Energy sector cyberattacks jumped in 2012. Were utilities prepared?

The number of cyberattacks on the computer systems of power grid and gas pipeline companies rose in 2012, a federal report shows, as cyberspies zeroed in on the energy sector.


Cyberattackers zeroed in on computer systems run by power grid operators and natural gas pipeline companies last year, paying less attention to infiltrating networks belonging to water, chemical, and nuclear facilities, a new federal report shows.

Energy companies were clearly in the cyber bullseye in 2012, targeted in 41 percent of the malicious software attack cases reported to a special Department of Homeland Security (DHS) team that responds to cyberattacks on industrial computer networks.

The overall number of attacks remained flat at 198 incidents for the year, the same as 2011. But energy sector companies reported 82 cyberattacks last year, a sharp increase over the 31 cases reported in 2011, according to a report released last week by DHS's Industrial Control System-Cyber Emergency Response Team (ICS-CERT).

Among those energy-sector cyberattack cases, 23 involved oil and natural gas companies hit by a persistent, months-long targeted spear-phishing campaign first reported by the Monitor in May. Also on the upswing were attacks on commercial manufacturing facilities, which leaped to 19 last year from 2 in 2011.

Water systems were close behind among the most-targeted sectors, but still saw far fewer attacks than in 2011. Cyberattacks reported on water plants fell to 19 incidents, or 15 percent of last year's total, compared with 81 attacks and a 41 percent share of the total in 2011, when it was the largest single targeted sector.

Reported attacks on chemical companies also fell from nine to seven. Nuclear power and other facilities, which were in their own category separate from "energy," saw six reported incidents last year compared with 10 in 2011, the ICS-CERT report found.

The numbers indicate that cyberspies are focusing their efforts increasingly on the energy industry and less on everything else, experts say.

"Campaigns are widening to include a successful attack against a key supplier of energy control systems and attempts to compromise a sector security consortium," writes Michael Assante, former chief security officer at the North American Electric Reliability Council, whose member companies run the nation's power grid, in an online comment on the DHS report. "Energy will continue to be an attractive target."

Despite increasing awareness of the threat, companies that rely on computerized systems for production – especially those in the energy sector – have a long way to go to defend themselves against sophisticated cyberspies, who are practically unimpeded in their efforts to map networks, set up digital beachheads inside networks, and steal e-mail, data and passwords, experts in industrial control system security say.

"Unfortunately, most utilities just aren't prepared from a resources perspective for the coming threats," says Robert Huber, a principal at Critical Intelligence, a cybersecurity firm in Idaho Falls, Idaho, that specializes in protecting critical infrastructure. "They have neither the necessary people, nor the budget."

Debate has been rising over how best to protect "critical infrastructure" companies, including those that operate the power grid, gas pipelines, transportation, water, chemical, financial, and other networks. But awareness of the depth of the problem is giving at least some company officials a fresh perspective on the risks involved.

Over the past decade many companies have linked their Internet-connected business networks to the industrial control networks. While these connections allow company managers to tap real-time production data and lower costs, they also have created a point of entry for cyberattackers intent on gaining access to the control systems.

President Obama has promised to soon deliver a new executive order increasing federal agency oversight of cybersecurity involving industrial sectors if Congress does not act.

One example: In response to a distress call, ICS-CERT sent a rapid-response team to provide onsite support at a power generating plant "where both common and sophisticated malware had been discovered in the industrial control system environment."

The malware had been discovered when an employee, who routinely used a USB drive to back up control system configurations, asked the company IT staff to inspect his USB drive after experiencing problems with the drive’s operation. A scan with up-to-date antivirus software revealed three positive hits, including one sample "linked to known sophisticated malware." (Such infections spread by USB drive are believed to be the way that the cyberweapon Stuxnet infected Iran's nuclear fuel complex.)

After that, the ICS-CERT team found the same sophisticated malware on the two engineering workstations. A check of 11 other workstations showed them to be clear. But the two with the infection were so vital that, at the time, they could not be shut down to have the malware removed.

"The organization also identified during the course of the investigation that it had no backups for the two engineering workstations," the ICS-CERT report last week said. "Those workstations were vital to the facility operation and, if lost, damaged, or inoperable, could have a significant operational impact."
