17 March 2015

DHS ICS-CERT MONITOR report reveals that most critical infrastructure attacks involve APTs, but organizations lack monitoring capabilities.

The DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued its new ICS-CERT MONITOR report, covering the period September 2014 – February 2015. The ICS-CERT MONITOR report

According to the report, ICS-CERT received and responded to 245 incidents in Fiscal Year 2014, and more than half of the incidents reported by asset owners and industry partners involved sophisticated APT actors. ICS/SCADA systems were also targeted by other categories of threat actors, including cyber criminals, insiders and hacktivists.

“Of the total number of incidents reported to ICS-CERT, roughly 55 percent involved advanced persistent threats (APT) or sophisticated actors. Other actor types included hacktivists, insider threats, and criminals. In many cases, the threat actors were unknown due to a lack of attributional data.” states the report.

Broken down by sector, the majority of the incidents involved entities in the Energy Sector, followed by Critical Manufacturing. About 30 percent of the incidents hit infrastructure in the energy sector, while Critical Manufacturing (i.e. manufacturing of vehicles and of aviation and aerospace components) accounted for 27 percent.

The threat actors also used a significant number of zero-day vulnerabilities to compromise industrial control systems, in several cases through the exploitation of web application flaws.

The most common classes of flaws exploited by attackers were authentication weaknesses, buffer overflows, and denial-of-service conditions.

“Noteworthy among ICS-CERT’s activities included the multi-vendor coordination that was conducted for the “Heartbleed” OpenSSL vulnerability. The team worked with the ICS vendor community to release multiple advisories, in addition to conducting briefings and webinars in an effort to raise awareness of the vulnerability and the mitigation strategies for preventing exploitation,” states the ICS-CERT report, describing the coordination activities the agency carried out to address the principal vulnerabilities.


The ICS-CERT MONITOR report confirmed that attackers used a vast range of methods in attempting to compromise control systems infrastructure; the breakdown of access vectors is given in the report itself.

The principal problem for the experts who analyzed the attacks against critical infrastructure is the difficulty of attributing them to specific threat actors. In many cases these attacks stay under the radar for long periods because of the sophistication of the Tactics, Techniques, and Procedures (TTPs) involved.

For 38 percent of the reported incidents, the victims were unable to identify either the threat actors or the attack vector the intruders exploited.

“Many more incidents occur in critical infrastructure that go unreported,” states the ICS-CERT MONITOR report. In the cases where the vector could not be determined, “forensic evidence did not point to a method used for intrusion because of a lack of detection and monitoring capabilities within the compromised network.”

Organizations are encouraged to report any kind of malicious activity; the work of organizations like US ICS-CERT is crucial for prevention and prompt incident response.

Threat intelligence and information sharing are essential to limit the number of incidents. In February, President Obama announced a new Executive Order Promoting Private Sector Cybersecurity Information Sharing, confirming the cyber strategy of the US Government.

“All sensitive or proprietary information reported to ICS-CERT is protected from disclosure under the Protected Critical Infrastructure Information (PCII) program,” the report adds.

Pierluigi Paganini