DHS: APT behind Half of Cyber Incidents In Critical Infrastructure

DHS said 55% of the cyber incidents affecting critical infrastructure that were reported to it in 2014 were attributable to “APT” or other sophisticated threat actors.

In-brief: A new report from the Department of Homeland Security reveals that 245 cyber incidents affecting critical infrastructure were reported to it in 2014. More than half (55%) were attributed to sophisticated “APT” type actors.

A report from the Department of Homeland Security reveals that so-called “advanced persistent threat” actors were linked to more than half of industrial control system (ICS) incident reports filed during 2014.

The revelation comes from DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which reported on its incident response and vulnerability coordination activity for 2014. Among the 245 incidents reported were malware infections on “air-gapped” control system networks, strategic compromises of so-called “watering hole” web sites, and the use of previously unknown (“zero-day”) vulnerabilities in industrial control system software. DHS found that 55% of incidents involved APT or otherwise sophisticated actors. Hacktivists, malicious insiders and cyber criminals were behind other incidents. In many cases, asset owners were unable to determine who or what was attacking them, the report said.

The report from ICS-CERT gives the best picture available of the scope of cyber attacks on critical infrastructure. Firms in the energy sector reported the biggest share of cyber attacks: 79, or 32% of the incident reports. The “critical manufacturing” sector reported the next highest number of incidents: 65, or 27% of the total recorded by ICS-CERT.

Attack types varied, DHS said. Incident reports documented unauthorized access to, and exploitation of, Internet-facing industrial control and SCADA devices, as well as exploitation of previously unknown (“zero-day”) vulnerabilities in control system devices and software. The report also notes malware infections on control system networks that were physically separated (“air gapped”) from the Internet.

Still, in the majority of incidents investigated, the affected organization was unable to determine from forensic evidence how the intrusion occurred. ICS-CERT attributed this to a “lack of detection and monitoring capabilities within the compromised network.”


Further, DHS warned that its figure of 245 incidents is almost certainly an undercount, since it reflects only incidents reported to ICS-CERT. “Many more incidents occur in critical infrastructure that go unreported,” ICS-CERT warned.

The number of control system software vulnerabilities reported to ICS-CERT declined in 2014: ICS-CERT received 159 vulnerability reports, down from 187 in 2013. Those largely concerned systems commonly used in the energy sector, followed by critical manufacturing and water and wastewater.

Authentication weaknesses, buffer overflows and denial of service vulnerabilities were the most common types reported to ICS-CERT, the report said.