ICS-CERT: Response to Cyber ‘Incidents’ Against Critical Infrastructure Jumped 52 Percent in 2012

Attackers increasingly targeted the country’s critical infrastructure such as power grids, water systems, and nuclear facilities in 2012, according to a recent Homeland Security report.

The department’s Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT) responded to and investigated 198 cyber-incidents against critical infrastructure in fiscal year 2012, compared to 130 in 2011, according to the latest ICS-CERT Monitor report. The energy sector was the most targeted industry in 2012, accounting for 41 percent of reported events, followed by water with 15 percent.

This rise in attacks against critical infrastructure systems is hardly surprising given many of the headlines and reports that emerged during 2012.

Other popular targets included commercial entities, government, transportation, and communications, according to the report. Chemical organizations reported seven incidents to ICS-CERT and nuclear plants reported six.

“Of the six incidents in the nuclear sector, ICS-CERT is not aware of any compromises into control networks,” the agency said in the report. The fiscal year in the report extends from Oct. 1, 2011 to Sept. 30, 2012.

The cyber-security response team helped with incident response and recovery for 23 oil/natural gas sector organizations after a targeted phishing campaign, the report said. ICS-CERT analyzed over 50 malware samples and malicious files, 20 emails, and 38 hard drive images to determine the extent of the compromise and to understand the techniques the attackers used. In one incident, attackers successfully exfiltrated information pertaining to an industrial control system and SCADA environment, including how to remotely operate the systems.

Spear phishing and Internet-facing systems with weak or default credentials were the most common incident types in the water sector.

In fact, control systems devices that could be directly accessed from the Internet were an “area of concern” in fiscal year 2012, ICS-CERT said. Researcher Eireann Leverett used the SHODAN search engine to identify and locate 20,000 ICS-related devices that could be directly addressed over the Internet and had weak or default authentication, according to the report.

“A large portion of the Internet-facing devices belonged to state and local government organizations,” ICS-CERT said.

Along with incident response, ICS-CERT also coordinates vulnerability disclosures between researchers, vendors, and the industry. ICS-CERT tracked 171 unique vulnerabilities affecting ICS products across 55 different vendors in fiscal year 2012, compared to 145 vulnerabilities tracked in 2011. While the total number of vulnerabilities increased from a year ago, buffer overflows remained the most common vulnerability type, the report said. The good news is that buffer overflow issues accounted for only 26 percent of reported vulnerabilities, compared to 46 percent in 2011.

More than 24 types of vulnerabilities were reported, including input validation, cross-site scripting, resource management, access control, hard-coded credentials, encryption issues, and SQL injection.

“ICS-CERT also noted an increase in vulnerabilities related to hardware, including ICS networking and medical devices,” the report said.

The report described two separate incidents, at a power generation company and an electric utility, where an infected USB drive spread malware to several computers on the network. In both cases, an antivirus product with up-to-date definitions would have detected and blocked the malware before it infected the machines. ICS-CERT recommends that owners and operators of critical infrastructure also have policies in place governing the use of removable media, such as regularly scanning and cleaning all removable media so that a single drive cannot infect multiple systems.

“Such practices will mitigate many issues that could lead to extended system downtimes,” ICS-CERT said.
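A removable-media policy is only as good as the ability to see when it is violated. The following is an added example, not code from the ICS-CERT report or from SecurityWeek, of the kind of detection logic an operator could run over host audit logs: it flags storage devices whose serial number is not on an allowlist of scanned-and-cleaned drives, and it flags any single drive that turns up on several hosts, which is the spread pattern the two incidents above describe. The log lines are constructed to resemble a simplified text export of Windows Security event 6416 (“A new external device was recognized by the system”); the exact field layout, the `APPROVED_SERIALS` allowlist, and the host and device names are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the ICS-CERT report): a simplified text
# export of Windows Security event 6416, one line per device recognition.
# Field layout, host names and device serials are assumptions for this example.
SAMPLE_EVENTS = [
    "2012-09-12T08:14:03Z host=HMI-01 EventID=6416 Class=DiskDrive DeviceId=USBSTOR\\Disk&Ven_Acme&Prod_Stick\\SER-0001",
    "2012-09-12T08:20:41Z host=ENG-WS-02 EventID=6416 Class=DiskDrive DeviceId=USBSTOR\\Disk&Ven_Acme&Prod_Stick\\SER-0001",
    "2012-09-12T09:02:17Z host=HMI-03 EventID=6416 Class=DiskDrive DeviceId=USBSTOR\\Disk&Ven_Acme&Prod_Stick\\SER-0001",
    "2012-09-12T09:30:00Z host=HMI-01 EventID=6416 Class=Keyboard DeviceId=USB\\VID_046D&PID_C31C\\6&1a2b3c",
    "2012-09-12T10:05:55Z host=ENG-WS-02 EventID=6416 Class=DiskDrive DeviceId=USBSTOR\\Disk&Ven_Acme&Prod_Stick\\SER-0042",
    "2012-09-12T10:06:10Z host=ENG-WS-02 EventID=4624 LogonType=2 User=operator",
]

# Hypothetical allowlist: serials of drives the organization has scanned and cleaned.
APPROVED_SERIALS = {"SER-0042"}

# Parse the constructed line format; Class and DeviceId are absent on non-6416 events.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+)"
    r"(?: Class=(?P<cls>\S+))?(?: DeviceId=(?P<dev>\S+))?"
)


def parse_event(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["eid"] = int(ev["eid"])
    # The last path component of a USBSTOR device id is the drive's serial number.
    ev["serial"] = ev["dev"].rsplit("\\", 1)[-1] if ev["dev"] else None
    return ev


def audit_removable_media(lines, approved, spread_threshold=2):
    """Return findings as (kind, serial, hosts, timestamp) tuples.

    kind is "unapproved_media" for a storage device not on the allowlist, or
    "multi_host_media" for a storage device seen on spread_threshold or more hosts.
    """
    findings = []
    hosts_by_serial = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        # Only device-recognition events for disk-class devices matter here;
        # keyboards, logons and unparseable lines are ignored.
        if not ev or ev["eid"] != 6416 or ev["cls"] != "DiskDrive":
            continue
        hosts_by_serial[ev["serial"]].add(ev["host"])
        if ev["serial"] not in approved:
            findings.append(("unapproved_media", ev["serial"], ev["host"], ev["ts"]))
    # A single drive moving between hosts is the spread pattern to watch for.
    for serial, hosts in hosts_by_serial.items():
        if len(hosts) >= spread_threshold:
            findings.append(("multi_host_media", serial, ",".join(sorted(hosts)), None))
    return findings


if __name__ == "__main__":
    for finding in audit_removable_media(SAMPLE_EVENTS, APPROVED_SERIALS):
        print(finding)
```

Against the constructed input, drive SER-0001 produces three unapproved-media findings and one multi-host finding, while the approved drive SER-0042 produces none. In a real deployment the allowlist would be maintained by whoever performs the scan-and-clean step, so that the audit ties each detected drive back to the policy the report recommends.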

ICS-CERT also reminded readers of the benefits of continuous monitoring and noted that help is available for organizations looking to implement it.

As SecurityWeek columnist Dr. Mike Lloyd of RedSeal Networks recently noted, an audit once a year is all pain for very little gain, while continuous monitoring “isn’t just more of the same – it’s a real transformation of the objective and the outcome.”
