The attackers attempted to gain access to process control networks

Jun 29, 2013 07:43 GMT

Critical infrastructure continues to be targeted by cybercriminals. According to the US Industrial Control Systems Cyber Emergency Response Team’s (ICS-CERT) latest report, over 200 cyber security incidents have been reported across all critical infrastructure sectors in the first half of fiscal year 2013.

Of these attacks, 53% targeted the energy sector, followed by the manufacturing sector, which reported 17% of the incidents.

Watering hole attacks, SQL Injection, and spear phishing were the most common techniques utilized by the attackers.

As an example, ICS-CERT highlights one February attack against a gas compressor station. The attackers reportedly attempted to access the company’s process control network by launching brute-force attacks.

After being notified of the attack, ICS-CERT posted 10 IP addresses on the US-CERT secure portal to warn other critical infrastructure asset owners to watch out for similar malicious activity.

Shortly after, other critical infrastructure owners started reporting similar incidents and a total of 39 new malicious IP addresses were identified.

None of the attempts was successful, but the incidents highlight the need for constant vigilance, ICS-CERT warns.

Lila Kee, North American Energy Standards Board member and GlobalSign chief product and marketing officer, stresses that critical infrastructure operators need to prepare themselves for such targeted attacks.

“The recent report by the DHS ICS-CERT is further proof that malicious actors see the energy sector as a target that is ripe with opportunity and one that is still quite susceptible to being exploited,” Kee told Softpedia in a mailed statement.

“The report notes that the first half of 2013 yielded 200 brute-force cyberattacks, surpassing 2012’s total of 198 attacks. Although attacks on major gas and electric systems are nothing new to those in the industry, these facts serve as evidence that low-level criminals, all the way up to state-sponsored groups, see the value in compromising our nation’s critical infrastructure,” she added.

“This is no longer just speculative noise that causes fear, uncertainty and doubt (FUD),” Kee said.

“The documented frequency and intensity of these attacks tells us that we have entered a new era that requires the energy sector, and every other CNI owner, to follow US-CERT recommendations and report cyber incidents quickly, as secure information sharing is a key method in responding to cyber attacks.

“Although the North American Energy Standards Board has done a fantastic job by drafting and recommending security standards, it is necessary that the critical infrastructure as a whole implement these standards to best apply preventative measures that prepare for the ever-increasing number and methods of targeted attacks.”

Tommy Stiansen, CTO and co-founder of Norse – a Silicon Valley startup providing live intelligence on attack IPs that customers use to defend against attacks before they do damage – believes that the answer to the challenge lies in live intelligence.

“While it certainly isn’t a surprise that energy sector players are under attack from malicious IPs, what is shocking is the assumption that there are only 49 IPs that critical infrastructure providers need to be concerned with,” Stiansen told us.

“The Norse Live Threat Intelligence Platform, which continuously gathers global cyberattack information, interacts with over 100 million malicious and high risk IP addresses each day. Based on attack patterns and targets we observe, there are thousands, or even tens of thousands that this industry needs to worry about,” he noted.

“Unfortunately, neither the government, nor the victims, are prepared to respond to the onslaught of attacks happening right now. The fact that these IP addresses have now been publicized means the cybercriminals will invariably change them before these organizations are able to react,” the expert explained.

“Today cybercriminals can change the launch points of their attacks so easily that these types of static IP blocklists are ineffective. Live intelligence is really the only effective solution for IP-based threat blocking.”