The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) was formally inaugurated in November 2009 as a means of enhancing government collaboration with companies that control critical components of national infrastructure, including energy grids, water treatment facilities and nuclear plants. The organization recently released a comprehensive review of its first 26 months in operation, revealing a sharp rise in the number of reported incidents over that period.
According to the ICS-CERT report, four incidents were reported during the final two months of 2009, two of which required the deployment of on-site response teams. One involved a municipal water treatment plant where investigators found no evidence of malicious activity; the other ended with a similar finding. Both facilities were nonetheless given a list of recommended steps for improving their network security posture.
In 2010, ICS-CERT received reports of 41 confirmed cyberattacks from critical infrastructure asset owners, eight of which required on-site visits. Four of the incidents involved successful spear phishing campaigns that led to the exfiltration of limited but sensitive data. Perhaps the most serious case, however, centered on a nuclear facility in which traces of the Mariposa botnet were discovered.
The following year may have been the clearest indicator of evolving cybercriminal priorities, as 198 confirmed attacks were reported to ICS-CERT in 2011. Luckily, just seven of these incidents merited deployment of on-site response teams. However, two took place within government facilities, with one event resulting in the temporary loss of backup power.
Despite these concerning details, officials recognize the significance of the conversation that ICS-CERT has started.
"Incident response is an essential part of cybersecurity. DHS has made a consistent effort to work with public- and private-sector partners to develop trusted relationships and help asset owners and operators establish policies and controls that prevent incidents," DHS spokesman Peter Boogaard told CNN. "The number of incidents reported to DHS' ICS-CERT has increased partly due to this increased communication."
After comparing the 17 incidents that required on-site interventions, ICS-CERT security analysts discovered some notable commonalities. Spear phishing was the most common initial attack vector, with seven cases triggered by malicious links or attachments in employee emails. Additionally, 11 of the 17 attacks were attributed to what officials categorized as "sophisticated threat actors" capable of several advanced techniques.
Unfortunately, the victims' defenses were often weak enough that attackers may not have needed their most advanced capabilities.
"In 12 of 17 cases, implementation of security recommended practices, such as login limitations and segmenting networks with properly configured firewalls, could have deterred the attack, significantly reduced the time to detect the attack or at least reduced the impact of the incident," the report stated.
Room for improvement
Not surprisingly, ICS-CERT investigators pointed to threat detection as the most important layer of defense and suggested much progress was needed in this area. In five of the 17 most serious cases, asset owners first learned of the anomalies from external organizations or third-party service providers rather than from their own monitoring. Additionally, 10 organizations could likely have avoided or limited the compromise by employing "ingress/egress filtering" of IP addresses or domain names that were already known to be malicious.
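To make the egress-filtering recommendation concrete, the following is an added example (not code from the ICS-CERT report or from Trend Micro) that checks outbound connections recorded in a proxy log against a list of known-bad domains and IP ranges. The indicator values, the simplified log format and the log lines are all constructed for illustration; a real deployment would load indicators from a threat-intelligence feed and either enforce the match at the firewall or proxy (ingress/egress filtering) or alert on it (detection). Domain matching is done on a dotted suffix rather than a plain substring so that an unrelated host whose name merely contains a listed domain is not flagged.

```python
"""Egress filtering of known-malicious destinations over sample proxy log lines.

Added example; indicators and log lines are constructed and hypothetical.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed indicator list (hypothetical values, not real threat intelligence).
BAD_DOMAINS = {"update-check.example.net", "cdn-stats.example.org"}
BAD_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Constructed log lines in a simplified proxy format:
#   timestamp client_ip dest_host dest_ip action
# A dest_host of "-" means the client connected to an IP without a name lookup.
SAMPLE_LOG = """\
2011-09-01T08:01:12Z 10.20.1.15 www.vendor-portal.example.com 192.0.2.10 ALLOW
2011-09-01T08:02:40Z 10.20.1.15 update-check.example.net 203.0.113.44 ALLOW
2011-09-01T08:03:05Z 10.20.5.9 mail.example.com 192.0.2.25 ALLOW
2011-09-01T08:05:51Z 10.20.1.15 - 198.51.100.7 ALLOW
2011-09-01T08:07:13Z 10.20.3.2 files.cdn-stats.example.org 192.0.2.77 ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


@dataclass
class Hit:
    timestamp: str
    client: str
    dest_host: str
    dest_ip: str
    reason: str


def domain_matches(host: str) -> bool:
    """True if host equals a listed domain or is a subdomain of one.

    Uses a dotted-suffix comparison, so "notupdate-check.example.net"
    does not match "update-check.example.net".
    """
    if host == "-":
        return False
    host = host.rstrip(".").lower()
    return any(host == bad or host.endswith("." + bad) for bad in BAD_DOMAINS)


def ip_matches(ip_text: str) -> bool:
    """True if the destination IP falls inside any listed network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an IP literal; treat as no match
    return any(ip in net for net in BAD_NETWORKS)


def scan_log(text: str) -> List[Hit]:
    """Return one Hit per log line whose destination matches an indicator."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole scan
        ts, client, host, ip, _action = m.groups()
        reasons = []
        if domain_matches(host):
            reasons.append(f"domain:{host}")
        if ip_matches(ip):
            reasons.append(f"ip:{ip}")
        if reasons:
            hits.append(Hit(ts, client, host, ip, ";".join(reasons)))
    return hits


def hosts_to_isolate(hits: List[Hit]) -> List[str]:
    """Internal clients that reached a listed destination, for containment."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.timestamp} {h.client} -> {h.dest_host} ({h.dest_ip}) [{h.reason}]")
    print("isolate:", hosts_to_isolate(scan_log(SAMPLE_LOG)))
```

Every flagged line in the constructed log carries an ALLOW action, which is the situation the report describes: the traffic was permitted because nothing compared destinations against known-bad indicators. The same matching logic placed in front of the proxy turns the ALLOW into a block; run retrospectively over logs, it gives the internal detection that five of the 17 organizations lacked.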
To bring prevention, detection and response performance up to par, the report's authors advised utility managers to allocate their attention equally across people, processes and technologies. While there is no substitute for the latest tools and mechanisms, an informed workforce may be the most valuable asset, considering that rank-and-file employees are often the trigger for data security lapses or the first target of phishing lures.
Security News from SimplySecurity.com by Trend Micro