The "hacktivist" collective Anonymous is capable of crippling critical infrastructure, but the odds of developing a Stuxnet-style attack on industrial Supervisory Control and Data Acquisition systems were slim, according to a Department of Homeland Security bulletin.
The four-page report from the department's National Cyber-Security and Communications Integration Center was posted on the Public Intelligence Website on Oct. 17. The Department of Homeland Security evaluated the collective's potential to disrupt critical infrastructure in the "Assessment of Anonymous Threat to Control Systems" report, dated Sept. 17.
Even though hacktivist groups are increasingly more active in their attacks, DHS said actual threats to control systems don't seem to have increased. Anonymous currently has a "limited ability" to conduct attacks that target industrial control systems, the DHS found. The group has the capability to disrupt operations with distributed denial-of-service attacks, but it doesn't currently have the necessary skills to take over critical infrastructure, according to the DHS.
"However, experienced and skilled members of Anonymous...could be able to develop capabilities to gain access and trespass on control system networks very quickly," according to the DHS bulletin.
DHS evaluated the group after a known Anonymous member posted on Twitter on July 19 a directory tree for Siemens SIMATIC control system software, according to the report. "This is an indication in a shift toward interest in control systems by the hacktivist group," the report said.
Critical infrastructure refers to the systems and networks that power communications, energy, financial systems, food, government operations, health care systems, transportation and water.
The vast majority of the infrastructure is currently controlled by the private sector. There are several bills in Congress proposing some form of government oversight to protect critical infrastructure, but disagreements remain as to who should be in charge and the role government should play.
The idea that Anonymous might target critical infrastructure is not far-fetched. Members have called for attacking energy companies and on July 11, some members of the collective attacked biotechnology seed company Monsanto. As part of the attack, Monsanto's Web infrastructure had been disabled for two days, email servers disabled for three days and data on 2,500 employees and partners stolen.
Groups such as Anonymous and LulzSec choose to "harass and embarrass their targets using rudimentary attack methods," DHS said. All the information released by Anonymous and LulzSec indicated that the groups showed "no indication of exploitation capability," according to the report.
While the risks currently are low, there was a "moderate likelihood" that future protests could be accompanied by attacks on core infrastructure in the future.
The group can become more interested, especially as they realize how poorly these systems are secured in the first place, the report warned. Members can study industrial control systems using publicly available information and develop malware to exploit well-known vulnerabilities, according to the federal agency.
The DHS report still warned that even though Anonymous may not attack the control systems, all businesses should still make sure their IT systems are protected. Attackers can easily locate and access industrial control systems with "minimal skills" using Internet search engine tools and applications to carry out "nefarious activities" or conduct reconnaissance activities to launch other attacks, the department warned.
Oil and gas companies are potentially attractive targets as the collective supports the "green energy" agenda and has opposed pipeline projects in the past.