Companies that operate computerized industrial control systems at the heart of America's critical infrastructure have seen a three-year surge in cyberattacks, according to a new government report.
Emergency cyber-responders with the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), an arm of the Department of Homeland Security, reported a 20-fold leap in the number of incidents since the team was created in 2009, says the report, which was posted late Thursday night.
The number of incidents reported to ICS-CERT by the companies that own the vital equipment rose from nine in 2009 to 198 in 2011. The equipment includes operating valves and switches in power plants, refineries, chemical plants, and nuclear generating stations.
Some observers cautioned against panic over the size of the jump, saying the rate of increase is somewhat exaggerated because the government cybersquad was a new entity – meaning that reporting rose naturally over that period. It may take a few more years to establish a firm trend line, these experts said.
Indeed, the number of the most serious cases, requiring "flyaway teams" to swoop down at those companies' sites, involved just two visits in 2009, eight in 2010, and seven in 2011. That makes for a total of 17. Also, the number of cases involving analysis efforts by ICS-CERT, but not a site visit, were just 21 in 2011 – indicating that many incident reports were lesser threats or perhaps even false alarms.
While the attacks that ICS-CERT responded to do not appear to have directly targeted the control systems themselves, many were instead targeted attempts to steal confidential data, and they infiltrated businesses and networks connected to others that did control these vital systems.
"Sophisticated threat actors were present in 11 of the 17 incidents, including the actors utilizing spear-phishing tactics to compromise networks," the report says. "These threat actors were responsible for data exfiltration in several cases, which seems to have been the primary motive for intrusion. No intrusions were identified directly into control system networks."
Since direct attacks on industrial control systems are still apparently quite rare, some critics say that ICS-CERT seems to be scrambling to find a mission for itself. In the one case in 2010 involving a real control system attack – Stuxnet – the ICS-CERT and DHS were heavily criticized for being slow to respond.
But even as reporting has improved, the number of "exploits" or vulnerabilities identified in industrial control systems has exploded over the same period.
"Awareness of security issues has grown a lot in the last few years, and a lot of technology has been deployed to detect threats, so reporting is better," says Jacob Kitchel, senior manager of security and compliance at Industrial Defender, based in Foxborough, Mass. "But [industrial control system] security has become a hot topic, too. So criminals and hackers are becoming more curious about these systems and have begun poking and prodding them. It's a combination of these things."
In fact, there was a fivefold increase in incidents last year over 2010 – a period in the wake of Stuxnet. The world's first publicly known cyberweapon, Stuxnet was unleashed on Iran by the United States and Israel, news reports recently confirmed.
Stuxnet affected others, too. The report records just one 2010 incident involving a US manufacturing company whose industry systems were infected with the Stuxnet worm, prompting a flyaway team to visit it, the government report said. But Symantec, in its analysis of the cyberweapon's spread, estimated dozens of US cases of Stuxnet infections.
Eric Byres, a Canadian security expert, told the Monitor last year that a number of energy companies were infected with Stuxnet and required costly remediation to remove it.
In terms of cyberattacks overall, energy companies were one of the biggest targets, according to the government report. Electric utilities took 44 percent of the hits in 2010, with nuclear power companies at 12 percent.
Water purification systems were the largest single sector reporting incidents in 2011. Many of those incidents were apparently due to the system interfaces being featured on a specialized search engine called SHODAN, thus being ripe for identification and attack, the report found.
ICS-CERT teams were called for the 2009 "Night Dragon" attacks on energy companies, which targeted global oil, energy, and petrochemical companies. In those cases, hackers trolled company networks for sensitive data and valuable intellectual property.
That same year, ICS-CERT deployed a team to a nuclear power plant. There it found a piece of crimeware that had taken over 100 computers on the company's business network. How did it get there? An employee had used a USB drive from an industry trade show to load a report onto his laptop – and the Mariposa botnet virus was on it.
Other nuclear industry employees had also used the same infected USB drive at the industry event, investigators were told, so their laptops were probably infected, too. But even though ICS-CERT got the instructor’s name, contacted him to let him know about the infected drive, and asked for a list of attendees at the seminar for notification purposes, the instructor went it alone.
He "said that he would reach out to the entities himself to inform them of the malware," the report said. "Unfortunately, ICS-CERT was not able to verify if the companies were ever contacted and to what extent they may have been impacted."