Cyber Incidents Down; Reporting Declines

Wednesday, July 8, 2015 @ 11:07 AM gHale

Cyber incidents reported to ICS-CERT are down for the first half of the fiscal year, but that does not necessarily mean there were fewer events; it could be because fewer organizations are reporting attacks.

In the first half of FY 2015 (October 2014 through April 2015), ICS-CERT responded to 108 cyber incidents on the critical infrastructure in the United States, according to a report in the ICS-CERT Monitor. As in previous years, the energy sector continues to lead all others with the most reported incidents, with electricity at 13 incidents, petroleum at 9, natural gas at 4, and miscellaneous at 3, totaling 28 percent. The water and critical manufacturing sectors came in second and third, with 19 percent and 18 percent of reported incidents respectively.

Incident reporting is slightly below the pace for FY 2014.

ICS-CERT and DHS remained concerned, though, about the lower percentage of incidents reported directly by asset owners, the Monitor report said. Just over one-quarter of the incidents reported to ICS-CERT are coming directly from owners and operators, while federal partners, researchers, and open source media are the primary sources of reported incidents. In several cases, internal DHS analysis of data obtained through its partnerships in the cyber security community helped to uncover new incidents.

While reporting incidents to ICS-CERT is voluntary, the government entity encourages critical infrastructure stakeholders to contact it for assistance in responding to a malicious cyber event.

“We offer many services that are provided at no cost and will assist your organization in determining the depth of an intrusion as well as developing strategies for clean-up and recovery,” ICS-CERT officials said. “The reported information is kept confidential and protected from disclosure under the PCII Act. Your information is extremely useful for understanding the current threats facing critical infrastructure and developing defense strategies that can benefit others in reducing cyber risks to our nation.”

As of the mid-year report, spear-phishing continues to be a frequently used method of attack, since it is relatively easy to execute and remains effective.

Organizations should continue to emphasize, through training and awareness programs, the importance of not opening links in emails from unknown entities. Weak authentication intrusions are often related to a lack of network segmentation and of strong logon requirements for the control system environment. Once an intruder has penetrated the corporate network, they are often able to move laterally into the control system environment if strong authentication requirements are not in place.

Network scanning and SQL injection attempts also remain popular as threat actors look for opportunities to exploit security vulnerabilities in web applications, the Monitor report said. Asset owners should ensure their network defensive measures address the weaknesses exploitable via these intrusion techniques.