Power, water, and nuclear systems in the U.S. are increasingly under attack by cybercriminals seeking to gain access to critical infrastructure.
The number of attacks reported to the U.S. Department of Homeland Security (DHS) cyber security response team grew by 52% in fiscal year 2012, which ended in September, according to a report from the team. There were 198 attacks brought to the agency’s attention last year, several of which resulted in successful break-ins.
An unidentified group of hackers targeting natural gas pipeline companies gained access to the corporate systems of several of their targets and exfiltrated data on how the control systems work.
The information obtained “could facilitate remote unauthorized operations,” DHS said. There’s no evidence the hackers have actually broken into the control systems themselves, the agency added.
The energy sector was the most-targeted field, with 82 attacks, and the water industry reported 29 attacks last year. Chemical plants faced seven cyber attacks, and nuclear companies reported six.
Hackers hit several of their nuclear targets: “These organizations reported that their enterprise networks were compromised and in some cases, exfiltration of data occurred,” the DHS team wrote. DHS said it is not aware of any successful breaches of nuclear control networks.
Those are only the attacks that we know about, though. Quite a few companies make the decision not to report incidents, and the majority of cyber attacks go undiscovered, according to industry researchers.
DHS warned the nation’s infrastructure is vulnerable. Using a special search engine that finds Internet-connected devices, researchers from security advocacy group InfraCritical located nearly 500,000 devices across the country that appeared to tap into key control systems. They brought their list to DHS, which began investigating — and confirmed that 7,200 devices on it do appear to link to critical control systems.
Many of those systems are directly reachable through the Internet and “have either weak, default, or nonexistent logon credential requirements,” DHS said.