportation.
In 2011, the water sector represented more than half of the reported incidents, when cross-sector organizations are factored in, because they employed the same remote access platform that was configured with an unsecure authentication mechanism, ICS-CERT reports.
ICS-CERT also responded to multiple incidents involving sophisticated and targeted spear-phishing campaigns against asset owners in the chemical, energy, government and nuclear sectors. In some instances, the report says, e-mails were convincingly crafted and appeared to be from corporate executives or other trusted sources in an attempt to lure users into opening malicious attachments or links. Once systems are compromised, attackers often map out networks in order to perform a variety of functions including stealing credentials, exfiltrating sensitive financial, research and operational information, and establishing multiple footholds to maintain persistent presence for future operations.
ICS-CERT conducted onsite visits to investigate 17 of the 248 reported incidents over the three years and determined the most common infection vector for network intrusion was spear-phishing e-mails with malicious links or attachments, accounting for 41 percent of the incidents probed. At least one incident involved an infection from a removable USB device.
Sophisticated threat actors were present in 11 of the 17 incidents, including the spear-phishers. The primary motive for the incidents: data exfiltration. "No intrusions were identified directly into control system networks; however, given the flat and interconnected nature of many of these organization's networks, threat actors, once they have gained a presence, have the potential to move laterally into other portions of the network, including the control system, where they could compromise critical infrastructure operations," the report says.
In all but five of the investigated incidents, ICS-CERT says, implementing recommended security best practices - login limitations and segmenting networks with properly configured firewalls, for instance - could have deterred the attack, reduced significantly the time to detect the attack or at least reduced the impact of the incident.
Most of the organizations studied didn't provide adequate detection methods to quickly identify intrusions and implement mitigation and recovery procedures. ICS-CERT says 10 organizations could have detected the intrusion by using ingress/egress filtering of known bad IP addresses or domain names.
"Many organizations did not have sufficient logging capabilities enabled and were unable to provide valuable log data for analysis," the report says. "In some cases, the forensic images that were sent to the AAL (advanced analytics lab) for analysis were created long after the event occurred. By then, important timestamps had been overwritten and a reliable timeline could not be established. Similarly, running antivirus scanning after an intrusion can overwrite timestamps."
ICS-CERT identified three common trends in operational security gaps in control systems environments when it fed data from onsite assessments into DHS's Cybersecurity Evaluation Tool:
- People: Staff at all levels of an organization can contribute to cybersecurity gaps. "Personnel may not believe the threat is credible or they don't see themselves as a target or they lack the knowledge and capabilities to implement adequate protective measures," the report says.
- Process: Many organizations demonstrate insufficient incident response planning to restrain cyber events, detect intrusions and preserve forensic data for analysis and recovery strategies. They also lack policies for moving security operations from a tactical level to a core business competency across business functions.
- Technology: Control-systems-environments risk assessments do not identify most significant technical risks and potential impacts to operations that would support the business case for investing in cybersecurity. In addition, lack of security management framework that results in an inconsistent tactical security posture and patch management policies. Too often, organizations improperly allow uncontrolled user logons and network access by vendors.
ICS-CERT sees sophisticated and targeted cyber intrusions against industrial control systems across multiple critical infrastructure sectors to increase in the coming year. To address this situation, ICS-CERT published a paper that provides targeted cyber intrusion detection and mitigation strategies."Unfortunately, a simple and prescriptive remedy that can be applied uniformly to every organization does not exist," the paper says. "However, basic principles and recommendations exist that are essential to maintaining a sound network security posture and that will provide the necessary capabilities to respond to an incident."