Infrastructure protection
Sharp increase in cyberattacks on U.S. critical infrastructure

Published 3 July 2012

The number of reported cyberattacks on U.S. critical infrastructure increased sharply – from 9 incidents in 2009 to 198 in 2011; water sector-specific incidents, when added to the incidents which affected several sectors, accounted for more than half of the incidents; in more than half of the most serious cases, implementing best practices such as login limitation or a properly configured firewall would have deterred the attack, reduced the time it would have taken to detect an attack, and minimized its impact

2012 saw a marked increase in cyberattacks against ICSs // Source: radio.gov.pk

A new report from the U.S. Industrial Control System Cyber Emergency Response Team (ICS-CERT) says that there has been a sharp increase in attacks on U.S. critical infrastructure between 2009 and 2011. The number of critical infrastructure incident reports ICS-CERT handled:

  • 2009: 9 incident reports
  • 2010: 41 incident reports
  • 2011: 198 incident reports

Dark Matter reports that of those 198, seven resulted in the deployment of onsite incident response teams from ICS-CERT, and twenty-one of the other incidents involved remote analysis efforts by the Advanced Analytics Lab.

The report notes that water sector-specific incidents, when added to the incidents which affected several sectors, accounted for more than half of the incidents. The report attributes this to the larger number of Internet-facing control system devices reported by independent researchers.

Kim Legelis, vice president of marketing at Industrial Defender, told Dark Matter that the magnitude of the increase was surprising. “While those of us close to critical infrastructure cyber security were aware of the escalating nature of the threat landscape, the level that this report validates was more severe than expected…. In addition, the report provides a baseline to compare future reports and incidents to in the future.”

Despite the sharp increase in the number of attacks, the report states: “No intrusions were identified directly into control system networks. However, given the flat and interconnected nature of many of these organization’s networks, threat actors, once they have gained a presence, have the potential to move laterally into other portions of the network, including the control system, where they could compromise critical infrastructure operations.”

The report says that in the seventeen onsite assessments ICS-CERT officials had to perform during the 2009-11 period – that is, in the seventeen most serious incidents – implementing best practices such as login limitation or a properly configured firewall would have deterred the attack, reduced the time it would have taken to detect an attack, and minimized its impact.
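The two best practices the report names, login limitation and a properly configured firewall, as an added example that is not part of the article or of the ICS-CERT report: a lockout check run over constructed authentication log lines, and a default-deny zone policy that stops corporate hosts from reaching the control-system zone directly, which is the flat-network lateral-movement path the report warns about. The host names, addresses, zone ranges and allowed ports are constructed assumptions, not values from the report.

```python
"""Added example (not from the ICS-CERT report or the article): login
limitation and a default-deny zone firewall as small, checkable functions.
All log lines, addresses and zones below are constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed, syslog-like SSH auth lines for a hypothetical HMI host.
# 203.0.113.7 guesses five passwords in a few seconds and then gets one right;
# 192.0.2.10 is an operator who mistypes once and logs in later.
SAMPLE_AUTH_LOG = """\
2011-06-01T10:00:01 hmi-01 sshd: Failed password for operator from 203.0.113.7
2011-06-01T10:00:03 hmi-01 sshd: Failed password for operator from 203.0.113.7
2011-06-01T10:00:04 hmi-01 sshd: Failed password for admin from 203.0.113.7
2011-06-01T10:00:06 hmi-01 sshd: Failed password for root from 203.0.113.7
2011-06-01T10:00:07 hmi-01 sshd: Failed password for root from 203.0.113.7
2011-06-01T10:00:09 hmi-01 sshd: Accepted password for root from 203.0.113.7
2011-06-01T10:05:00 hmi-01 sshd: Failed password for operator from 192.0.2.10
2011-06-01T10:30:00 hmi-01 sshd: Accepted password for operator from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(\S+) \S+ sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def login_limiter(log_text, max_failures=5, window=timedelta(minutes=1),
                  lockout=timedelta(minutes=15)):
    """Replay auth lines through a per-source lockout policy.

    After max_failures failed logins within `window`, the source is locked
    for `lockout`; any attempt during the lockout (even one the server would
    have accepted) is reported as blocked. Returns blocked attempts, accepted
    logins that passed the policy, and the lockout expiry per source."""
    failures = defaultdict(deque)   # source -> recent failure timestamps
    locked_until = {}               # source -> datetime lockout expiry
    blocked, accepted = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # ignore lines that are not auth events
        ts_s, outcome, user, src = m.groups()
        ts = datetime.fromisoformat(ts_s)
        if src in locked_until and ts < locked_until[src]:
            blocked.append((src, user, ts_s))
            continue
        if outcome == "Failed":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside window
                q.popleft()
            if len(q) >= max_failures:
                locked_until[src] = ts + lockout
                q.clear()
        else:
            accepted.append((src, user, ts_s))
    return {
        "blocked": blocked,
        "accepted": accepted,
        "locked_until": {s: t.isoformat() for s, t in locked_until.items()},
    }


# Constructed network zones (assumed ranges) for the firewall policy.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("10.30.0.0/24"),
}

# Explicit allowlist of (source zone, destination zone, destination port);
# every other flow is denied, so "corporate -> control" has no direct path.
# 443: corporate users reach the DMZ historian web UI; 502: the DMZ
# historian polls controllers over Modbus/TCP.
RULES = {
    ("corporate", "dmz", 443),
    ("dmz", "control", 502),
}


def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"


def flow_allowed(src_ip, dst_ip, dst_port):
    """Default-deny decision for a single flow against the zone allowlist."""
    return (zone_of(src_ip), zone_of(dst_ip), dst_port) in RULES


if __name__ == "__main__":
    print(login_limiter(SAMPLE_AUTH_LOG))
    for flow in [("10.10.5.5", "10.30.0.9", 502), ("10.20.0.3", "10.30.0.9", 502),
                 ("10.10.5.5", "10.20.0.3", 443), ("203.0.113.7", "10.30.0.9", 22)]:
        print(flow, "ALLOW" if flow_allowed(*flow) else "DENY")
```

Replaying the constructed log, the fifth failure from 203.0.113.7 at 10:00:07 triggers a fifteen-minute lockout, so the "Accepted" login two seconds later is blocked by the policy rather than granted; the operator from 192.0.2.10 is unaffected. The zone policy answers the report's lateral-movement concern the same way: a compromised corporate host gets no route into the control zone because no rule allows it, while the one sanctioned DMZ-to-control flow still works.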

“Risk management and assessment is still an art, not a science,” Lamar Bailey, director of security research and development at nCircle, told Dark Matter. “We need a lot more collaboration between IT and security organizations to dramatically improve the accuracy of risk assessments.”

— Read more in ICS-CERT Incident Response Summary Report