Cyber incident reports skyrocket over three-year period

The number of cybersecurity incidents involving potential attacks on critical infrastructure increased by more than 2,000 percent between 2009 and 2011, according to a new report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

In 2009, ICS-CERT, which is part of the Homeland Security Department, received nine incident reports; that number jumped to 41 in 2010 and 198 in 2011.

In 2009 and 2010, the energy sector was the target of the most incidents, accounting for a third of all reports in 2009 and for 44 percent in 2010. In 2011, water utilities saw 41 percent of the incidents reported to ICS-CERT, and attacks on multiple sectors made up 25 percent.

“Incidents specific to the water sector, when added to those that impacted multiple sectors, accounted for over half of the [2011] incidents due to a large number of Internet-facing control system devices reported by independent researchers,” the report noted.

Not all reports were actually cyber attacks, and only a handful of reported incidents required on-site response from ICS-CERT. In 2009, four of the nine reports required in-person assistance. In 2011, seven of the 198 reports called for on-site help, while 21 were handled with remote analysis by the Advanced Analytics Lab, as Dark Reading reported.

In some cases – including those involving Internet-facing control systems – ICS-CERT coordinated with a vendor providing a number of the systems’ platforms to mitigate vulnerabilities and identify and alert those affected.

A large number of incidents involved “sophisticated and targeted spear-phishing campaigns” that opened the door to theft and further network infiltration, according to the report.

“In all cases, ICS-CERT works with reporting organizations to help determine if the control network was compromised and provides mitigations to detect and mitigate the activity,” the report noted, citing as examples the organization’s assistance in responding to the Night Dragon and Nitro attacks.

After the most serious reported incidents, in which ICS-CERT responded in person, the main goals were to assess the nature and extent of the attack, then develop guidance and recommendations for recovery and future protection – although the organization doesn’t provide actual recovery services.

The next steps for ICS-CERT are to glean all the information from an attack to build better situational awareness and provide alerts to the critical infrastructure community; that data is then correlated with past incidents and shared with National Cybersecurity and Communications Integration Center partners, according to the report.

“These incidents highlight the activity of sophisticated threat actors and their ability to gain access to system networks, avoid detection, use advanced techniques to maintain a presence, and exfiltrate data,” the report stated. “These findings highlight areas for improvement in protecting control systems networks.”