Industrial control system products from Siemens and Schneider Electric account for roughly half of all the industrial control system bugs disclosed since 2007 -- which makes sense, since they are two of the largest industrial automation vendors in the world.
There were only six industrial control system exploits in 2010, a figure that more than tripled by 2014. As for 2015, there are already 14 such exploits as of mid-July, Recorded Future found. The bulk of exploits available since 2010 target products from Siemens, Schneider Electric, Advantech, CoDoSys, and DATAC. Researchers have identified flaws in such products as Siemens SIMATIC, Siemens WinCC, Advantech Broadwin, Schneider WonderWare, and GE Proficy.
Destructive attacks looming
While direct attacks on industrial control networks pose the greatest threat, successful attacks on office networks at agencies like the DoE carry their own hazards.
Sensitive information like operations details and floor plans related to the grid could be exploited for nefarious purposes. Attackers with an eye toward the long game can sniff out information about investments related to the grid, such as contracts indicating what kind of equipment the utilities own. This is the kind of information attackers can use when crafting campaigns against the power grid.
"With 150 successful attacks against the Department of Energy, these groups may already have what they need to conduct a successful operation. They have personnel records that can be mined for weak links and, potentially, other information that can also be reviewed for weaknesses," said Philip Casesam, (ISC)2's Director of Product Development and Portfolio Management.
Unfortunately, like other government agencies, the DoE has struggled in recent years to properly secure its systems. Attackers accessed personally identifying information for more than 104,000 Energy Department employees and contractors back in 2013. Last year's audit report by the Inspector General found 41 Energy Department servers and 14 workstations "were configured with default or easily guessed passwords."
USA Today found that 53 of the 159 successful intrusions were "root compromises," meaning perpetrators gained administrative privileges to Energy Department computer systems. USA Today said it was not able to determine whether the attackers picked up any sensitive information about the country's power grid or nuclear stockpile, and the department is not talking.
State-based attacks against critical infrastructure “are perceived to be close to war,” and cyber-criminals are less likely to target power grids and other utilities because there isn't a lot of financial gain in those attacks. The greatest threat comes from groups interested in extortion and destruction, which have nothing to do with financial gain or warfare. Consider the attacks against Sony and Sands, groups threatening distributed denial of service attacks against organizations who don't pay protection money, and ransomware. With the growing number of ICS vulnerabilities being disclosed and the availability of exploits, critical infrastructure is a target.
“ICS is a perfect place to take this behavior,” Recorded Future wrote.
Sign up for CIO Asia eNewsletters.