Operators of water and electrical systems, known collectively as critical infrastructure, have reported a surge in cybersecurity incidents over the past three years.
In 2011, companies reported 198 cyber incidents to the Homeland Security Department — a nearly 383 percent increase above 2010, according to a June 28 report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Companies reported nine such incidents in 2009, when DHS opened ICS-CERT to help protect private-sector operators of critical infrastructure from “emerging” cyber threats.
Water facilities claimed the lion’s share of reported incidents, about 41 percent. ICS-CERT also logged reports from energy, nuclear and chemical facilities.
For seven of the reported cases in 2011, ICS-CERT deployed on-site incident response teams at the behest of the companies involved.
Based on those on-site deployments, the agency pointed to some trends and commonalities among the incidents.
Spear-phishing most common method
The most common method of network intrusions was spear-phishing emails containing malicious links or attachments. Of the 17 incidents ICS-CERT investigated more closely, seven used spear phishing.
ICS-CERT also found many companies inadequately equipped to handle network intrusions. In 12 of the 17 cases, implementing certain security features, such as limiting log-ins and properly configuring firewalls, “could have deterred the attack, significantly reduced the time to detect the attack or at least reduced the impact of the incident,” according to the report.
Most of the companies the agency responded to were also lacking tools to detect intrusions into their networks.
The security gaps fall into three broad categories, ICS-CERT said: people, process and technology. Companies can be hindered by employees who don’t understand risks, a lack of sufficient security strategies and inadequate technology.
As the number and sophistication of cyber intrusions continue to increase, ICS-CERT issued guidance on what companies should do to respond to cyber attacks.