Iranian hackers have amped up a campaign of cyber-attacks against America's energy industry, according to a report from The Wall Street Journal.
Citing current and former U.S. officials speaking under the blanket of anonymity, the Journal reported that Iranian hackers accessed control system software that could have allowed them to manipulate oil or gas pipelines. The attacks raise the stakes in cyber-space between the U.S. and Iran, which has been accused by U.S. officials of being behind a spate of distributed denial-of-service attacks (DDoS) against U.S. banks stretching back to 2012.
"This is representative of stepped-up cyber activity by the Iranian regime. The more they do this, the more our concerns grow," a source told the Journal. "What they have done so far has certainly been noticed, and they should be cautious."
Alireza Miryousefi, Iran's spokesperson at the United Nations, denied any connection between hackers and the regime in an interview with the Journal.
The officials who spoke to The Wall Street Journal did not name any of the energy companies targeted in the attacks. But two former officials said oil and gas companies located along the Canadian border were among those hit.
Word of the attacks comes a week after Charles Edwards, deputy inspector general at the U.S. Department of Homeland Security, told members of a Senate subcommittee that industrial control systems were increasingly coming under attack in cyber-space in ways that could potentially cause "large-scale power outages or man-made environmental disasters."
Securing these systems is complicated, as many are more interconnected with the Internet than people realize, explained Tom Cross, director of security research at network security vendor Lancope.
"It is also difficult to fix security flaws with these systems because they aren't designed to be patched and restarted frequently," he said.
"It is extremely important," he continued, "that operators of industrial control networks monitor those networks with systems that can identify anomalous activity that might be associated with an attack. Because of the relatively homogenous nature of network activity on many control systems networks, anomaly detection can be can be a powerful tool in an environment where other kinds of security approaches fall flat."
Much of the talk about improving the security of critical infrastructure companies has focused on information sharing between the government and private sector. Improving communication between government and business figured prominently in the executive order on cyber-security that President Barack Obama issued in February. However, many officials and security experts have said that the order does not undo the need for legislation.
"The increases in cyber-assaults on our energy systems from Iranian-backed hackers are another signal to the government and the industry that measures must be taken to fortify the security of our critical infrastructure," said Lila Kee, chief product and marketing officer at GlobalSign and a North American Energy Standards Board (NAESB) board member.
"However, there is a fine line between cyber-security regulation and voluntary standards," she said. "Regulations cannot be so rigid so as to prevent protection from today's evolving advanced persistent threats, and voluntary standards cannot be so loose so as to provide no purpose. In today's modern world of malware, solutions must be fluid and scalable to battle aggressive cyber-attacks."