Think Information. Think Security.
Over the past half day, a report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) stating that cyber incidents jumped from 41 in 2010, to a stunning 198 in 2011, has sent industry watchers into a frenzy. What could cause such a massive rise? Putting those figures into perspective, only 9 incidents were reported in 2009, the year that ICS-CERT was established.

From 9, to 41, to 198 is quite the growth curve. However, the simple numbers don’t tell the whole story. Another helpful figure is the percentage of those incidents that required the ICS-CERT team to go onsite to deal with an incident. In 2011: 7. That’s down from 2010′s 8 onsites.

The Advanced Analytics Lab (AAL) did involve itself in a total of 21 cases helping to provide analysis of the incident. It’s hard to not wonder if part of the large rise in incidents is not due to a massive growth of total attacks, but is in fact partially drive by better reporting and detection.

In the last year, of the 198 incidents some 41% involved the water sector. When incidents that included multiple infrastructure genres are totaled, the water sector was part of more than half. Why is that the case? From the ICS-CERT’s reported, the large percentage resulted from

 ”a large number of Internet facing control system devices [...] Many of these Internet facing control systems employed a remote access platform from the same vendor, configured with an unsecure authentication mechanism. ICS-CERT coordinated with the vendor to mitigate the authentication vulnerability and also took on the task of identifying and notifying the affected asset owners. ICS-CERT provided them with details of the risks associated with weak boundary protection practices and assisted with mitigation strategies.” [Bold: TNW]

When that information is taken into account, it’s almost a wonder that there are not more total incidents. From the look of that paragraph, these water sector installations were running insecure software in an lax fashion with little or no plan to handle any sort of problem. It almost feels akin to running a Windows XP system without any sort of malware protection.
Returning to the year as a whole, several of the incidents that led to onsite help were not attacks at all, but instead simple user error and incompetence.
That is 4 of the 7 incidents that generated an onsite visit from the ICS-CERT. Running the risk of sounding flippant, it seems logical that the incidents that appeared the most dangerous, or deliberate, would generate onsite visits. Lesser cases could be managed by the AAL, or simply deferred. Therefore, to have 4 of the 7 be error on the order that is above listed makes the 198 incident figure appear to be a bit stuffed.

Moving on, here are the incidents that are worrisome, and real:

 ICS-CERT analyzed multiple digital artifacts, including three malware samples and detected evidence of a sophisticated threat actor; the point of entry appeared to have been an employee opening a PDF attachment of a spoofed industry-specific newsletter, which contained the malware.

ICS-CERT deployed an incident response team to an electric utility that had been targeted by a broader spear-phishing campaign. ICS-CERT conducted analysis on three suspected malicious PDF files provided by the organization. From this analysis, ICS-CERT determined that two of the PDF files were known malicious and made requests to known malicious domains

Based on the indicators discovered, ICS-CERT concluded that a sophisticated adversary compromised multiple machines and uploaded tools onto the network. Review of the network topology showed that the organization had a flat network and lacked other defensive technologies for a secure system.

In Congress at the moment there is a struggle between two perspectives. One states that mandatory cybersecurity standards should be placed on critical infrastructure. The other view is that any such regulation is unacceptable. Given the findings of this report, you have to wonder if a stiffening of the rules that our water and power system must obey would be such a bad thing.

Cross-posted from: Insider

Leave a Reply.