America’s water and power utilities under daily cyber-attack.

America’s utilities face constant cyber-espionage and denial-of-service attacks against their industrial control systems (ICS), according to the team of specialists from the U.S. Department of Homeland Security (DHS) who are called in to investigate the worst cyber-related incidents at these utilities.
DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) assisted utilities with network and forensic analysis in 17 major cases in 2011. Seven of those incidents began as spear-phishing e-mails sent to utility personnel.
An ICS-CERT leader said 11 of the 17 incidents were very “sophisticated,” signaling a well-organized “threat actor.” She said DHS believes that in 12 of the 17 cases, had the compromised utility practiced even the most basic network security for its corporate and industrial control systems, it would likely have detected or fended off the attack.
One of the basic problems observed at utilities is that “a lot of folks are using older systems previously not connected to the Internet,” she said. In a panel at the GovSec Conference, ICS-CERT's leaders candidly presented a bleak assessment of why America's utilities have a hard time maintaining security, and why it's getting worse.
Background: [Links to Networkworld article are now 404] America's critical infrastructure-response system is broken
She also noted that the hacktivist group Anonymous is becoming more interested in ICS and it's a threat that should be taken seriously.
Kevin Helmsley, another ICS-CERT leader, said the number of “incident tickets” opened for reported incidents at water and power-generating utilities is rising: only 9 were opened in 2009, compared with 198 in 2011.
Outside researchers periodically discover vulnerabilities in ICS-related products, and Helmsley noted that older ICS equipment that is hard to bring up to date is a major issue.
He said he knew of one GE product that was 20 years old and still in use and "riddled with problems." But some of the ICS equipment is very expensive and owners want to maximize their investments, he pointed out. "Sometimes the product is no longer being maintained by the vendor and they don't release a patch. But that doesn't mean it's not being used." Sometimes the bad guys do release exploit code for these vulnerable products, he noted.
Just over 40 percent of those tickets came from water-sector utilities, with the rest from energy, nuclear energy and chemical providers. He said that in many cases the attacks do not appear to arrive directly from the Internet via the utility’s Internet service provider; they are often traced back to outside companies that provide services to the attacked utilities, raising the question of whether those service providers have themselves been compromised.
Source: [Link to Networkworld article is now 404; however it was 040412-dhs-cyberattack-25946]