DHS: America's water and power utilities under daily cyber-attack

DHS industrial-control systems (ICS) response team offers glimpse into how bad it is

By , Network World
April 04, 2012 10:09 AM ET

Network World - WASHINGTON, D.C. -- America's water and energy utilities face constant cyber-espionage and denial-of-service attacks against industrial-control systems, according to the team of specialists from the U.S. Department of Homeland Security who are called to investigate the worst cyber-related incidents at these utilities.

These ICS-based networks are used to control water, chemical and energy systems, and the emergency response team from DHS ICS-CERT, based at the DHS in Washington, D.C., will fly out to utilities across the country to investigate security incidents it learns about. ICS-CERT typically doesn't name the utilities it tries to assist, but this week it did provide a glimpse into how vulnerable America is. In a panel at the GovSec Conference, ICS-CERT's leaders candidly presented a bleak assessment of why America's utilities have a hard time maintaining security, and why it's getting worse.

"On a daily basis, the U.S. is being targeted," said Sanaz Browarny, chief, intelligence and analysis, control systems security program at the U.S. Department of Homeland Security as she presented some statistics from fly-away trips taken last year by the ICS emergency response team to utilities, most in the private sector.

Out of the 17 fly-away trips taken by the ICS-CERT team to assist in network and forensics analysis, it appeared that seven of the security incidents originated as spear-phishing attacks via e-mail against utility personnel. Browarny said 11 of the 17 incidents were very "sophisticated," signaling a well-organized "threat actor." She said DHS believes that in 12 of the 17 cases, if only the compromised utility had been able to practice the most basic type of network security for corporate and industrial control systems, they would likely have detected or fended off the attack.

One of the basic problems observed at utilities is that "a lot of folks are using older systems previously not connected to the Internet," she said. "The mindset is the equipment would last 20 or 30 years with updates. These systems are quite vulnerable."

ICS-CERT works with outside security researchers willing to share their findings about industrial control systems, of which there are only about half a dozen major manufacturers, such as Siemens and GE. The power, chemical and water systems companies tend to all use the same thing, Browarny pointed out.

There are three basic types of attacks coming at these utilities today, she said: first, thrill-seeking "garden-variety" hackers that target known vulnerabilities; second, the dangerous volley of viruses, worms and botnet attacks; and third, "nation-state actors" that have "unlimited funding available" and conduct espionage as they "establish a covert presence on a sensitive network."

She also noted that the hacktivist group Anonymous is becoming more interested in ICS, and that it's a threat that should be taken seriously.
