Report: Cyber Threats to Energy Sector Happening at ‘Alarming Rate’

From: WSJ

Rachael King

Internet-based attacks on critical U.S. energy infrastructure are occurring at a greater rate than previously understood, according to a new government report. The report, issued by a cyber security team that operates within the Department of Homeland Security, found that thousands of control systems used in critical infrastructure are linked directly to the Internet and are vulnerable to attack by viruses and other malware. In the fiscal year that ended September 30, 2012, companies reported 198 cyber incidents to the DHS’s Industrial Control Systems Cyber Emergency Response Team, more than 40% of which were directed against companies operating in the energy sector. The team “has been tracking threats and responding to intrusions into infrastructure such as oil and natural gas pipelines and electric power organizations at an alarming rate,” according to the report.

The report detailed a number of recent discoveries of malicious software in control systems, including one at an electric utility and another at a power generation facility, both of which were infected by USB devices. Like many organizations, these energy companies believed they had effectively quarantined the networks controlling production facilities from their business IT networks.

“Executives are told the networks aren’t connected, and that may be true in a logical sense, but it’s not entirely true,” said Alan Paller, founder of cybersecurity research and education organization SANS Institute. Even though a so-called air gap prevents the two networks from communicating electronically with one another, such as via email, those networks often share hardware such as routers and printers, which can be used by hackers to hop across from the business IT network to the production network. Those devices are shared for practical reasons; companies need to get production data in the business systems and they need to do maintenance on the production network, Mr. Paller added.

In one instance in early October, a virus was discovered in a turbine control system, affecting approximately ten computers on the control system network of an electric utility. Investigators found the malware gained entry through a third-party technician who used a USB drive to upload software updates during a scheduled equipment upgrade. The technician did not know that the USB drive was infected with malware. The infection delayed the utility's restart of the plant by three weeks.

Some of the most sophisticated and destructive cyber attacks of 2012 could have potentially been much worse had hackers been able to cross from business to production IT networks. For example, according to the report, hackers in August used the Shamoon virus to attack the production network belonging to Saudi Arabian Oil Co. But the malware only succeeded in destroying data residing on the company’s business IT network. The same was true of Qatari natural gas company Rasgas Company Limited, also attacked in August. Both production networks were spared because the companies segregated the networks using an air gap.
