Over the past half day, a report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) stating that cyber incidents jumped from 41 in 2010, to a stunning 198 in 2011, has sent industry watchers into a frenzy. What could cause such a massive rise? Putting those figures into perspective, only 9 incidents were reported in 2009, the year that ICS-CERT was established.
From 9, to 41, to 198 is quite the growth curve. However, the simple numbers don’t tell the whole story. Another helpful figure is the percentage of those incidents that required the ICS-CERT team to go onsite to deal with an incident. In 2011: 7. That’s down from 2010’s 8 onsites.
The Advanced Analytics Lab (AAL) did involve itself in a total of 21 cases helping to provide analysis of the incident. It’s hard to not wonder if part of the large rise in incidents is not due to a massive growth of total attacks, but is in fact partially drive by better reporting and detection.
In the last year, of the 198 incidents some 41% involved the water sector. When incidents that included multiple infrastructure genres are totaled, the water sector was part of more than half. Why is that the case? From the ICS-CERT’s reported, the large percentage resulted from
“a large number of Internet facing control system devices […] Many of these Internet facing control systems employed a remote access platform from the same vendor, configured with an unsecure authentication mechanism. ICS-CERT coordinated with the vendor to mitigate the authentication vulnerability and also took on the task of identifying and notifying the affected asset owners. ICS-CERT provided them with details of the risks associated with weak boundary protection practices and assisted with mitigation strategies.” [Bold: TNW]
When that information is taken into account, it’s almost a wonder that there are not more total incidents. From the look of that paragraph, these water sector installations were running insecure software in an lax fashion with little or no plan to handle any sort of problem. It almost feels akin to running a Windows XP system without any sort of malware protection.
Returning to the year as a whole, several of the incidents that led to onsite help were not attacks at all, but instead simple user error and incompetence. I quote:
The ICS-CERT incident response team performed throughout analysis of the infected host and of the associated malware. Analysis concluded that an infection of the remote terminal server had occurred and that the infection was non-targeted and consistent with crimeware, not a sophisticated threat.
The ICS-CERT incident response team performed a security assessment of the government facility’s control systems network and collected log files and other digital artifacts for further analysis. ICS-CERT confirmed through analysis that there was no evidence of a cyber incident that resulted in the malfunction of the PLC and the resultant impact to non-vital services.
A government organization requested support from the ICS-CERT to investigate suspicious cyber activity involving their internally-managed building management control systems. ICS-CERT provided on-site support and conducted analysis detected no evidence of malicious cyber activity.
Initial reporting indicated that a pump had failed as result of changes made in the control systems environment. ICS-CERT conducted analysis and interviews with the organization (and their support contractors) and determined that the unauthorized login was in fact an authorized user logging into the control system while on personal business in a foreign country for legitimate business purposes.
That is 4 of the 7 incidents that generated an onsite visit from the ICS-CERT. Running the risk of sounding flippant, it seems logical that the incidents that appeared the most dangerous, or deliberate, would generate onsite visits. Lesser cases could be managed by the AAL, or simply deferred. Therefore, to have 4 of the 7 be error on the order that is above listed makes the 198 incident figure appear to be a bit stuffed.
Moving on, here are the incidents that are worrisome, and real:
ICS-CERT analyzed multiple digital artifacts, including three malware samples and detected evidence of a sophisticated threat actor; the point of entry appeared to have been an employee opening a PDF attachment of a spoofed industry-specific newsletter, which contained the malware.
ICS-CERT deployed an incident response team to an electric utility that had been targeted by a broader spear-phishing campaign. ICS-CERT conducted analysis on three suspected malicious PDF files provided by the organization. From this analysis, ICS-CERT determined that two of the PDF files were known malicious and made requests to known malicious domains
Based on the indicators discovered, ICS-CERT concluded that a sophisticated adversary compromised multiple machines and uploaded tools onto the network. Review of the network topology showed that the organization had a flat network and lacked other defensive technologies for a secure system.
Read that last paragraph again – it details a real issue, from an actual threat that worked because completely insufficient security systems were in place. That’s perhaps the most worrisome element of this report, the gross incompetence of infrastructure elements to keep their doors closed and their digital hatches battened.
In Congress at the moment there is a struggle between two perspectives. One states that mandatory cybersecurity standards should be placed on critical infrastructure. The other view is that any such regulation is unacceptable. Given the findings of this report, you have to wonder if a stiffening of the rules that our water and power system must obey would be such a bad thing.
Top Image Credit: fhemerick