Infrastructure protectionU.S. power and water utilities face daily cyberattacks

Published 6 April 2012

American water and energy companies deal with a constant barrage of cyberattacks on a daily basis; these incidents usually take the form of cyber espionage or denial-of-service attacks against the utilities’ industrial-control systems

American water and energy companies deal with a constant barrage of cyberattacks on a daily basis. These incidents usually take the form of cyber espionage or denial-of-service attacks against the utilities’ industrial-control systems, according to a panel from DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT).

ICS-based networks are used to control water, chemical, and energy systems, and members of the ICS-CERT teams, based at DHS in Washington, D.C., will fly out across the nation to investigate incidents that they learn about.

Though ICS-CERT typically does not name the utilities involved, this week they provided a bleak assessment of the vulnerability of America’s utilities.

In a panel at the GovSec conference which was held in Washington, D.C. this week, Sanaz Browarny, chief, intelligence and analysis, control systems security program at DHS said that “On a daily basis, the U.S. is being targeted” — as she presented statistics from on-site trips the ICS-CERT’s response team took last year, mostly to private sector utilities.

Of the seventeen trips she spoke about, seven appeared to originate as spear-phishing attacks by e-mail against utility personnel.

As explains, spear-phishing attacks are generally not initiated by an ordinary hacker, but are targeted attacks perpetrated by someone seeking either financial gain, or for espionage purposes, such as obtaining trade secrets or military intelligence.

As with regular phishing expeditions, spear-phishing e-mail messages appear to come from a trusted source, such as a large, well-known company or Web site with a broad consumer or member base. Spear-phishing messages, on the other hand, are more likely to appear as originating form someone within the target’s own organization, generally someone in a position of authority.

National Security Agency expert and West Point instructor Aaron Ferguson calls it the “colonel effect.”

As an illustration, Ferguson sent e-mail messages to 500 cadets, asking them to click on a link to verify their grades. The message appeared to come from a Colonel Robert Melville of West Point, and the result was that over 80 percent of the recipients clicked on the link.

Networkworld.comreports that Browarny went on to say that eleven of seventeen incidents were what she called “sophisticated,” an indicating a well-organized attacker. She went on to say that in twelve of the seventeen incidents she discussed, DHS believes that if the target companies had practiced the most fundamental network security practices for corporate and industrial control systems, they would likely have detected or blocked the attack.

One of the basic problems discovered in the incident analyses is that the target companies, in most cases, are attempting to continue using older equipment, some of it  not previously connected to the Internet, in order to maximize their investment in the hardware. Frequently, the vendor no longer supports the equipment, meaning that no patches or updates are installed, and the vulnerabilities remain.

ICS-CERT works with outside security contractors willing to share their findings about the IC systems, of which there are only a handful, such as GE and Siemens. Siemens produced the ICS that was the target of last year’s Stuxnet attack against suspected Iranian uranium enrichment program facilities.

American energy, chemical, and water utilities tend to use the same thing, a fact that makes the work of an attacker easier.

Browarny points out that there are essentially three types of attackers. First is the garden-variety hacker, out for the thrill of accessing a believed secure system. Second is the daily assault of viruses, worms, and botnet attacks.

Third, and most concerning, is the nation-state attackers, who are well-funded and most often seek to establish a covert presence on a network in order to obtain sensitive information.

She also made a point indicating that the hacktivist collective Anonymous seem to have taken an interest in ICS lately, and that is a threat to be taken seriously. Anonymous has been successful in a number of high-profile attacks, and would most likely be highly effective against the systems in place in American utility companies.

Panel member Baird McNaught, ICS-CERT operations lead at the Idaho National Lab, revealed that “We’ve seen a couple of denial-of-service attacks that have impacted operations.” He also pointed out there is evidence that attackers are even resident on the control systems. “Most of attacks are centered around data exfiltration when they’re stealing information for the control systems.”

Browarny pointed out that utilities tend to do the bare minimum to comply with NERC or NIST requirements, but that is insufficient. She also offered some simple advice, such as not to accept USB flash drives at conferences, or from some other sources, since ISC-CERT has found evidence that such drives contain malware designed to steal data.