Industrial control systems came under increasing scrutiny and attack in 2012, with almost 200 documented incidents, according to a report released last week by a component of the U.S. Department of Homeland Security.
Energy firms accounted for more than 40 percent of the 198 incidents reviewed by the Industrial Control Systems (ICS) Cyber Emergency Response Team (CERT), and water utilities took a distant second place with 15 percent of the incidents. While some of the cases were caused by security researchers using the Sentient Hyper-Optimized Data Access Network (SHODAN), a regularly updated directory of ports, to find exposed industrial control systems, the majority were serious breaches, the report stated.
The group took part in responding to almost two dozen attacks on oil and natural gas firms, discovering that sensitive information on the operations of the supervisory control and data analysis (SCADA) systems had been accessed by the attackers.
“Analysis of the targeted systems indicated that information pertaining to the ICS/SCADA environment, including data that could facilitate remote unauthorized operations, was exfiltrated,” the report stated.
Researchers and security professionals have focused on threats to industrial control systems and critical infrastructure for nearly a decade. However, the Stuxnet attack on Iranian uranium-processing equipment galvanized the critical-infrastructure industries into taking such threats seriously.
Yet change has come slowly: A year ago, researchers found that systems that use SCADA, an architecture for networked control systems, were still widely vulnerable. In November 2012, two rival vulnerability research firms underscored the issue by finding almost four dozen vulnerabilities in major SCADA products.
Such vulnerabilities seem to be the rule among industrial control products. ICS-CERT coordinated with more than 55 industrial-control system makers to report 171 vulnerabilities. The issues ranged from buffer overflows to input validation issues to cross-site scripting attacks. Products including hard-coded passwords accounted for seven of the security issues, the ICS-CERT report stated.
The group increased the pressure on the suppliers to fix their products’ security failings in a timely manner, allowing ICS-CERT to publish details of a particular vulnerability 45 days after notifying the vendor of the issue.
Suppliers were not alone in exposing security problems. One researcher using the SHODAN search engine to find Internet-accessible industrial control systems discovered about 20,000 systems accessible via the Internet.
“A large portion of the Internet facing devices belonged to state and local government organizations, while others were based in foreign countries,” the ICS-CERT report stated. “(We) worked with partners as well as 63 foreign CERTs in the effort to notify the identified control system owners and operators that their control systems/devices were exposed on the Internet.”
The ICS-CERT noted six incidents involving the nuclear sector but stressed that the group was not aware of any network breaches.