A recent report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) shows that while ICS vendors have been targeted by various types of malicious actors, over half of the attacks reported to the agency in 2014 involved advanced persistent threats (APTs).
According to the “ICS-CERT Monitor” newsletter for the period between September 2014 and February 2015, a total of 245 incidents were reported to the organization in the fiscal year 2014.
The report revealed that well over half of the incidents affected the energy (32%) and the critical manufacturing (27%) sectors. Communications, water, transportation, healthcare, and government facilities sectors each accounted for 5-6% of the total number of ICS incidents.
Roughly 55% of the incidents involved APTs. Sophisticated threat actors target ICS vendors for reconnaissance, economic espionage, and other reasons, ICS-CERT noted. Some of the attacks were carried out by insiders, hacktivists and criminals, but in many cases the perpetrators remained unknown because of a lack of attribution data.
The list of incidents reported to ICS-CERT in 2014 included unauthorized access and exploitation of ICS/SCADA devices connected to the Internet, exploitation of zero-day flaws in control system software and devices, SQL injection attacks via vulnerable Web apps, malware infections in air-gapped networks, lateral movement between network zones, network probing, watering hole attacks, and targeted spear-phishing campaigns.
The access vector was unknown in many of the incidents, mainly due to the lack of monitoring and detection capabilities in the targeted networks. Network scanning was identified as the access vector in 22% of cases, followed by spear phishing with 17%.
ICS-CERT noted that the 245 incidents it analyzed are only those reported by asset owners or by third-party agencies and researchers. The organization believes many breaches and intrusion attempts went unreported.
Researchers and vendors submitted a total of 159 reports involving control system component vulnerabilities in 2014. The security issues, which included authentication, buffer overflow and denial-of-service (DoS) vulnerabilities, affected systems most commonly deployed in the energy sector.
ICS-CERT issued alerts for two campaigns over the last year. One of them focused on the use of the Havex RAT in attacks aimed at ICS, and the second was related to BlackEnergy attacks exploiting vulnerabilities in products from GE, Advantech/Broadwin, and Siemens.
One of the most serious ICS-related cyber security incidents in 2014 targeted a steel plant in Germany. The country’s Federal Office for Information Security reported that the attack caused significant damage to the facility.