US ICS-CERT releases data on industrial cyber-attacks

Friday, 20 March, 2015

The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has revealed that US industrial control systems were hit by cyber-attacks at least 245 times over a 12-month period. The figure was included in a report by ICS-CERT, which operates within the National Cybersecurity and Communications Integration Center (NCCIC), a part of the Department of Homeland Security. The report covers the period between 1 October 2013 and 30 September 2014.

“ICS-CERT received and responded to 245 incidents reported by asset owners and industry partners,” the report said.

The energy sector accounted for the most incidents at 79, but perhaps the more alarming figure is that 65 incidents concerned cyber infiltration of the manufacturers of ICS hardware.

“The ICS vendor community may be a target for sophisticated threat actors for a variety of reasons, including economic espionage and reconnaissance,” the report said.

“Of the total number of incidents reported to ICS-CERT, roughly 55% involved advanced persistent threats (APT) or sophisticated actors. Other actor types included hacktivists, insider threats and criminals. In many cases, the threat actors were unknown due to a lack of attributional data.”

Incidents reported by sector.

ICS-CERT did say, however, that some of its work during the period related to intrusions involving the Havex and Black Energy malware, both of which came to light during 2014.

“ICS-CERT has provided on-site and remote assistance to various critical infrastructure companies to perform forensic analysis of their control systems and conduct a deep dive analysis into Havex and Black Energy malware,” it said.

ICS-CERT also acknowledged that many other incidents during the period almost certainly went unreported.

“The 245 incidents are only what was reported to ICS-CERT, either by the asset owner or through relationships with trusted third-party agencies and researchers. Many more incidents occur in critical infrastructure that go unreported,” the report said.

Incidents reported by access vector.

The range of methods observed in attempts to gain access was wide, including but not limited to:

  • Malware infections within air-gapped control system networks
  • SQL injection via exploitation of web application vulnerabilities
  • Network scanning and probing
  • Lateral movement between network zones
  • Targeted spear-phishing campaigns
  • Strategic website compromises (watering hole attacks)

The majority of incidents were categorised as having an ‘unknown’ access vector. In these instances, the organisation was confirmed to be compromised but forensic evidence did not point to a method used for intrusion because of a lack of detection and monitoring capabilities within the compromised network.
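The report's point is that an intrusion is labelled "unknown" when the victim network has no monitoring that could distinguish one access vector from another. The following is an added example, not code from ICS-CERT or the report: a small detection pass over a handful of constructed network log lines (the log format, IP addresses, zone names and thresholds are all assumptions made for the example) that flags three of the vectors listed above, namely network scanning, lateral movement between network zones and SQL injection against a web application.

```python
"""Toy detection pass over constructed ICS network logs (added example).

Flags three access vectors from the ICS-CERT list: network scanning,
lateral movement between network zones, and SQL injection. The log
format and all sample data below are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log (not real traffic). One connection per line:
#   <epoch> <src_ip> <src_zone> <dst_ip> <dst_zone> <dst_port> [<http_request>]
SAMPLE_LOG = """\
1000 10.1.5.20 corporate 10.1.5.50 corporate 443
1001 10.1.5.20 corporate 10.1.5.50 corporate 443 GET /portal?user=bob
1002 10.1.5.77 corporate 10.1.5.50 corporate 443 GET /login?user=admin'%20OR%20'1'='1
1003 192.168.10.9 control 192.168.10.12 control 502
1004 10.1.5.33 corporate 192.168.10.12 control 502
1005 10.1.5.33 corporate 192.168.10.12 control 44818
1006 10.1.5.33 corporate 192.168.10.12 control 102
1007 10.1.5.33 corporate 192.168.10.12 control 20000
1008 10.1.5.33 corporate 192.168.10.12 control 4840
1009 10.1.5.33 corporate 192.168.10.12 control 22
1010 10.1.5.33 corporate 192.168.10.12 control 23
1011 10.1.5.33 corporate 192.168.10.12 control 80
1012 10.1.5.33 corporate 192.168.10.12 control 135
1013 10.1.5.33 corporate 192.168.10.12 control 445
1014 192.168.10.9 control 192.168.10.13 control 502
"""

# Assumed tuning values; a real deployment would derive these from a baseline.
SCAN_TARGET_THRESHOLD = 8   # distinct host:port targets from one source ...
SCAN_WINDOW_SECONDS = 60    # ... within this many seconds counts as scanning
# Assumed zone policy: only the DMZ may talk to the control zone.
ALLOWED_ZONE_CROSSINGS = {("dmz", "control"), ("control", "dmz"),
                          ("corporate", "dmz"), ("dmz", "corporate")}
# Crude SQL injection signatures applied to URL-decoded requests.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+", re.IGNORECASE),   # ' OR '1'='1 style
    re.compile(r"union\s+(all\s+)?select", re.IGNORECASE),
    re.compile(r"(--|/\*)"),                          # comment-out remainder
]


def parse_line(line):
    """Parse one log line into a dict, or return None if malformed."""
    parts = line.split(maxsplit=6)
    if len(parts) < 6:
        return None
    return {"ts": int(parts[0]), "src": parts[1], "src_zone": parts[2],
            "dst": parts[3], "dst_zone": parts[4], "dport": int(parts[5]),
            "request": parts[6] if len(parts) == 7 else ""}


def detect_sqli(records):
    """Flag web requests whose decoded form matches an injection signature."""
    findings = []
    for r in records:
        decoded = unquote(r["request"])
        if decoded and any(p.search(decoded) for p in SQLI_PATTERNS):
            findings.append({"vector": "SQL injection", "src": r["src"],
                             "evidence": decoded})
    return findings


def detect_zone_crossing(records):
    """Flag connections that cross zones outside the allowed policy."""
    findings, seen = [], set()
    for r in records:
        pair = (r["src_zone"], r["dst_zone"])
        if pair[0] == pair[1] or pair in ALLOWED_ZONE_CROSSINGS:
            continue
        if (r["src"], r["dst_zone"]) in seen:   # report each source once
            continue
        seen.add((r["src"], r["dst_zone"]))
        findings.append({"vector": "lateral movement", "src": r["src"],
                         "evidence": f"{pair[0]} -> {pair[1]} ({r['dst']}:{r['dport']})"})
    return findings


def detect_scanning(records):
    """Flag a source that touches many distinct targets in a sliding window."""
    findings = []
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append((r["ts"], r["dst"], r["dport"]))
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > SCAN_WINDOW_SECONDS:
                start += 1                       # slide the window forward
            targets = {(d, p) for _, d, p in events[start:end + 1]}
            if len(targets) >= SCAN_TARGET_THRESHOLD:
                findings.append({"vector": "network scanning", "src": src,
                                 "evidence": f"{len(targets)} targets in {SCAN_WINDOW_SECONDS}s"})
                break
    return findings


def analyse(log_text):
    """Run all detectors over a log and return the combined findings."""
    records = [rec for rec in map(parse_line, log_text.splitlines()) if rec]
    return detect_sqli(records) + detect_zone_crossing(records) + detect_scanning(records)


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['vector']:18} {f['src']:14} {f['evidence']}")
```

Against the constructed log, the pass attributes three distinct vectors to two hosts: a corporate workstation sweeping control-zone ports while also crossing the corporate/control boundary, and a second host probing the login page with a quoted OR clause. Without the zone and port fields in the log, the first two detectors have nothing to work with, which is the monitoring gap the report describes.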

In the same period, ICS-CERT received 159 reports involving vulnerabilities in control systems components and coordinated them with researchers and vendors both in the United States and internationally. The majority of these vulnerabilities involved systems most commonly used in the energy sector, followed by critical manufacturing and water and wastewater. Authentication, buffer overflow and denial-of-service vulnerabilities were the most common vulnerability types discovered.
