Of 257 cyber incidents reported by asset owners or trusted partners to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in 2013, an overwhelming 56% occurred in the energy sector, exceeding all incidents reported in other sectors combined.
Notably, ICS-CERT last year responded to a “major cyber intrusion campaign” from an “emerging threat actor” that targeted 40 critical infrastructure organizations, a majority of which were in the energy sector, the organization says in a recent report.
The rise in reported incidents from the energy sector could be attributed to an increase in awareness and reporting, ICS-CERT says. Yet many more incidents likely occurred and were either not voluntarily reported or not detected at all because of insufficient detection or logging capabilities, ICS-CERT says.
The majority of the 257 incidents reported in 2013 (see infographic) by asset owners or trusted partners to ICS-CERT were initially detected in business networks, and include unauthorized access to Internet-facing devices, scanning and probing of publicly accessible assets, malware transfer via removable media, exploitation of software/hardware vulnerabilities, and spear-phishing attacks.
“Common motivations include data exfiltration of intellectual property, reconnaissance and industrial espionage, economic sabotage, and positioning for possible future exploitation or attack activity,” ICS-CERT says.
The report also describes a recently developed capability for assessing control system network traffic, called “Network Architecture Verification and Validation (NAVV).” Performed in November 2013 at a nuclear power plant as an extension of a scheduled network architecture review, the NAVV tool captured more than 60 GB of network traffic from the plant’s isolated network and identified where that traffic was attempting to connect to devices or external addresses. “Fortunately the security devices denied the connections,” ICS-CERT said.
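The check the NAVV capture performed, working out which hosts on an isolated control network tried to reach addresses outside it and whether the boundary devices blocked them, can be reproduced over ordinary flow or firewall records. The script below is an added example, not ICS-CERT’s NAVV tool; the record format, the 10.20.0.0/16 address range and the sample flows are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed assumption: the address space of the isolated control network.
ISOLATED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample records in a simple "src dst port action" format.
SAMPLE_FLOWS = """\
10.20.1.15 10.20.1.20 502 ALLOW
10.20.1.15 203.0.113.7 443 DENY
10.20.3.9 198.51.100.22 80 DENY
10.20.3.9 10.20.1.20 502 ALLOW
10.20.7.41 192.0.2.10 53 ALLOW
"""

def is_internal(addr):
    """True if the address belongs to the isolated network's range(s)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ISOLATED_NETS)

def parse_flows(text):
    """Parse records into (src, dst, port, action) tuples; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, action = parts
        flows.append((src, dst, int(port), action.upper()))
    return flows

def external_attempts(flows):
    """Group every connection that left the isolated address space by source,
    separating attempts the boundary blocked from those it let through."""
    report = defaultdict(lambda: {"denied": [], "allowed": []})
    for src, dst, port, action in flows:
        if is_internal(src) and not is_internal(dst):
            key = "denied" if action == "DENY" else "allowed"
            report[src][key].append((dst, port))
    return dict(report)

def boundary_leaks(report):
    """Sources whose external attempts were NOT blocked: the findings that need
    follow-up, since denied attempts show the boundary devices doing their job."""
    return sorted(src for src, r in report.items() if r["allowed"])

if __name__ == "__main__":
    rep = external_attempts(parse_flows(SAMPLE_FLOWS))
    for src, r in sorted(rep.items()):
        print(src, "denied:", r["denied"], "allowed:", r["allowed"])
    print("external connections not blocked:", boundary_leaks(rep))
```

In the constructed sample, two hosts are blocked as the report describes, while one host’s DNS connection to an outside address gets through and is the only item the script flags.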
ICS-CERT urged asset owners to “remain vigilant of today’s cyber threats in an ever evolving landscape” and to report incidents so that they can be shared (anonymized) for greater awareness.
—Sonal Patel, associate editor (@POWERmagazine, @sonalcpatel)