Infrastructure protection

DHS: Industrial control systems subject to 200 attacks in 2012

Published 14 January 2013

A DHS report released last week revealed that industrial control systems, which are used to monitor and control critical infrastructure facilities, were hit with 198 documented cyberattacks in 2012, and that many of these attacks were serious.

Forty percent of those attacks were on energy firms, according to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which reviewed every incident. Water utilities came in second, with 15 percent of the attacks focused on them.

Some of the incidents were caused by security researchers using the Sentient Hyper-Optimized Data Access Network (SHODAN), a regularly updated directory of ports, to find exposed industrial control systems, but the majority were serious breaches, the report stated.

EWeek reports that SHODAN responded to more than twenty attacks on oil and natural gas firms and discovered that sensitive information on the supervisory control and data acquisition (SCADA) systems was accessed by the attackers.

“Analysis of the targeted systems indicated that information pertaining to the ICS/SCADA environment, including data that could facilitate remote unauthorized operations, was exfiltrated,” the report stated.

Researchers and security professionals have focused for nearly a decade now on threats and attacks on industrial control systems and infrastructure, but little has been done to protect these systems. Last year researchers concluded that systems using SCADA were still vulnerable to an attack, and in November, security firms found almost fifty vulnerabilities in SCADA products.

EWeek notes that such vulnerabilities seem to be commonplace. ICS-CERT, along with fifty-five industrial control system makers, reported 171 vulnerabilities. Products including hard-coded passwords accounted for seven of the security issues, the ICS-CERT report stated.

ICS-CERT has pushed suppliers to fix holes in their security as fast as possible in order to publish the details of a security breach forty-five days after notifying the supplier that their system has been breached.

Suppliers were not the only ones to expose security issues. One researcher who used the SHODAN search engine in order to find Internet-accessible industrial control systems discovered about 20,000 systems which could be accessed through the Internet.

“A large portion of the Internet facing devices belonged to state and local government organizations, while others were based in foreign countries,” the ICS-CERT report stated. “(We) worked with partners as well as 63 foreign CERTs in the effort to notify the identified control system owners and operators that their control systems/devices were exposed on the Internet.”

— Read more in Malware Infections in the Control Environment (ICS-CERT, December 2012)