ICS-CERT: Attacks on Rise

Friday, June 29, 2012 @ 04:06 PM gHale

By Gregory Hale
In an environment where companies are averse to revealing details on whether or not they suffered a cyber incident, a small indicator of the growth in attacks comes from ICS-CERT: nine reported incidents in 2009, 41 in 2010 and 198 last year.

In ICS-CERT’s first year, the organization recorded nine cyber incidents, four of which were actual incidents. Two of those resulted in sending out onsite response teams, while two others ended up treated remotely. Reports came in from the energy, water and dams sectors, as well as cross-sector.


“The ICS-CERT report represents an important metric for cyber security of control systems,” said Kim Legelis, vice president at Industrial Defender. “By reporting a four-fold increase of incidents, the ICS-CERT shines the light on the need for control systems operators to be vigilant with respect to cyber security.”

In 2010, there were 41 incident reports with eight resulting in onsite response teams, while an additional seven incidents involved remote analysis, according to a report issued by ICS-CERT.

The range of industries involved also grew, to include energy, water, dams, nuclear, chemical, government, critical infrastructure and cross-sector.

ICS-CERT received multiple reports of secure shell (SSH) brute force attacks attempting to gain access to critical infrastructure companies that operate industrial control systems (ICS).

These incidents marked an increased awareness of the attack potential and attractiveness of targeting ICS, according to the ICS-CERT report.

Multiple spear-phishing incidents also ended up reported that year. That is important to remember because spear phishing remains a big threat for most companies and organizations.

“One particularly interesting aspect of the report is the noted increase in spear phishing attacks,” Legelis said. “Spear phishing has long been used by attackers in other industries to provide an internal beachhead from which an organization can be infiltrated. Because social engineering attacks rely on the ability to mislead employees into unknowingly providing an entry point for attackers, they make attack prevention extremely difficult. ICS cyber security professionals are relying on alternative methods to combat risks. Many have found logging and security monitoring technologies essential for detection, while advances in white listing can protect critical systems from malware infection and data exfiltration.”

Other threats from 2010 include:
• Mariposa infections in Critical Infrastructure and Key Resources (CIKR). Defense Intelligence identified the Mariposa botnet in May 2009. Although the primary command and control (C2) infrastructure went down in December of that year, ICS-CERT continued to receive malware infection reports into early 2010, at least one of which resulted in an onsite incident response to determine whether the malware had breached the control system network. The operations executed by the botnet were diverse, in part because third parties could rent out parts of the botnet. Confirmed events include denial-of-service attacks, email spam, theft of personal information, and changing the search results a browser would display in order to show advertisements and pop-up ads.
• Stuxnet. Stuxnet, the first ever malware specifically written to target ICS, was discovered in 2010. ICS-CERT analyzed the malware and its impacts to control systems in coordination with various government agencies, law enforcement, industry, and other organizations such as Symantec, Microsoft, CERT Bund, Siemens, and various sector ISACs (i.e., Energy, Chemical, Nuclear, Dams, Water, Transportation).

In 2011, ICS-CERT received 198 reports of incidents. Of those 198, seven resulted in the deployment of onsite incident response teams. An additional 21 incidents involved analysis efforts to identify malware and techniques used by attackers.

In addition, even more sectors were affected that year, with energy, water, dams, nuclear, chemical, government, critical infrastructure, cross-sector, communications, transportation and information technology among those reporting incidents.

Quite a few of the Internet-facing control systems employed a remote access platform from the same vendor, configured with an insecure authentication mechanism. ICS-CERT coordinated with the vendor to mitigate the authentication vulnerability and also took on the task of identifying and notifying the affected asset owners.

In all cases, ICS-CERT works with the reporting organization to help determine whether the control network was compromised and provides guidance to detect and mitigate the activity.

Some examples include:
• ICS-CERT worked with several companies that were part of the Night Dragon attacks, first reported in February 2010, targeting global oil, energy, and petrochemical companies. Hackers moved deliberately through networks, trolling for sensitive data and intellectual property.
• ICS-CERT worked with several organizations impacted by the Nitro attacks, where companies involved in research and development of chemical compounds and materials were the targets of sophisticated attacks. Reports indicated the attackers gathered data from across the victim networks and moved it to internal staging servers to make data exfiltration more efficient.

These incidents highlight the activity of sophisticated threat actors and their ability to gain access to system networks, avoid detection, use advanced techniques to maintain a presence, and exfiltrate data. ICS-CERT also collaborated with the international cyber security community working with over 30 different countries and, in most cases, interfacing directly with the international Computer Emergency Response Teams (CERTs) to coordinate responses and reach out to affected organizations and vendors.
