Maybe we should dub 2012 “The Year of the Pipeline Hack.”
According to the Homeland Security Department, more than 40 percent of cyber “attacks” reported in fiscal 2012 were aimed at the energy sector, and a good chunk of those were targeting oil and natural gas companies that operate pipelines.
The energy sector, broadly, was the subject of an intense cyber campaign in the past year, apparently aimed at gaining control of the computers that physically control mechanical systems at utility sites. To put this campaign in some perspective, the DHS group that monitors threats to infrastructure owners and industry groups responded to 198 “cyber incidents” in fiscal 2012 (October 1, 2011 to September 30, 2012).
To say these incidents are now commonplace is an understatement. But how severe are they?
“Incident” is a pretty broad term, and DHS helpfully sheds some light on it. The department’s Industrial Control Systems Cyber Emergency Response Team, the folks who will go out to a targeted site and figure out what happened, assisted 23 oil and natural gas sector organizations that were targeted in a spear-phishing campaign. In those cases, “information pertaining to the ICS/SCADA environment, including data that could facilitate remote unauthorized operations, was exfiltrated.” Put another way, the hackers made off with information that they could use to disrupt, disable, or commandeer the infrastructure (read: gas pipeline, oil refinery, whatever the “organization” in question is).
One DHS team visited an unnamed power generation facility and discovered “common and sophisticated malware” in “the industrial control environment,” viruses and malware on systems that control power plants. The source of the problem was an infected USB drive. (DHS offered no further details about how it became infected.)
Also, in October 2012, a power company reported “a virus infection in a turbine control system,” DHS says. It turned out “a third-party technician used a USB-drive to upload software updates during a scheduled outage for equipment upgrades. Unknown to the technician, the USB-drive was infected with crimeware [a type of malicious code specifically designed for criminal activity, like fraud or theft.]”
I suppose what’s most frustrating about these incidents is that they are, to varying degrees, preventable. At the very least, there are steps owners can take to lessen the risk that their machinery will be compromised. At the most basic level, DHS advises that they not connect control system devices to the Internet. Seems obvious enough, but according to research published last fall, there are more than 7,000 control systems connected to the Internet in the United States. Want to see where they are?
Apparently, DHS is tired of reminding energy companies and public utilities not to use “password” as the password for control systems. So, the department’s computer emergency response team has joined up with the Energy Department and is conducting both secret and non-classified briefings for infrastructure owners across the country. Officials are sharing information about the incidents reported in the past year, as well as “essential information regarding mitigation strategies, best practices, and emerging trends.” (There have been two in the Washington region, according to DHS.)
This seems like a smart move on DHS’ part. But it also puts the onus on government to keep industry up to date on the operational details of what they’re seeing. Where are these hacks coming from? Who’s behind them? What can companies do beyond using stronger passwords and putting up firewalls to protect themselves? And perhaps most important, what is the government going to do to actively fend off these intrusions? I haven’t sat in on one of these briefings, but I imagine that last question is being asked by more than a few exasperated company executives, who now find their companies in the crosshairs.