In Fiscal Year 2014, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) received and responded to 245 incidents reported by asset owners and industry partners.
ICS-CERT’s continuing partnership with the Energy Sector provides many opportunities to share information and collaborate on incident response efforts.
Also noteworthy in 2014 were the incidents reported by the Critical Manufacturing Sector, some of which were from control systems equipment manufacturers.
The ICS vendor community may be a target for sophisticated threat actors for a variety of reasons, including economic espionage and reconnaissance.
Of the total number of incidents reported to ICS-CERT, roughly 55 percent involved advanced persistent threats (APT) or sophisticated actors.
Other actor types included hacktivists, insider threats, and criminals. In many cases, the threat actors were unknown due to a lack of attributional data.
FY 2014 incidents reported by sector (245 total).
The scope of incidents encompassed a vast range of threats and observed methods for attempting to gain access to both business and control systems infrastructure, including but not limited to the following:
- Unauthorized access to, and exploitation of, Internet-facing ICS/Supervisory Control and Data Acquisition (SCADA) devices
- Exploitation of zero-day vulnerabilities in control system devices and software
- Malware infections within air-gapped control system networks
- SQL injection via exploitation of web application vulnerabilities
- Network scanning and probing
- Lateral movement between network zones
- Targeted spear-phishing campaigns
- Strategic website compromises (a.k.a. watering hole attacks).
The majority of incidents were categorized as having an “unknown” access vector. In these instances, the organization was confirmed to be compromised; however, forensic evidence did not point to a method used for intrusion because of a lack of detection and monitoring capabilities within the compromised network.
FY 2014 incidents reported by access vector (245 total).
The 245 incidents are only what was reported to ICS-CERT, either by the asset owner or through relationships with trusted third-party agencies and researchers.
Many more incidents that occur in critical infrastructure go unreported. ICS-CERT continues to encourage asset owners to report malicious activity affecting their environment even when assistance is not needed or requested.
When you report an incident, ICS-CERT can provide situational awareness information about similar or related incidents and share data on the threat actor's tactics and techniques.
ICS-CERT will also provide incident response services at the asset owner’s request. All sensitive or proprietary information reported to ICS-CERT is protected from disclosure under the Protected Critical Infrastructure Information (PCII) program.
PCII disclosed to ICS-CERT is handled confidentially while it is analyzed and compared with other current threat activity.
Once analysis is complete, ICS-CERT will provide the reporting entity with the latest strategies for detecting compromises and improving its defensive posture.
[Courtesy The Department of Homeland Security. Read the full report.]