Early this afternoon the DHS ICS-CERT published the October-December issue of the ICS-CERT Monitor. Sometime later this afternoon all mention of it was removed from the ICS-CERT web page. Fortunately, the link provided earlier this afternoon is still functioning.
ICS-CERT Incident Response
The Monitor reports that ICS-CERT responded to 256 incidents in 2013. There is a lot of miscellaneous information about these incidents, but there is not a single conclusive mention of a control system being directly involved in any of them.
Lacking any specific mention of ICS attacks, the most disturbing data point in this section of the Monitor is that, of the 256 incidents, the ICS-CERT team could not determine whether there had actually been an attack in 120 of them (almost 47%). The reason given was that “the detection capabilities and log records were inadequate to positively determine if threat actors were able to penetrate the network and maintain a presence” (pg 2).
This section of the Monitor contains an interesting discussion of application whitelisting challenges. Another brief article discusses the Network Architecture Verification and Validation technique to detect communications attempts (and completions) with sources outside of the network. The use of Business Impact Analysis to prepare for attacks that are designed to dismantle or destroy a network asset was also discussed in a brief article.
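The Network Architecture Verification and Validation idea mentioned above comes down to knowing which addresses belong to the control network and then listing every flow whose other end does not. The script below is an added illustration of that check and is not from the Monitor, from ICS-CERT, or from this blog; the address ranges, the flow-record format and the sample records are all constructed assumptions. It also separates connection attempts from completed connections, which is only possible when the log records a connection state, which is exactly the kind of logging gap the 47% figure above points at.

```python
"""Flag ICS network flows whose peer is outside the plant's address space.

Added illustration of the Network Architecture Verification and Validation
idea: given a flow log, list every connection attempt and every completed
connection involving an address outside the defined network. The address
ranges, log format and sample records are assumptions, not site data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed plant address space: anything outside these ranges is "external".
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),      # assumed control-system VLANs
    ipaddress.ip_network("192.168.50.0/24"),   # assumed engineering workstations
]

# Constructed sample records (timestamp src dst dport proto state).
# The "state" field is what lets attempts be told apart from completions;
# a log without it cannot answer the question the Monitor raises.
SAMPLE_FLOWS = """\
2013-11-04T10:01:05 10.20.1.15 10.20.1.40 502 tcp established
2013-11-04T10:01:09 10.20.1.15 198.51.100.7 443 tcp attempted
2013-11-04T10:02:33 10.20.1.22 203.0.113.9 8080 tcp established
2013-11-04T10:03:01 192.168.50.5 10.20.1.40 44818 tcp established
2013-11-04T10:03:40 203.0.113.20 10.20.1.15 22 tcp attempted
this line is malformed and must be skipped
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPAddress
    dst: IPAddress
    dport: int
    proto: str
    state: str  # "attempted" or "established"


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, dport, proto, state = parts
    try:
        return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                    int(dport), proto.lower(), state.lower())
    except ValueError:
        return None


def is_internal(addr: Union[str, IPAddress]) -> bool:
    """True when the address falls inside one of the defined plant ranges."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return any(addr in net for net in INTERNAL_NETWORKS)


def external_peer(flow: Flow) -> Optional[IPAddress]:
    """Return the external end of the flow, or None when both ends are internal."""
    if not is_internal(flow.dst):
        return flow.dst
    if not is_internal(flow.src):
        return flow.src
    return None


def find_external_flows(log_text: str) -> List[Tuple[Flow, str]]:
    """Return (flow, direction) for every flow that has an external peer.

    direction is "outbound" when an internal host initiated the flow and
    "inbound" when the external address did.
    """
    findings = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or external_peer(flow) is None:
            continue
        direction = "outbound" if is_internal(flow.src) else "inbound"
        findings.append((flow, direction))
    return findings


def summarize(log_text: str) -> Dict[str, int]:
    """Count external attempts, external completions and unparseable lines."""
    counts = {"attempted": 0, "completed": 0, "skipped": 0}
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            counts["skipped"] += 1
            continue
        if external_peer(flow) is None:
            continue
        counts["completed" if flow.state == "established" else "attempted"] += 1
    return counts


if __name__ == "__main__":
    for flow, direction in find_external_flows(SAMPLE_FLOWS):
        print(f"{flow.ts} {direction:8} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} [{flow.state}]")
    print(summarize(SAMPLE_FLOWS))
```

The useful output is less the list of flagged flows than the "skipped" count: records that cannot be parsed, or a log that lacks a state field, are the cases where an analyst ends up unable to say whether a connection ever completed, which is the position ICS-CERT describes for 120 of its 256 incidents.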