Cyber attacks against Industrial Control Systems pose a risk to power plants and other critical infrastructure - and action is needed to ensure nations stay safe, the EU’s cyber security agency ENISA said today.
ENISA suggested that collecting and using information from such attacks was key to fighting them - with a white paper pointing to a lack of scientific studies about such attacks, and a “culture gap” between IT and operations staff.
“ICS are widely used to control industrial processes for manufacturing, production and distribution of products. Often commercial, outdated off-the-shelf software is used,” ENISA warns. “Security experts across the world continue to sound the alarm bells about the security of Industrial Control Systems (ICS). Industrial Control Systems look more and more like consumer PCs. They are used everywhere and involve a considerable amount of software, often outdated and unpatched.”
Power plants in the U.S. have been widely targeted with cyber attacks, including brute force attacks and sophisticated spear-phishing attacks. We Live Security’s reports can be found here
A phishing expert from trainers PhishMe said last week that all attackers needed was one “lucky” spear-phishing email to “black out” energy companies.
ENISA recommended that companies need to analyze such attacks to speed up response to cyber attacks against industrial systems.
The researchers recommend, “Complementing the existing skills base with ex-post analysis expertise and understanding overlaps between cyber and physical critical incident response teams. Facilitating the integration of cyber and physical response processes with a greater understanding of where digital evidence may be found and what the appropriate actions to preserve it would be.”
Executive Director of ENISA Professor Udo Helmbrecht said: “SCADA systems are often embedded in sectors that are part of a nation’s critical infrastructure, for example power distribution and transportation control, which makes them an increasingly attractive potential target for cyber attacks, ranging from disgruntled insiders and dissident groups, to foreign states.”
“Such systems should be operated in a manner which allows for the collection and analysis of digital evidence to identify what happened during a security breach.”
In ESET's 2013 malware forecast, Senior Research Fellow David Harley predicted that attacks against ICS would increase.
Cybercriminals targeted U.S. energy companies with a wave of brute force cyber attacks earlier this year, according to the Industrial Control Systems Emergency Response Team (ICS-CERT).
A series of attacks were directed against companies operating gas compressor stations in the U.S. in February and March this year.
“While none of the brute force attempts were successful, these incidents highlight the need for constant vigilance on the part of industry,” ICS-CERT said in its newsletter.
“ The ability to detect anomalous network activity and network intrusions early in an incident greatly increases the chance of a successful mitigation and resolution.”
The organization says it has responded to more than 100 incidents targeting the energy sector between October 2012 and May 2013.
“The majority of these incidents involved attacker techniques such as watering hole attacks, SQL injection, and spear-phishing attacks. In all cases, ICS-CERT evaluates the information available to determine if successful compromise has occurred, the depth and breadth of the compromise, and the potential consequences to critical infrastructure networks.”
A Congressional survey of electrical utilities earlier this year found that companies faced up to 10,000 attacks per month. Out of 53 companies surveyed, more than a dozen described attacks on their systems as “daily” or “constant”. One company complained of being under a “constant state of ‘attack’ from malware and entities seeking to gain access to internal systems.”
This April, a spear-phishing attack which targeted an American electrical company was documented in this month’s Monitor report from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).