Showing posts with label News roundup. Show all posts

Tuesday, October 13, 2015

September news roundup: Exploring the threats to critical infrastructure

September was marked by ongoing exploration and discussion of the very real threats to U.S. critical infrastructure. From successful cyberattacks against U.S. Department of Energy computer systems to a malicious phishing scheme targeting IT workers at critical infrastructure companies, these are the industrial security stories that captured our attention.

U.S. Critical Infrastructure under Cyberattack (Network World, Sept. 29, 2015)
Recent research from ESG reveals that 68 percent of U.S. critical infrastructure organizations have experienced one or several security incidents within the past two years. And 67 percent believe the threat landscape is more dangerous and getting worse than it was two years ago, leading some experts to predict a “cyber Pearl Harbor” in our future.

Cyber Risk Isn’t Always in the Computer (Wall Street Journal, Sept. 24, 2015)
When people think about industrial control systems, they don’t often consider equipment such as backup generators, thermostats and air conditioners, but they should. These components support data-center networks, and due to decades-old technology and communication standards, they are vulnerable to cyberattacks that could take down an entire operation.

The power grid faces a host of threats, according to witnesses speaking to the House Committee on Science, Space and Technology’s oversight and energy subcommittees. Ranging from natural to physical to cyber, threats to the grid could result in a catastrophic outage, and this possibility should encourage the industry to address vulnerabilities with all possible haste.

Serving a harsh wake-up call to critical infrastructure companies everywhere, USAToday learned there were 159 cyberattacks that compromised U.S. Department of Energy (DOE) computer systems from 2010 to 2014. Records show that DOE components reported 1,131 total cyberattacks in a 48-month period ending in October 2014, demonstrating a consistent and alarming onslaught of attacks, as well as numerous security vulnerabilities within the department’s cyber defense strategies.

The Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team reported the use of a malicious phishing scheme targeting IT workers at critical infrastructure companies. Considered the first stage of a cyberattack, phishing emails are intended to target a critical infrastructure operator’s business network, and from there, its control systems.

For more cybersecurity news, check out last month’s news roundup.


Tuesday, May 12, 2015

April news roundup: The results are in…

Critical infrastructure security was a major topic among analyst firms and researchers in April. If you didn’t stay up to date with the findings throughout the month, we prepared a brief recap for you. Included are findings from Dell’s survey on cybersecurity and a report by the Organization of American States. Read more in this month’s news roundup.

Hacks on critical infrastructure are more common than you think (The Inquirer - April 7, 2015)
In a recent report, the Organization of American States found that hackers commonly seek to destroy major critical infrastructures. The report shows that 54 percent of the 575 companies polled encountered attempts to manipulate control systems. Even more troublesome is that 60 percent of the companies detected attempts to steal data.

Cyberattacks on SCADA and industry double in 2014, says Dell (Fox News – April 8, 2015)
Analysis from Dell’s intelligence network shows attacks against SCADA systems have doubled in the last few years. These attacks on industrial systems can cause more damage than traditional hacking because of the risks they pose to critical infrastructures. Of the attacks that Dell investigated, most were against Finland, the U.K. and the U.S. since industrial control systems are commonly used in these countries. Dell also noticed a rise in point-of-sales malware and attacks on payment infrastructure, leading to some of the highest-profile breaches in history.

Are you prepared? This year's fastest growing security threats (Business News Daily - April 14, 2015)
In a more detailed article about the Dell study, Business News Daily offers some key insights from the results. Attacks against SCADA systems are the third largest security threat that businesses should be planning for in 2015. These attacks often go unreported, and when combined with the U.S.’s aging infrastructure, they present huge security risks.

The U.S.’s energy infrastructure will need major changes, says Obama report (Washington Post – April 21, 2015)
According to a recent report released by the Obama administration, the U.S. electric grid will require major changes to adapt to future national security challenges. The report comes in the wake of new developments to the grid system, increased threats from hackers and climate extremes, among other developments.


Protect cybersecurity spending to avoid attacks on energy infrastructure (Newsweek - April 27, 2015)
According to analysts, defense budget cuts have left the U.K. open to cyberattacks. Ewan Lawson, senior military research fellow at the Royal United Services Institute, recommends increasing budgets for cybersecurity to prevent attacks on energy infrastructure. He also points to the German steel mill attack, which caused massive damage to the plant control system. An additional report by cybersecurity firm Cylance Corporation shows Iranian actors have hacked into critical infrastructures in the U.K., France, Germany and the U.S.

Did you miss March’s critical infrastructure security news? Check it out in last month’s industrial security news roundup.

Thursday, April 9, 2015

March news roundup: Hacks to industrial control systems continue

In case you weren’t able to keep up on this month’s critical infrastructure security news, below is a recap for you. As you’ll see, hacks to industrial control systems are increasing and there was no shortage of them in this month’s news, including attacks on a South Korean nuclear power plant and a possible threat to U.S. airports and air traffic control centers. Read more in March’s news roundup:

North Korea 'Hacked' South Korean Nuclear Power Plant Operator
South Korea blamed North Korea for hacking and stealing data from one of its nuclear power plants. Blueprints of South Korean plants were posted on Twitter from an IP address located in North Korea. The attacks in question took place in December, shortly after the hack on Sony Pictures. Investigators, however, have found that South Korea’s nuclear plant management was not compromised and no critical data was leaked.

US industrial control systems attacked 245 times in 12 months
In an ICS-CERT report, it was proven that U.S. industrial control systems encountered cyberattacks more than 245 times in the last year. The report, which covered the 2014 fiscal year, included all cyberattacks received and responded to by ICS-CERT. Fifty-five percent of these attacks showed signs of advanced persistent threats. Also, it should be noted that the energy sector accounted for 79 of the 245 attacks.

Kaspersky: ‘A very bad incident’ awaits critical infrastructure
According to Eugene Kaspersky, founder of Kaspersky Lab, cyberterrorism is a looming threat to power grids, water supply systems and other critical infrastructure. The threats against critical infrastructure are increasing and hackers are learning more techniques from the exposure of these attacks. Kaspersky suggests international cooperation between security services may help defend against these attacks.

Cyberspace Conflict Growing More Destructive, NSA’s Chief Says
According to NSA chief Rogers, there is a possibility that potential adversaries intentionally left evidence of an ICS hack in order to send a message to the U.S. that it is at risk of a destructive attack. To address the increasing risk of cyberattacks against U.S. organizations, Cyber Command is creating teams to defend military networks and assist commanders with a goal of having 6,200 personnel to operate in the next two years.

Your Next Flight Could Be Hit By a Cyber Attack
The National Airspace System, which is responsible for controlling U.S. airports and air traffic control centers, is at risk for cyberattacks. According to a new report from the Government Accountability Office, hackers now have the capability to disrupt air traffic control operations. This report also made 17 public recommendations, including provisions to the training of cybersecurity employees.


Do you want to read more industrial security news? Check out last month’s news round up here.

Monday, February 9, 2015

January news roundup: Increasing awareness of threats to the power grid






The need for stronger critical infrastructure cybersecurity continues to become more evident. Attacks on U.S. and U.K. electric industries continue to increase, and governments are becoming more aware of these problems. President Obama touched on cybersecurity in his State of the Union address, urging Congress to pass legislation that will better protect the nation from attackers. However, his proposals focus more heavily on data breach legislation, leaving ample room for improvement when it comes to ICS and SCADA security. Read about these evolving news stories and more in January’s news roundup:

President Obama’s State of the Union address in January hinted at his plans to work on cybersecurity issues. In what is being considered his “21st century agenda,” Obama includes increasing cybersecurity, as well as investing in security of physical infrastructures. Earlier this month, Obama released a series of proposals to address cyber-related problems. He included in this a plan to enhance government cybersecurity efforts. In his State of the Union address, Obama simply urged Congress to pass the appropriate legislation to prevent cyberattacks. With these plans, he is only scratching the surface of critical infrastructure security.

The growing skills of hackers are challenging security of the electric utility industry. While the energy sector is strengthening its levels of protection, it was the target of 40 percent of cyberattacks in 2013. According to security analysts, the hackers behind these attacks are seeking to inflict serious damage on the energy sector. U.S. officials are warning the industry that the electric grid is quite vulnerable to attacks.

The Government Accountability Office issued a report claiming that the United States Department of Homeland Security (DHS) is not paying enough attention to potential cyberrisks to building and access control systems in federal facilities. The report stated that the DHS has not been addressing risks at nearly 9,000 federal facilities, and that “DHS lacks a strategy that: (1) defines the problem, (2) identifies the roles and responsibilities, (3) analyzes the resources needed and (4) identifies a methodology for assessing this cyberrisk.” The DHS claims that it has not yet created a strategy to deal with this because this issue is slowly emerging.

Parliament member James Arbuthnot made comments that the U.K.’s power grid is under constant attack from computer hackers. “Our National Grid is coming under cyberattack not just day by day, but minute by minute,” said Arbuthnot. These comments came very soon after the German steel mill attack. However, cybersecurity experts have responded by saying that the energy sector is a common target of attacks. Arbuthnot added that it is the responsibility of individual companies to make sure they have the proper protection.

Want to read more industry news? Check out our December news round up.    

Tuesday, January 13, 2015

December news roundup: Critical infrastructure cyberattacks overshadowed by Sony data breach




In what was one of the biggest cybersecurity stories of 2014, Sony Pictures fell victim to a major data breach in which terabytes of information were stolen and then slowly leaked to the public over the course of weeks. The ensuing scandal over embarrassing executive emails and the revelation that North Korea may have been the culprit, spurring fears of cyberwar, dominated the December headlines. It overshadowed other important industrial cybersecurity stories with implications for the state of the industry as we head into 2015. These stories included the disclosure of a cyberattack against a German steel mill that caused massive damage to a blast furnace, and the discovery of a computer worm that was removed from devices connected to industrial control system (ICS) networks at a South Korean nuclear operator. Read about these developing stories and more in this month’s news roundup:

The German Federal Office for Information Security (BSI) disclosed in its annual report a cyberattack against a steel mill blast furnace, causing massive physical damage. Hackers were able to infiltrate the plant by stealing the credentials of employees that had access to control system networks. This is a major cyberevent, and serves as a wake-up call for the evolving capabilities of modern-day adversaries as it is one of the best examples of how a cyberattack can be a threat to safety and reliability.

When investigating a non-critical data breach from earlier in the month, a South Korean nuclear facility discovered a computer worm on certain devices that were connected to control system networks. While no control systems were compromised by the virus, it underscores the security concerns of IT corporate networks with critical OT networks. Any control system network connected directly or indirectly to the internet must have security defenses in place to ensure the continued safety and reliability of protected systems.

In what would surely require a re-write of industrial cybersecurity history, Bloomberg reported that a cyberattack was behind a Turkish oil pipeline fire in 2008. If the report is accurate, then the incident took place two years before the infamous Stuxnet worm damaged centrifuges at an Iranian nuclear facility. The Turkish oil pipeline event would be one of the earliest-known examples of a high-impact cyberattack on critical infrastructures. For the world, it’s just another reason why cybersecurity is just as important as physical security.

Iranian hacker activity has picked up around the globe, compromising computer networks, government agencies and critical infrastructure sites in the U.S. in a campaign called “Operation Cleaver.” While Iranian hackers are nothing new, the story offers evidence that the threats out there are real and they need to be taken seriously. With new recruits coming in daily, our adversaries and their capabilities keep getting stronger. Critical infrastructures need to keep strengthening their defenses as well, including the latest best practice, stronger-than-firewall protections, to stay one step ahead.

Want to read more industry news? Check out our November news roundup

Tuesday, December 9, 2014

November news roundup: Turbulent times for the U.S. power grid






The vulnerability of U.S. critical infrastructure to a state-sponsored attack was confirmed this past month, as the director of the NSA, Michael Rogers, reported that China has the capability to cause damage to the nation’s power grid. Rogers’ concern held a lot of weight, since it came after CERT’s discovery that in the fiscal year of 2014, hackers targeted the U.S. power grid up to 79 times. Similar to Rogers’ warning about China, CERT believes reconnaissance was the motivation for these attacks, where hackers plant malware within industrial control systems in order to gather information for more sophisticated attacks later. The worry for CERT and the NSA lies in what these hackers are capable of, underscoring the need for utilities to deploy stronger-than-firewall cybersecurity alternatives to ensure the safety and reliability of critical control system networks. Read about these developing stories and more in this month’s news roundup:

In arguably the month’s biggest news story, the director of the NSA and head of U.S. Cyber Command, Admiral Michael Rogers, publicly confirmed that China and “one or two other countries” have the capabilities to launch a cyberattack that would effectively shut down the United States electric grid. Rogers claimed that U.S. adversaries are already performing reconnaissance operations throughout U.S. critical infrastructure, making an attack that would harm these pre-infected industrial control systems a real possibility. Because most of these cyberthreats are likely state- and government-sponsored, Rogers says that the next step in preparation will be determining how to classify an act of war.

The latest security vulnerability to critical infrastructure comes in the form of three defects that were discovered within products manufactured by Advantech, an industrial technology developer. The three vulnerabilities include an OS command injection, a stack-based buffer overflow and a buffer overflow. Advantech has indicated that it will not fix two of the vulnerabilities. A fix has been issued for the third, but only in the latest release of Advantech software, and the fix does not work if an earlier installation is upgraded to the latest release without first erasing the device. This report highlights the continued problem of a “soft interior” in most control system networks, a problem that is often addressed with strong network cyber and physical perimeter protections.

Throughout the 2014 fiscal year, U.S. energy companies were the targets of 79 hacking incidents, reports CERT. Although this represents an overall decrease from last year’s number of 145, the fact remains that the grid is constantly under the threat of an attack. These hacks were not aimed at immediately disrupting or taking over operation systems, but there is concern that this malware gives the attackers a backdoor to grid systems where they could insert harmful programs in the future.

The Department of Homeland Security and ICS-CERT identified the Russian Trojan horse, BlackEnergy, as a threat to U.S. critical infrastructure. BlackEnergy was initially discovered within software existent amongst oil and gas pipelines, water systems and power grids, covering the spectrum of most U.S. critical industries. Consisting of the same strain of malware developed by the Russian cyberespionage group, Sandworm, investigators are almost certain that BlackEnergy can be traced back to the same group.

Check out our October news roundup for even more industrial security news.

Monday, November 3, 2014

October news roundup: Are we ready for cyberwarfare?




The rising likelihood of cyberwarfare has been a prominent topic over the last couple of weeks in industrial cybersecurity press. The reports that politically-motivated hackers have no reservations when it comes to launching large-scale cyberattacks against a nation’s critical infrastructure did not mesh well with the news that most industrial control systems are understaffed and underprepared for the possibility of cyberwarfare. Attacks have become increasingly sophisticated, and hackers are determined to get around common firewall defenses through whichever means possible. Overall, this makes the ensured protection of our critical infrastructure all the more important. Here are some recent reports on the topic:

The lack of cyberattacks that have been directed at industrial control systems (ICS) in the past has made them extremely susceptible to future attacks, according to SC Magazine’s correspondent at the Stockholm International Summit on Security in ICS. Because control systems aren’t under attack from advanced threats, such as malware, nearly as much as large enterprises are, the likelihood of a successful hacking attempt is troublingly high. According to the article, there’s little incentive among critical infrastructure security professionals to fix a crisis that hasn’t occurred yet.

The motives behind hacker groups Dragonfly and Energetic Bear may have been misinterpreted all along, according to a new report from Dark Reading. The article claims that compromised companies were not from the critical energy sector, but rather suppliers for OEMs that served pharma and biotech. Dragonfly’s malware concentrated on uploading malicious code into systems that would reflect real-world ICS configurations. The targeted companies’ “trojanized” computers were connected to industrial control system utilities and drivers.

Stewart Baker, a former general counsel for the NSA, warns the industry that organizations have no reservations toward using cyberweaponry as a means to gain power on the international stage. This suggests that the future of international disputes will be settled on a digital battlefield, with the primary target being critical infrastructure, an area where knowledgeable political hackers know they can do a lot of damage.

Security professionals have discovered that Sandworm, a hacking organization with links to Russian cyberespionage, is likely going after industrial SCADA systems that use products from GE Intelligent Platforms by way of malware. Researchers from Trend Micro claimed that the hackers used files that run through the application, CIMPLICITY, in order to gain closer access to the programs that run in conjunction with SCADA systems.

Peter Behr and Blake Sobczak look at how a large number of basic vulnerabilities affecting power grids, factories and pipelines have gone largely unaddressed. This is a result of the sensors and remote controllers that play a huge role in transferring vital data throughout ICS being built without cybersecurity in mind. Thus, critical infrastructure is left with a gaping flaw in security by the design of the systems themselves.

Want to read more? See what we had to say about cyberwarfare earlier this year.