DHS: Gas pipeline industry under significant ongoing cyberattack

ICS-CERT takes unusual step of issuing public warning to raise awareness

SAVANNAH, Ga. -- There is now an ongoing and massive cyberattack targeting the American gas-pipeline industry, aimed at giving the attacker a way to gather sensitive information by compromising business systems and possibly even subverting industrial control systems. The Department of Homeland Security's investigative division, called the ICS-CERT, says it's taking the somewhat unusual step of issuing an alert and speaking publicly about it to heighten awareness of a dangerous situation.

ICS-CERT, whose job at DHS is to interact with the nation's utilities and manufacturing firms that use industrial control systems and help them assess possible cyberattacks, is referring to it as the "Gas Pipeline Cyber Intrusion Campaign." In speaking briefly about it today at a conference here, Kevin Hemsley, a leader in the ICS-CERT, said a "sophisticated threat actor" is going after the national gas pipeline operators, mostly through spear-phishing, and has in some cases been able to compromise them.

MORE: The Most Mortifying Moments in IT Security History 

BACKGROUND: DHS: America's water and power utilities under daily cyberattack

The investigation into incidents so far suggests the attacks against the gas-pipeline industry started as early as December of last year, said Hemsley. "In the past two weeks, ICS-CERT has had multiple briefings in multiple locations," some of them classified with those in the pipeline industry with security clearances, to explain what is known about the attacks to date. ICS-CERT expects to put out more information publicly within the week, if possible, he said.

As to whether the "threat actor" alluded to happens to be a nation-state, Hemsley didn't discount that from the realm of possibilities but wouldn't comment further.

He said the government, which is getting cooperation from organizations impacted in the gas pipeline industry, is monitoring some of the IP traffic associated with successful targets that were spear-phished by the attackers.

At the ICSJWG 2012 Spring Conference here where Hemsley briefly discussed the cyberattacks on the gas pipeline sector, others also addressed cybersecurity issues that have arisen in the past few months.

One is the mistake that was made by the Curran-Gardner Townships Public Water District in Springfield, Ill., in reporting in November 2011 to authorities involved in gathering intelligence on terrorism and criminal attacks on public utilities that there had been a cyber-intrusion from Russia that impacted a water pump operation.

That information, which was summarized in an Illinois Statewide and Intelligence Center (STIC) report in November and sent on to DHS for review, was leaked to the media by a privileged source who had the report.

It sent off a firestorm of controversy, but ICS-CERT and FBI officials, who flew out to the Springfield water facility, which is rather small, said their investigation showed that this was a mistake made by Curran-Gardener. The suspected cyberattack from Russia was simply a known contractor who logged in from Russia during vacation, and the pump failure was just a coincidence.

Though some faulted the ICS-CERT and FBI response as too slow in investigating the suspected incident, especially given the many news stories that what would have been the first major cyberattack to impact U.S. industrial control systems had been reported, FBI and ICS-CERT representatives responsible for investigating said they worked as quickly as they could at the time.

Christopher Trifiletti, the FBI agent whose job is was to help determine what had actually happened, said Curran-Gardener "welcomed us at every opportunity."

Trifiletti, speaking today, said it "was a Russian IP address in a server log," that was the source of the misconception by Curran-Gardener staff. He said, noting the FBI spoke with the company's contractor, Jim Mimlitz, who acknowledged what he had done in terms of remote access from Russia during his vacation, adding he was also at Germany during that trip as well. "It was a non-incident," said Trifiletti.

Eric Cornelius, the technical specialist from ICS-CERT who was also involved in the investigation at Curran-Gardner in Springfield, said Curran-Gardner did maintain an extensive collection of logs, including control systems logs, but analysis was difficult because they weren't set up to do this. The code base at the water utility was "very proprietary," he said, and because it was written by a husband-and-wife team in their kitchen -- and the wife wasn't even professional coder -- it was "rife with "typographical errors" Cornelius said.

The FBI and DHS ICS-CERT turned to their own methods, which included the Splunk tool, to figure out what they could. And they called the contractor who readily acknowledged what he had done from Russia. Cornelius said the "lesson learned" in this incident which wasn't actually a cyberattack is that utilities need to put together a careful cyber-response plan and do better analysis before reporting a cyber-intrusion of serious consequences. It's estimated the forensics and analysis provided by the government to Curran-Gardener amounted to over $100,000 of dedicated security assessment.

To date, ICS-CERT says there has not been a cyber-compromise of a water, energy or other utility sectors that has led to a successful cyberattack directly on industrial control systems, which might wreck havoc by ceasing normal operations that generate electricity, water and gas. But there have been several cyber-intrusions, especially through Microsoft Windows, that have compromised energy sector business systems in particular, apparently some for purposes of intelligence-gathering by sophisticated attacks that might be criminals or nation-states, that have spread into the networks involved in ICS maintenance.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2012 IDG Communications, Inc.