Attackers successfully infiltrated computer systems at the Department of Energy more than 150 times between 2010 and 2014, according to a review of federal documents by USA Today that were obtained as a result of a Freedom of Information Act request. In all, DoE networks were targeted 1,131 times over the four-year span.
While this sounds worrying -- the DoE oversees the country's power grid and nuclear weapons stockpile, after all -- a few items are missing from the report. The attacks appear to be against the DoE's office systems and not the real-time systems that control the power grid. Those systems are typically operated by utilities and aren't directly connected to DoE's networks. The attacks in the USA Today report are equivalent to the kind universities, corporations, and other organizations regularly face.
Attackers also successfully hit the National Nuclear Security Administration, a DoE sub-agency in charge of securing nuclear weapons, 19 times over the four years. But again, there's no indication the attackers got beyond the office network to reach the secure network used to connect systems that actually manage nuclear assets.
There's a big difference between the systems actually used in managing critical infrastructure and the computers used by DoE employees and contractors. The USA Today report does not make clear which systems were targeted.
A tale of two networks
It's easy to blur the distinction between the two. Most critical infrastructure operators have a corporate network used by the employees for day-to-day operations and a separate network used for industrial control systems.
In an electric utility, for example, the control systems monitor the systems that generate and distribute electricity, the temperature within the facility, and other real-time safety controls. The computer with information about individual employees would typically be on the separate corporate network.
Nonetheless, there's plenty to worry about regarding the security of the industrial control systems. While there have been only a handful of reports of damaging industrial control systems attacks (contrary to movies and TV scripts), many such systems have vulnerabilities that could be exploited with devastating results. The most notable, of course, is the Stuxnet operation in 2011 against Iran's nuclear facilities. In 2014, attackers targeted a German steel mill.
Researchers are uncovering record numbers of industrial control system vulnerabilities, and many proofs of concept and exploits are being created, according to an analysis by the threat intelligence firm Recorded Future of roughly 400 issues documented in NIST vulnerability database. Security researchers uncovered more than 100 industrial control systems vulnerabilities in 2012, compared to less than a dozen reported in 2011 and years prior. Vulnerability disclosures were at record levels in 2013 and 2014, and researchers have already disclosed close to 50 new flaws between January and July of this year.
Industrial control system products from Siemens and Schneider Electric account for roughly half of all the industrial control system bugs disclosed since 2007 -- which makes sense, since they are two of the largest industrial automation vendors in the world.
There were only six industrial control system exploits in 2010, a figure that more than tripled by 2014. As for 2015, there are already 14 such exploits as of mid-July, Recorded Future found. The bulk of exploits available since 2010 target products from Siemens, Schneider Electric, Advantech, CoDoSys, and DATAC. Researchers have identified flaws in such products as Siemens SIMATIC, Siemens WinCC, Advantech Broadwin, Schneider WonderWare, and GE Proficy.
Destructive attacks looming
While direct attacks on industrial control networks pose the greatest threat, successful attacks on office networks at agencies like the DoE carry their own hazards.
Sensitive information like operations details and floor plans related to the grid could be exploited for nefarious purposes. Attackers with an eye toward the long game can sniff out information about investments related to the grid, such as contracts indicating what kind of equipment the utilities own. This is the kind of information attackers can use when crafting campaigns against the power grid.
"With 150 successful attacks against the Department of Energy, these groups may already have what they need to conduct a successful operation. They have personnel records that can be mined for weak links and, potentially, other information that can also be reviewed for weaknesses," said Philip Casesa, (ISC)2's Director of Product Development and Portfolio Management.
Unfortunately, like other government agencies, the DoE has struggled in recent years to properly secure its systems. Attackers accessed personally identifying information for more than 104,000 Energy Department employees and contractors back in 2013. Last year's audit report by the Inspector General found 41 Energy Department servers and 14 workstations "were configured with default or easily guessed passwords."
USA Today found that 53 of the 159 successful intrusions were "root compromises," meaning perpetrators gained administrative privileges to Energy Department computer systems. USA Today said it was not able to determine whether the attackers picked up any sensitive information about the country's power grid or nuclear stockpile, and the department is not talking.
State-based attacks against critical infrastructure “are perceived to be close to war,” and cyber criminals are less likely to target power grids and other utilities because there isn't a lot of financial gain in those attacks. The greatest threat comes from groups interested in extortion and destruction, which have nothing to do with financial gain or warfare. Consider the attacks against Sony and Sands, groups threatening distributed denial of service attacks against organizations who don't pay protection money, and ransomware. With the growing number of ICS vulnerabilities being disclosed and the availability of exploits, critical infrastructure is a target.
“ICS is a perfect place to take this behavior,” Recorded Future wrote.