Energy Industry Top Attack Choice

Monday, July 1, 2013 @ 06:07 PM gHale


Over 50 percent of the 200 cyber incidents reported by critical infrastructure operators to the ICS-CERT between October of last year and May of this year came from the energy sector.

In all, over 75 percent of the incidents reported focused on the manufacturing automation sector.


The victim organizations were hit mostly by watering hole attacks, SQL injection, and spear phishing. In fiscal 2012 alone, 198 cyber incidents were reported to ICS-CERT, 41 percent of which came from the energy industry. Advanced persistent threat (APT)-type attacks, as well as sophisticated and common malware, were the top threats, ICS-CERT said in its ICS-CERT Monitor report for the second quarter of 2013.

Among the recent incidents handled by ICS-CERT was a brute-force attack campaign against a gas compressor station operator that went on to target other critical infrastructure operators. ICS-CERT said the gas compressor station owner reported on Feb. 22 a jump in brute-force attempts against its process control networks. The campaign, which began in January and subsided in early March, did not result in any actual breaches, according to ICS-CERT.

ICS-CERT posted an alert on its secure portal about the attacks on the gas compressor plant, along with 10 IP addresses used in the attacks.

“That alert elicited additional reports from critical infrastructure owners who, using the indicators in the alert, had discovered similar brute force attempts to compromise their networks. Those new reports yielded 39 new IP addresses, which ICS-CERT included in an update to the original alert (also posted on the secure portal),” ICS-CERT said in its report.

Gas compressor stations in the Midwest and Plains region were the main targets of the attempted attacks, ICS-CERT said, but there were also attacks against critical infrastructure business networks. “While none of the brute force attempts were successful, these incidents highlight the need for constant vigilance on the part of industry asset owners and operators. The ability to detect anomalous network activity and network intrusions early in an incident greatly increases the chance of a successful mitigation and resolution,” the ICS-CERT report said.
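The early-detection capability ICS-CERT calls for above, as an added example that is not part of the ICS-CERT report or this article: a small Python detector run over constructed auth-log lines that flags sources exceeding a failed-login threshold inside a sliding window, and separately flags sources that match indicator IPs of the kind the alert shared. The log format, hostnames and all IP addresses (documentation ranges) are constructed for illustration.

```python
"""Flag brute-force login attempts against a process-control host from auth logs.

Added example: sliding-window failed-login counting plus a match against an
indicator list. All log lines and addresses are constructed, not real data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style sample; 203.0.113.7 hammers the host, 198.51.100.5 is
# a single attempt from an address that appears in the (placeholder) alert list.
SAMPLE_LOG = """\
2013-02-22T03:10:01 hmi01 sshd[411]: Failed password for operator from 203.0.113.7
2013-02-22T03:10:03 hmi01 sshd[411]: Failed password for operator from 203.0.113.7
2013-02-22T03:10:04 hmi01 sshd[411]: Failed password for admin from 203.0.113.7
2013-02-22T03:10:06 hmi01 sshd[411]: Failed password for root from 203.0.113.7
2013-02-22T03:10:07 hmi01 sshd[411]: Failed password for admin from 203.0.113.7
2013-02-22T03:15:00 hmi01 sshd[412]: Accepted password for operator from 192.0.2.10
2013-02-22T03:40:00 hmi01 sshd[413]: Failed password for admin from 198.51.100.5
2013-02-22T03:41:00 hmi01 sshd[414]: Failed password for admin from 192.0.2.10
"""

# Placeholder standing in for the indicator IPs an ICS-CERT alert would share.
ALERT_INDICATORS = {"198.51.100.5"}

FAIL_RE = re.compile(r"^(?P<ts>\S+) \S+ \S+ Failed password for \S+ from (?P<ip>\S+)$")
ANY_RE = re.compile(r"password for \S+ from (?P<ip>\S+)$")  # failed or accepted


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return source IPs with >= threshold failed logins inside any `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    flagged = set()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines do not count here
        ts = datetime.fromisoformat(m.group("ts"))
        q = recent[m.group("ip")]
        q.append(ts)
        while q and ts - q[0] > window:  # evict failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(m.group("ip"))
    return flagged


def match_indicators(log_text, indicators):
    """Return source IPs seen in the log (any outcome) that are on the indicator list."""
    seen = {m.group("ip") for m in map(ANY_RE.search, log_text.splitlines()) if m}
    return seen & set(indicators)
```

The two checks are complementary: the threshold catches the noisy campaign before an indicator list exists, while the indicator match catches the single quiet attempt that a threshold alone would miss.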

While energy firms represented 53 percent of the 200 cyber incidents reported to ICS-CERT from October 2012 to May 2013, 17 percent of the reports came from the manufacturing sector.

Most of the incident response ICS-CERT conducts occurs remotely, analyzing malware, logs, hard drives, emails and other attack artifacts. ICS-CERT went on-site for five incidents in the first half of FY 2013 to investigate sophisticated attacks in the energy and critical manufacturing industries. “All of the onsite incident response engagements involved sophisticated threat actors who had successfully compromised and gained access to business networks,” ICS-CERT said in its report.

In many of the on-site cases, ICS-CERT team analysis was inconclusive because the ICS networks didn’t have sufficient logging and forensics data. “While onsite, ICS-CERT analysts examined networks and artifacts to determine if ICS networks were also compromised. Unfortunately, in many cases that analysis was inconclusive because of limited or non-existent logging and forensics data from the ICS network,” the report said.
