DHS Sounds Alarm on Gas Line Cyberthreat
May 9, 2012 8:59 AM PT
For months, the nation's natural gas pipeline industry has been under persistent cyberattack from unknown parties, the U.S. Department of Homeland Security (DHS) revealed this week.
"DHS's Industrial Control Systems Cyber Emergency Response Team [ICS-CERT] has been working since March 2012 with critical infrastructure owners and operators in the oil and natural gas sector to address a series of cyberintrusions targeting natural gas pipeline companies," DHS spokesperson Peter Boogaard said Tuesday.
"The cyber intrusion involves sophisticated spear-phishing activities targeting personnel within the private companies," he continued. "DHS is coordinating with the FBI and appropriate federal agencies, and ICS-CERT is working with affected organizations to prepare mitigation plans customized to their current network and security configurations to detect, mitigate and prevent such threats."
Although the department did not identify who was behind the attacks, ICS-CERT noted in its April bulletin that it had "positively identified" the online offensive as a "single campaign with spear-phishing activity dating back to as early as December 2011."
Another question unanswered by the DHS is whether the attacks have jeopardized any of the control systems of the gas pipeline companies. An attack on those systems could result in a disruption in the delivery of natural gas to the nation.
"It isn't clear whether the pipelines themselves were affected, as opposed to the business networks of the pipeline companies," Joe Weiss, an industrial control security consultant with Applied Control Solutions, told TechNewsWorld.
"There is all kinds of monitoring for phishing and everything else on the corporate networks," he explained. "There's very little of it that you would find on a pipeline control system network."
"Are these systems vulnerable? Absolutely," he said.
Whether control systems are a main target or not, organizations still need to exercise caution, according to Brian Contos, the senior director and customer security strategist at cybersecurity software maker McAfee.
"There is always control system risk when under attack," he told TechNewsWorld.
Combines Night Dragon and Stuxnet
Based on the information that's been made public, the intrusions have characteristics of both the Night Dragon and Stuxnet attacks, according to Donald "Andy" Purdy, chief cybesecurity strategist at Computer Sciences and a member of the team that crafted in 2003 George W. Bush's National Strategy to Secure Cyberspace.
Night Dragon was what McAfee called a string of intrusions it reported in February 2011 targeted a specific organizations and designed to steal sensitive data from them.
Stuxnet is a computer worm used to disrupt Iran's nuclear development program by attacking its control systems for the centrifuges used to enrich uranium.
Like Stuxnet, this campaign is being sustained over a long period of time, he explained, and like Night Dragon, it's targeted at specific organizations.
Searching for IP
Purdy explained that the current campaign against the gas pipeline companies could be a prelude to future malicious activity. "There's a whole range of things they can do if they gain access at the system at the administrator level," he told TechNewsWorld.
"It gives them the ability, should their intent change, to do active harm in the future," he added.
Campaigns like the one described by the DHS are not uncommon, according to Liam O Murchu, a researcher with Symantec.
"Based on the fact that it's using spear phishing and is targeting a specific industry, this is the type of thing we've seen before," he told TechNewsWorld.
"We've seen it happening for a few years now," he continued. "It's becoming more widespread."
Attackers, he explained, will target a certain industry for a period of time, then move on to another one. "That could be what we're seeing here," he said.
These kinds of attacks typically don't target control systems, he added. "We've seen them attacking the corporate side," he noted. "They're looking for intellectual property stored on the network rather than attacking the actual control systems themselves."
"We haven't seen any attacks on control systems via malware and spear phishing targeted email attacks," he said. "The only time we've seen that was in Iran. We haven't seen it anywhere outside that."