America’s water and energy utilities have not only suffered attacks in the past, they are constantly facing cyber-espionage and denial-of-service attacks, according to the U.S. Department of Homeland Security (DHS) team that investigates cyber-related incidents at these utilities.
These networks control water, chemical and energy systems, and the emergency response team from DHS ICS-CERT, based at the DHS in Washington, D.C., will fly out to utilities across the country to investigate security incidents it learns about. ICS-CERT typically doesn’t name the utilities it assists, but this week it did provide a glimpse into how vulnerable America is. During a panel discussion at the GovSec Conference, ICS-CERT’s leaders presented a bleak assessment of why America’s utilities have a hard time maintaining security, and why it’s getting worse.
“On a daily basis, the U.S. is being targeted,” said Sanaz Browarny, chief of intelligence and analysis for the control systems security program at the U.S. Department of Homeland Security, as she presented statistics from last year’s investigations by the ICS emergency response team.
Out of the 17 fly-away trips taken by the ICS-CERT team to assist in network and forensics analysis, seven of the security incidents appeared to have originated as spear-phishing attacks via email against utility personnel. Browarny said 11 of the 17 incidents were very “sophisticated,” signaling a well-organized “threat actor.” She said DHS believes that in 12 of the 17 cases, the compromised utility would likely have detected or fended off the attack if it had practiced even the most basic network security for its corporate and industrial control systems.
One of the basic problems observed at utilities is “a lot of folks are using older systems previously not connected to the Internet,” she said. “The mindset is the equipment would last 20 or 30 years with updates. These systems are quite vulnerable.”
ICS-CERT works with outside security researchers willing to share their findings about industrial control systems, of which there are only about half a dozen major manufacturers, such as Siemens and GE. The power, chemical and water systems companies tend to all use the same thing, Browarny said.
There are three basic types of attacks coming at these utilities today, she said, those being thrill-seeking “garden-variety” hackers that target known vulnerabilities; secondly, the dangerous volley of viruses, worms and botnet attacks; and thirdly, “nation-state actors” that have “unlimited funding available” and conduct espionage as they “establish a covert presence on a sensitive network.”
She also noted that hacktivist groups are becoming more interested in ICS, and that it’s a threat everyone should take seriously.
Kevin Helmsley, a leader in the emergency-response effort in the Control Systems Security Program at ICS-CERT, which operates under DHS, said the count of “incident tickets” for reported incidents at water and power-generating utilities is going up. While there were only nine incidents reported in 2009, last year this grew to 198 incident tickets. Just over 40% came from water-sector utilities, with the rest from various energy, nuclear energy and chemical providers. “There’s a lot of exposed water systems,” he noted. In three of the 17 fly-away cases last year, it was third parties, such as hired contractors, who discovered the problems.
Outside researchers will from time to time discover vulnerabilities in ICS-related products, and Helmsley noted older ICS equipment that is hard to bring up to date is a big issue. He said he knew of one GE product that was 20 years old and still in use and “riddled with problems.” But some of the ICS equipment is very expensive and owners want to maximize their investments, he said. “Sometimes the product is no longer being maintained by the vendor and they don’t release a patch. But that doesn’t mean it’s not being used.”
Anyone thinking that attacks are not really happening, or that their own company will not suffer a compromise, is mistaken, the ICS-CERT team leaders said: serious compromises and attacks are occurring.
Helmsley said that in quite a few cases the attacks don’t appear to come directly through the Internet via ISPs, but instead trace back to outside companies that provide services to the attacked utilities, raising the question of whether those service providers have themselves been compromised.
In regulated industries, the water and energy utilities will “do the bare minimum” to pass regulatory audits as they seek to comply with NERC or NIST standards, Browarny said. But this is simply not enough based on what America is facing.