A recent report issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) revealed that the organization responded to nearly 250 incidents last year, 55 percent of which involved advanced persistent threats (APTs).
According to the September 2014-February 2015 ICS-CERT Monitor newsletter, the energy sector was once again the most targeted industry in 2014, accounting for 79 of the reported incidents (32 percent).
Similarly, the critical manufacturing sector reported 65 incidents last year (27 percent), some of which came from control systems equipment manufacturers, the report said.
“The ICS vendor community may be a target for a variety of reasons, including economic espionage and reconnaissance,” read the report.
ICS-CERT added that its continuing partnership with the energy sector provides many opportunities to share information and collaborate on incident response efforts.
Additionally, the findings showed that the incidents comprised a variety of threats, using several methods in an effort to gain access to both business and control systems infrastructure, such as:
- Unauthorized access and exploitation of Internet-facing ICS/Supervisory Control and Data Acquisition (SCADA) devices
- Exploitation of zero-day vulnerabilities in control system devices and software
- Malware infections within air-gapped control system networks
- SQL injection via exploitation of web application vulnerabilities
- Network scanning and probing
- Lateral movement between network zones
- Targeted spear-phishing campaigns
- Strategic website compromises (a.k.a., watering hole attacks)
Furthermore, ICS-CERT stated that in the majority of cases (38 percent), attacks were reported as having an “unknown attack vector” due to insufficient attributional data.
“In these instances, the organization was confirmed to be compromised,” said the report. “However, forensic evidence did not point to a method used for intrusion because of a lack of detection and monitoring capabilities within the compromised network.”
Common known attack vectors in the reported incidents included spear phishing (17 percent), network scanning/probing (22 percent) and weak authentication (5 percent), among others.
Nonetheless, ICS-CERT added that the findings are based only on incidents reported to the organization, either by asset owners or through partnerships with trusted third-party agencies or researchers.
“Many more incidents occur in critical infrastructure that go unreported,” said the ICS-CERT Monitor.
For additional findings, read the full report here: https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf (PDF).