Report: DHS Requested Gas Pipeline Companies to Let Attackers Lurk Inside Networks

DHS Warns of Cyber Attack Targeting Natural Gas Industry: Companies Requested Not To Take Action to Remove Attackers, Says Source

According to reports, which were confirmed Friday by ICS-CERT, an active phishing campaign is the reason the U.S. Department of Homeland Security (DHS) has issued three warnings since the end of March that the natural gas industry is under ongoing cyber attack. However, it is the advice that the DHS is giving that should raise some red flags.

The specter of a cyber attack against critical infrastructure is real, not because the DHS is guarding the Internet, but because the networks running the critical infrastructure are so poorly protected. It has gotten to the point that simple phishing attacks, which proper email protection and awareness training are meant to cover, rate three separate warnings and alerts.

“Various sources provided information to ICS-CERT describing targeted attempts and intrusions into multiple natural gas pipeline sector organizations. Analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign. The campaign appears to have started in late December 2011 and is active today,” the CERT alert advised.

As reported by the DHS through the Transportation Security Administration’s Office of Intelligence, the U.S. pipeline system comprises 161,189 miles of liquid pipelines with more than 200 operators; 309,503 miles of natural gas transmission pipelines with more than 700 operators; and 1.9 million miles of natural gas distribution pipelines with more than 1,300 operators.

“Virtually the entire U.S. pipeline system and critical infrastructure is owned and operated by private entities,” the agency said in a pipeline threat assessment memo from 2011.

“Oil and natural gas pipeline system operations rely heavily on industry control systems (ICSs) including supervisory control and data acquisition (SCADA) networks. Terrorist groups have discussed attacks on unspecified SCADA systems, but it is uncertain whether al-Qa’ida or any other group has the capability to conduct a successful cyber attack. The TSA-OI is not aware of any credible, specific threat reporting targeting U.S. pipelines’ industry control systems or the supervisory control and data acquisition networks.”

Still, the idea that something as simple as a phishing attack could cripple the nation’s pipeline system – as the alerts lead one to believe – is sad, but it gets worse. Someone who has seen the three alerts from the DHS, which were allegedly kept from the public because they contain sensitive information, told the Christian Science Monitor what the alerts essentially requested of those in the industry.

“There are several intriguing and unusual aspects of the attacks and the US response to them not described in Friday's public notice,” CSM staff writer Mark Clayton noted. “One is the greater level of detail in these alerts than in past alerts. Another is the unusual if not unprecedented request to leave the cyber spies alone for a little while.”

According to the source, the companies were “specifically requested in a March 29 alert not to take action to remove the cyber spies if discovered on their networks, but to instead allow them to persist as long as company operations did not appear to be endangered.”

“In essence they were saying: ‘Do not put in any mitigation or blocks against these active intruders,’” the CSM’s source said. “But if you're telling an investor owned utility not to do anything, that's pretty unheard of. Step one is always block these guys and get them off the system. It's pretty unusual in the commercial world to just let them collect data. Heaven forbid that the intruders gain control...”

Based on the information released by PublicIntelligence.net, the “let them in and watch” approach doesn’t seem to be on the training calendar for June’s National Level Exercise (NLE).

NLE 2012, which will involve thirteen states, four countries, nearly every major governmental department in the U.S., and a few NGOs, private sector firms, and universities, is set to focus on “cyber threats to critical infrastructure and the ‘real world’ implications for government and law enforcement of large-scale cyber attacks.”

"Given the response, it would seem clear that the DHS is interested not in simply repelling the attack, but getting to the people behind it," Wade Williamson, Senior Security Analyst at Palo Alto Networks, told SecurityWeek.

The DHS will not comment on "For Official Use Only" and other sensitive memos, so its reasoning for allowing the attackers to look around will remain a matter of speculation.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.