An unnamed U.S. utility was recently breached by cyberattackers who gained access to the utility's operational control system, an agency within the Department of Homeland Security reported this week.
The disclosure of a successful attack by a "sophisticated threat actor" on a U.S. utility was made in the quarterly cybersecurity report by ICS-CERT, which investigates threats to industrial control and supervisory control and data acquisition (SCADA) computer systems, the brain centers for critical energy infrastructure installations.
ICS-CERT was able to work with the utility to deploy defenses that ensured the security of the control system "before there was any impact to operations," according to the agency.
A DHS spokesman declined to provide any details on the target or timing of the attack, which could have been directed against anything from a major electric power utility to a small municipal water utility.
While cyberattacks on retail and banking establishments that steal customer information are routinely disclosed to warn those customers, information about campaigns against critical infrastructure are commonly kept confidential.
"I am told by people within the utilities industries that intrusions are much more prevalent than what gets reported," said Adam Crain, a cybersecurity analyst and investigator who last year identified what ICS-CERT called a serious vulnerability in vendor software that manages communications between control systems and key remote devices.
According to the DHS organization, the utility breach at issue involved one of the most fundamental defensive breakdowns -- a link connecting the utility control system to the Internet.
The utility attack was chosen to underscore a warning in the ICS-CERT quarterly report about the dangers of permitting control systems to "face" the Internet. It mentioned two other similar attacks, one against a control system for machinery and the other against an energy control facility at the Sochi Olympics in Russia.
"Is your control system accessible directly from the Internet?" the ICS-CERT bulletin asked. "Do you use remote access features to log into your control system network? Are you unsure of the security measures that protect your remote access services?
"If your answer was yes to any or all these questions, you are at increased risk of cyber attacks including scanning, probes, brute force attempts and unauthorized access to your control environment."
'Minimal skill and knowledge' needed to compromise systems
The agency noted the ability of search engines such as SHODAN to scan the Internet to find openings to control systems, including those that system owners do not know about. Such vulnerabilities may be rapidly shared among attack communities, experts say.
And ICS-CERT warned that exposed control system devices frequently are not adequately protected. "As tools and adversary capabilities advance, we expect that exposed systems will be more effectively discovered, and targeted by adversaries," the bulletin said.
Dennis Fisher, editor in chief of the ThreatPost blog from the Kaspersky Lab, commented yesterday, "The security of industrial control systems and SCADA systems has become a serious concern in recent years. ... Many of these systems, which control mechanical devices, manufacturing equipment, utilities, nuclear plants and other critical infrastructure, are connected to the Internet, either directly or through networks, and this has drawn the attention of attackers looking to do reconnaissance or cause trouble on these networks. Researchers have been sharply critical of the security in the SCADA and ICS industries, saying it's 'laughable' and has no formal security development life cycle."
In the three incidents reported by ICS-CERT, "the attackers were described as 'sophisticated threat actors,'" noted Dale Peterson, founder of the cybersecurity firm Digital Bond, "yet one of the systems had no authentication or protection and the other had any easily cracked password. Perhaps the attackers were sophisticated, but minimal skill and knowledge were required to compromise these systems."
Crain agreed: "The details provided do not suggest the attacker was sophisticated."
After being notified of the break, ICS-CERT verified that the software running the control system was accessible via an Internet connection to a remote access point. A simple password attack was used to gain access. The agency said its forensic analysis determined that the utility had likely been exposed to numerous security attacks, and intruders had gained access on other occasions.
"This incident highlights the need to evaluate security controls employed at the perimeter," ICS-CERT said.
One measure of the risk utilities face comes in a new survey by ThreatTrack Security Inc., a cybersecurity defense firm based in Clearwater, Fla. Representatives of 100 energy companies and 100 financial services firms were queried. Nearly three-quarters of those polled said they expected to be subject to a cyberattack in the next year.
Energy firm officials said they were most worried about threats from "hacktivists," while financial services firm respondents considered cyber crime syndicates their biggest threat.
One-third of the respondents said their systems had been infected in the past year by malware that evaded detection by traditional front-line defenses such as antivirus software, email security and firewalls.
Energy firms were not among the prominent targets of cyberattacks last year, but there were several high-profile incidents in 2012, including thefts of intellectual property from U.S. pipeline companies and a breach of the internal security systems at Telvent Canada Ltd., a unit of Schneider Electric that builds SCADA control systems.
The company said in a letter to customers that attackers installed malicious software that enabled the theft of proprietary information on a Telvent product that allows older control systems to work with new "smart grid" systems, according to a letter from Telvent to its customers obtained by KrebsOnSecurity.com.
Like what you see?
We thought you might.
Start a free trial now.