The Department of Homeland Security's Industrial Control Systems Computer Emergency Readiness Team (ICS-CERT), issued a report last week documenting how the number of cyber threats involving protected critical infrastructure control systems has skyrocketed over the past two years, from 9 reported incidents in 2009 to 198 in 2011. The report, which summarizes and offers intriguing but vague details on cyber incidents and onsite investigations it has been involved with since the founding of ICS-CERT in 2009, concludes that most of the organizations to which ICS-CERT responded over the time period "were not prepared with adequate detection techniques."
In fact, the report notes that in 3 of the 17 onsite visits it made, the asset owners had to be notified by outside parties that an intrusion had taken place at their facilities. In two additional cases, the cyber incident had been discovered by a hired third party, an outside consultant or integrator.
The failure by these asset owners (which could be energy -- utilities or oil and gas companies, for example -- water, nuclear, government or cross-sector organizations) to put into place adequate cyber detection programs is crucial because, as the report notes, "properly developed and implemented detection methods are the best strategy to quickly identify intrusions and implement mitigation and recovery procedures."
The protection methods needed appear to be simple ones. The report says that "ten organizations could have detected the intrusion by using ingress/egress filtering of known bad IP addresses or domain names."
Another simple cyber security risk mitigation technique, keeping external thumb drives away from protected control systems, popped up in the report regarding an intrusion that took place on the enterprise network of an unnamed nuclear sector organizations. In that situation, which required an onsite visit from the ICS-CERT team, an employee uploaded from a USB drive onto the organization's computer presentations from an industry event.
The drive was infected by the Mariposa botnet, a piece of malware used in cyberscamming and denial of service attacks. The virus ultimately infected 100 computers on the network. (Interestingly, the instructor involved in that particular industry event refused to give ICS-CERT the names of the event's attendees or their companies so that DHS could follow up, vowing to instead contact the attendees himself or herself. "Unfortunately, ICS-CERT was not able to verify if the companies were ever contacted and to what extent they may have been impacted.")
The report is also notable for documenting the first verified instance of a U.S. control system being infected with the Stuxnet virus, a cyber weapon said to be developed by the U.S. to interfere with Iran's nuclear program. Although the report offers few details about this Stuxnet infection, it does say a critical manufacturing facility was involved.
ICS-CERT deployed an incident response and analysis team to a critical manufacturing facility infected with the Stuxnet malware. ICS-CERT deployed a team of analysts to the facility and confirmed the presence of Stuxnet on all their engineering workstations as well as several other machines connected to their manufacturing control systems network.