Yesterday the DHS ICS-CERT published a 17 page report on the cybersecurity incidents the organization responded to since its inception in 2009. The seventeen page report provides an overview of the number of incidents per year and by critical infrastructure sector. It summarizes common findings and provides an overview of vulnerabilities discovered in three broad categories; people, process and technology.
Summary Data Misleading
The initial summary of ICS-CERT incident response data is kind of frightening; nine responses in 2009, 41 in 2010 and 198 in 2011 (page 2). It would seem to support the general idea that our critical infrastructure systems are increasingly under attack; a conclusion supported by other report. A closer reading of the report, however, makes that conclusion less clear. For example the report notes that of the 2011 incidents an unspecified number were “due to a large number of Internet facing control system devices reported by independent researchers” (pg 5); presumably those incidents could have been reported in 2010 or 2009 if the tools for detecting internet facing devices had been available in those earlier years.
No ICS Threat Identified
The other misleading aspect of this report is that it is supposedly about the ICS threat landscape during the period. Unfortunately, the vast bulk of the incidents appear to be on enterprise systems at these facilities, not control systems. Of the incidents reported in any detail in this report (and the details are deliberately and rightfully sketchy) only three deal with actual control systems; a Stuxnet infection clearance, an environmental control system problem, and a water system pump problem. The last two were determined not to be related to a cyber-attack.
What the Report Doesn’t Say
The report does identify a number of incidents where sophisticated targeted attack were directed at critical infrastructure organizations. And it does briefly mention that there were multiple indications of information being exfiltrated from some of those infected systems. Unfortunately it doesn’t appear that anyone has any real idea of what types of information were taken; it could easily be assumed that control system access and topography data could have been copied that would allow for a sophisticated follow-on attack.
The report also makes no attempt to compare the reported attacks to a number of attacks detected but not reported to ICS-CERT or to a number of successful attacks that were not detected. While any such numbers would be guesses (hopefully educated guesses) they would give a better look at the potential threat landscape. As it stands this report seems to indicate that the overall threat to the ICS community is really rather small.
With the Senate perhaps (don’t really hold your breath) set to take up some sort of ‘comprehensive’ cybersecurity legislation in the coming weeks this report does a disservice to the control system community. It minimizes the potential threat to critical infrastructure control systems and makes the case quite firmly that there is no need for any regulation of cybersecurity for control systems. In fact, a diligent bean counter that read this report would conclude that there is little or no need for spending any significant corporate resources on control system security.
Because this politically inept report does not address the issue of the sharp increase in the vulnerabilities reported in control systems and the increasing interest in the hacker (black and white) community in finding the vulnerabilities in these systems, the report does not identify the increasing probability of attacks, sophisticated and otherwise, on control systems. It does not explain to the uninitiated that the landscape is quickly changing in that it is becoming easier to attack control systems and this presages a probable radical increase in actual attacks on control systems.
For those of us in the control system security community, this is a valuable report on what ICS-CERT has done, but it handicaps us in our ability to protect the critical infrastructure control systems in this country from future attacks.