Report: Cyberthreat Detection Lacking
Critical Infrastructure Security Incidents Go Unnoticed
Many security incidents that affect components of the nation's critical infrastructure go unnoticed due to a lack of sufficient detection or logging capabilities, according to a new report from the Industrial Control Systems Cyber Emergency Response Team.
The study recommends that organizations enhance detection, monitoring and response capabilities, as well as report incidents so they can be tracked, correlated and shared.
Commenting on the report's findings, Chris Blask, chair of the Industrial Control System Information Sharing and Analysis Center, notes: "While we as a nation, and some individual infrastructure operators, have advanced in detection capabilities, this remains, by far, the greatest weakness that must be addressed. There is no more important step that we can take individually or together to ensure the ongoing safety, reliability and availability of our infrastructure than increasing our situational awareness capabilities."
The ICS-CERT in 2013 responded to 256 incidents targeting the networks of organizations that support the nation's critical infrastructure and use industrial control systems, the report says. But because reporting incidents is voluntary, the number could be much higher.
ICS-CERT partners with law enforcement agencies and the intelligence community to reduce risks across all critical infrastructure sectors by coordinating efforts of the government and control systems owners, operators and vendors. It operates within the National Cybersecurity and Integration Center, a division of the Department of Homeland Security's Office of Cybersecurity and Communications.
The National Institute of Standards and Technology on Feb. 12 released its long-awaited cybersecurity framework, which provides best practices for voluntary use in all critical infrastructure sectors, including, for example, government, healthcare and financial services (see: NIST Releases Cybersecurity Framework).
Common methods used to infiltrate critical infrastructure organizations include "watering hole" attacks, spear phishing and SQL injection, according to the ICS-CERT report.
The energy and critical manufacturing sectors were most often targeted by cyber-attacks in 2013, the report says. Of the 256 reported incidents to which ICS-CERT responded, 151 incidents occurred in the energy sector.
"The trusted relationship that ICS-CERT has with many industry partners, combined with an increase in awareness and reporting, is likely responsible for the increase in reported incidents from energy sector partners," the report says.
The critical manufacturing sector experienced 50 compromises, or about 20 percent of the incidents reported to the ICS-CERT in 2013. Several of those incidents targeted organizations that produce industrial control system devices and software.
"This highlights the continued interest in control systems by malicious actors as well as the possibility of threat actors looking for opportunities to exploit vulnerabilities in the supply chain," the report says.
Improving Situational Awareness
Mitigating risks to industrial control systems will take enhanced technical capabilities to improve situational awareness, Blask says.
Situational awareness includes, for example, knowing what sensitive data the organization has and where it is stored, as well as being prepared to share threat information with other industries and sectors.
"Whether our experience of the consequences of active threats in the next several years is better or worse than recent history will be primarily determined by our success in significantly forwarding such situational awareness," he says.
Making progress in this arena will require that organizations, among other things, develop "the ability to effectively apply knowledge derived from external sources, and where possible, to share some knowledge of their own experiences with the broader community who rely on their stability," Blask says.
Addressing the risks around operating or supporting critical infrastructure systems, he says, shouldn't be just the responsibility of those directly responsible for defending them.
"It is critical that those responsible for financial, healthcare and governmental systems are aware of the nature of their own interdependencies," Blask says. "These individuals and organizations should both develop plans that include these dependencies as well as involve themselves appropriately in driving solutions which address their needs."