Boom in cyber attacks on critical infrastructure reported in the US

ICS-CERT blames insecure remote access platform for water sector attacks

Cyber attacks on critical infrastructure in the US have rocketed over the past three years, according to a new report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

ICS-CERT, which is part of the Department of Homeland Security, received just nine incident reports in 2009, but that number leapt to 41 in 2010 and 198 in 2011.

"In 2011, ICS-CERT received 198 reports of incidents. Of those 198, seven resulted in the deployment of onsite incident response teams [and] an additional 21 incidents involved analysis efforts by the AAL [Advanced Analytics Lab] to identify malware and techniques used by the threat actors," stated the report.

It added: "Incidents specific to the water sector, when added to those that impacted multiple sectors, accounted for over half of the incidents due to a large number of internet-facing control system devices reported by independent researchers."

The report highlighted insecurities in an unnamed remote access software package as the cause of many attacks in the water industry in particular. "Many of those internet-facing control systems employed a remote access platform from the same vendor, configured with an unsecure authentication mechanism," it said.

It is not only the number of attacks that has mushroomed, but also the range of targets, with chemical, nuclear, communications and even transport facilities facing attack in 2011. Emails carrying malware attachments or links to compromised websites remain a common attack vector, highlighting the need for user education.

"Once compromised, attackers often map out networks in order to perform a variety of functions, including stealing credentials, 'exfiltrating' sensitive information, such as financial, research or operational data, and establishing multiple footholds to maintain persistent presence for future operations."

The report highlights a number of concerted attacks on US infrastructure in recent years, including the Night Dragon attacks, which were first publicly reported in February 2010. These targeted global oil, energy and petrochemical companies. "Hackers moved deliberately through the victims' networks, trolling for sensitive data and intellectual property."

The Nitro attacks, also highlighted by the report, targeted companies involved in research and development of chemical compounds and materials. "Reports indicated that the attackers gathered data from across the victim networks and moved it to internal staging servers to make data exfiltration more efficient."

In the US, legislation mandating minimum cyber security standards for critical infrastructure is already going through Congress. In the UK, similar measures are also under consideration.