Yesterday the DHS ICS-CERT published their 2015 Year in Review (.PDF). This color glossy (okay, it’s a .PDF document, but the old print term still applies) annual report would not be out of place in a Fortune 1000 Company prospectus; lots of fluff and numbers, but no real details.
Actually, I had planned on reporting on this last night, but I could not find the report. It is mentioned on the ICS-CERT landing page. The link on that page takes you to a page about the report, but there is no link on that page to the .PDF document [NOTE: There is now a link to the document on this page; 4-20-16 13:30 EDT]. Fortunately, this morning a TWEET from ICS-CERT contained an actual link to the document.
For those wanting a brief synopsis of the document, you need to read no further than Marty Edward’s introduction on page 3 (the first page of actual text):
“In FY 2015, ICS-CERT responded to 295 cyber incidents, handled 486 vulnerabilities, performed in-depth analysis on 175 malware samples, conducted 112 assessments, released two new versions of the Cyber Security Evaluation Tool (CSET®), upgraded the Virtual Learning Portal, hosted multiple regional trainings around the country, and hosted two successful Industrial Control Systems Joint Working Group (ICSJWG) meetings in Washington, D.C., and Savannah, Georgia.”
The fluff that follows provides little more in the way of detail. There is no mention of how many of the 295 cyber incidents actually involved control systems. We know from the reports from the various ICS Monitor publications during the year that they do not all involve ICS; presumably most do not since ICS incidents are seldom mentioned.
The 175 malware samples sound impressive, but there is no indication in how many different types of malware were included. We know that some number were Black Energy because of the YARA rules for multiple variations that were published by ICS-CERT. No other YARA rules have been published to date, so one might conclude that only Black energy malware samples have been analyzed in depth; if so, that is disappointing.
As with most annual reports, this looks like it was prepared to impress investors that do not have time or the inclination to do real research into a company. If that is the case, Congressional readers should be happy.