Incidents Down; APTs on Rise

Wednesday, March 18, 2015 @ 05:03 PM gHale

By Gregory Hale
While reported security incidents are down from last year, the percentage of advanced persistent threats (APTs) hovering over the industry remains ominous.

Security incident reports are down from the previous year, according to analysis just released by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in its quarterly ICS-Monitor bulletin.


In Fiscal Year 2014, ICS-CERT received and responded to 245 incidents reported by asset owners and industry partners, it reported in the bulletin. That number is down from Fiscal Year 2013 which had 257.

While the decline is small, it is interesting to note that, in this era of sophisticated attacks and a push for more cooperation and transparency between government and industry, the number of reported incidents is down.

The report also went on to say the “ICS vendor community may be a target for sophisticated threat actors for a variety of reasons, including economic espionage and reconnaissance. Of the total number of incidents reported to ICS-CERT, roughly 55 percent involved advanced persistent threats (APT) or sophisticated actors.”

“In the report what worried me was also the increase of an APT in the figures (about 55 percent) which might indicate that others have been compromised and as yet do not know it,” said Graham Speake, vice president and chief product architect at NexDefense, Inc.

“As always with these figures there are ‘lies, damned lies, and statistics’ and trying to compare year on year is difficult, if not impossible,” Speake said. “If the trend in advanced threats is growing, then the number and severity of incidents (discovered or not) will increase. An APT today gets added in something like Metasploit tomorrow and then becomes just another point and click tool.”

The Energy Sector led all others again in 2014 with the most reported incidents, 65, although that number is down from the previous year’s 145.

Incidents reported by the Critical Manufacturing Sector totaled 78, some of which were from control systems equipment manufacturers. This year’s number is up from the 38 the previous year.

The scope of incidents encompassed a vast range of threats and observed methods for attempting to gain access to business and control systems infrastructure, the report said, including but not limited to:
• Unauthorized access and exploitation of Internet facing ICS/Supervisory Control and Data Acquisition (SCADA) devices
• Exploitation of Zero Day vulnerabilities in control system devices and software
• Malware infections within air-gapped control system networks
• SQL injection via exploitation of web application vulnerabilities
• Network scanning and probing
• Lateral movement between network zones
• Targeted spear-phishing campaigns
• Strategic web site compromises (a.k.a., watering hole attacks)

The 245 incidents are only those that ended up reported to ICS-CERT, either by the asset owner or through relationships with trusted third-party agencies and researchers. Many more incidents occur in critical infrastructure that never get reported. ICS-CERT is continuing its effort to encourage asset owners to report malicious activity that has had an impact on their organization, even if the company does not need assistance.

Sharing Goes Both Ways
“ICS-CERT has encouraged collaboration but I think most entities are still reticent to share info unless regulation forces them to,” Speake said. “Additionally, companies are starting to invest in security – not in a huge way, but at least in setting up some people trained in security who are more aligned to the OT side of the house. With regulated industries, NERC CIP in particular is ensuring people are trained and security measures in place. This may be preventing some attacks from becoming successful and hence not reported.”

ICS-CERT said in its report it can provide situational awareness information about similar or related incidents and share data regarding the threat actor’s techniques and tactics. ICS-CERT will also provide incident response services at the asset owner’s request. All sensitive or proprietary information reported to ICS-CERT remains protected from disclosure under the Protected Critical Infrastructure Information (PCII) program.

Work needs to happen in the sharing department or there will be a dearth of information coming from either end.

“As an industry we cannot give up on information sharing as it does hold the potential to provide great benefits,” Speake said. “But information sharing does involve sharing information in two directions and ICS-CERT and other agencies often share with some and not others.”
