Reports of attacks on the Department of Energy raise alarms

The power grid may not be in immediate danger, but that doesn't mean the threat to critical infrastructure isn't there

Attackers successfully infiltrated computer systems at the Department of Energy more than 150 times between 2010 and 2014, according to USA Today's review of federal documents obtained through a Freedom of Information Act request. In all, DoE networks were targeted 1,131 times over the four-year span.

While this sounds worrying -- the DoE oversees the country's power grid and nuclear weapons stockpile, after all -- there are a few things missing from the report. The attacks appear to be against the DoE's office systems and not the real-time systems that control the power grid. Those systems are typically operated by utilities and aren't directly connected to DoE's networks. The attacks in the USA Today report are equivalent to the kind universities, corporations, and other organizations regularly face.

Attackers also successfully hit the National Nuclear Security Administration, a DoE sub-agency in charge of securing nuclear weapons, 19 times over the four years. But again, there's no indication the attackers got beyond the office network to reach the secure network used to connect systems that actually manage nuclear assets.

There's a big difference between the systems actually used in managing critical infrastructure and the computers used by DoE employees and contractors. The USA Today report does not make clear which systems were targeted.

A tale of two networks

It's easy to blur the distinction between the two. Most critical infrastructure operators have a corporate network used by the employees for day-to-day operations and a separate network used for industrial control systems.

In an electric utility, for example, the control systems monitor and operate the equipment that generates and distributes electricity, the temperature within the facility, and other real-time safety controls. Computers holding information about individual employees would typically sit on the separate corporate network.
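One way to make that separation concrete is to audit firewall rules against a zoning policy. The following is an added example, not code from the article or from any utility: it assumes three zones (corporate IT, an ICS DMZ holding historians and jump hosts, and the control network) with made-up address ranges, a simple rule format, and constructed sample rules, and it flags any permit rule that lets corporate or outside traffic reach the control zone without passing through the DMZ.

```python
"""Audit firewall rules against a corporate / ICS-DMZ / control-network zoning policy.

Added example, not from the article. The zones, address ranges, rule format and
sample rules below are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed zoning: office IT, an ICS DMZ (historian, jump hosts), and the control network.
ZONES = {
    "corporate": [ipaddress.ip_network("10.10.0.0/16")],
    "ics_dmz":   [ipaddress.ip_network("10.20.0.0/24")],
    "control":   [ipaddress.ip_network("192.168.100.0/24")],
}
ALL_ZONE_NETS = [n for nets in ZONES.values() for n in nets]

# Policy: the control zone talks only to the DMZ; corporate reaches the DMZ, never
# control; anything outside the defined zones ("external") reaches corporate at most.
ALLOWED: Set[Tuple[str, str]] = {
    ("corporate", "ics_dmz"),
    ("ics_dmz", "corporate"),
    ("ics_dmz", "control"),
    ("control", "ics_dmz"),
    ("external", "corporate"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # CIDR, or "any"
    dst: str               # CIDR, or "any"
    dport: Optional[int]   # None means any port


def zones_covered(cidr: str) -> Set[str]:
    """Return every zone a rule's address range overlaps.

    "any" covers all zones plus "external". A range that overlaps a zone but is
    not fully inside one also counts as "external", so an over-broad supernet
    cannot hide a path from outside the defined zones.
    """
    if cidr == "any":
        return set(ZONES) | {"external"}
    net = ipaddress.ip_network(cidr, strict=False)
    hit = {z for z, nets in ZONES.items() if any(net.overlaps(n) for n in nets)}
    if not any(net.subnet_of(n) for n in ALL_ZONE_NETS):
        hit.add("external")
    return hit


def violations(rules: List[Rule]) -> List[Tuple[str, str, str, Optional[int]]]:
    """List (rule name, source zone, destination zone, port) for every allow rule
    that permits a zone-to-zone flow the policy does not allow."""
    found = []
    for r in rules:
        if r.action != "allow":
            continue
        for s in zones_covered(r.src):
            for d in zones_covered(r.dst):
                if s != d and (s, d) not in ALLOWED:
                    found.append((r.name, s, d, r.dport))
    return sorted(found, key=lambda v: (v[0], v[1], v[2]))


# Constructed sample rule set, in the order a firewall would evaluate it.
SAMPLE_RULES = [
    Rule("office-to-historian", "allow", "10.10.0.0/16", "10.20.0.0/24", 443),
    Rule("historian-polls-plcs", "allow", "10.20.0.5/32", "192.168.100.0/24", 502),
    Rule("vendor-remote-support", "allow", "any", "192.168.100.0/24", 3389),
    Rule("engineering-direct-to-plc", "allow", "10.10.50.0/24", "192.168.100.0/24", 102),
    Rule("default-deny", "deny", "any", "any", None),
]

if __name__ == "__main__":
    for name, s, d, port in violations(SAMPLE_RULES):
        print(f"{name}: {s} -> {d} on port {port} is not permitted by policy")
```

Run as-is, the script reports two rules: the vendor remote-support rule opens RDP to the control zone from everywhere (corporate and external), and the engineering rule lets an office subnet talk to PLCs directly. Office access to the historian and the historian's own polling of the control network pass, because both go through the DMZ.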

Nonetheless, there's plenty to worry about regarding the security of the industrial control systems. While there have been only a handful of reports of damaging industrial control system attacks (contrary to movies and TV scripts), many such systems have vulnerabilities that could be exploited with devastating results. The most notable, of course, is the Stuxnet operation against Iran's uranium enrichment facilities, discovered in 2010. In 2014, attackers targeted a German steel mill and, according to Germany's federal IT security office (BSI), caused massive damage to a blast furnace.

Researchers are uncovering record numbers of industrial control system vulnerabilities, and many proofs of concept and exploits are being created, according to an analysis by the threat intelligence firm Recorded Future of roughly 400 issues documented in NIST's National Vulnerability Database. Security researchers uncovered more than 100 industrial control system vulnerabilities in 2012, compared to fewer than a dozen reported in 2011 and in earlier years. Vulnerability disclosures were at record levels in 2013 and 2014, and researchers disclosed close to 50 new flaws between January and July of 2015.

Industrial control system products from Siemens and Schneider Electric account for roughly half of all the industrial control system bugs disclosed since 2007 -- which makes sense, since they are two of the largest industrial automation vendors in the world.

There were only six industrial control system exploits in 2010, a figure that more than tripled by 2014. As for 2015, there were already 14 such exploits as of mid-July, Recorded Future found. The bulk of exploits available since 2010 target products from Siemens, Schneider Electric, Advantech, CODESYS, and DATAC. Researchers have identified flaws in such products as Siemens SIMATIC, Siemens WinCC, Advantech/BroadWin WebAccess, Schneider Electric's Wonderware, and GE Proficy.

Destructive attacks looming

While direct attacks on industrial control networks pose the greatest threat, successful attacks on office networks at agencies like the DoE carry their own hazards.

Sensitive information such as operational details and floor plans related to the grid could be put to nefarious use. Attackers playing the long game can sniff out information about investments in the grid, such as contracts indicating what kind of equipment the utilities own, and that is exactly the kind of reconnaissance data an attacker uses when crafting a campaign against the power grid.

"With 150 successful attacks against the Department of Energy, these groups may already have what they need to conduct a successful operation. They have personnel records that can be mined for weak links and, potentially, other information that can also be reviewed for weaknesses," said Philip Casesa, (ISC)2's Director of Product Development and Portfolio Management.

Unfortunately, like other government agencies, the DoE has struggled in recent years to properly secure its systems. Attackers accessed personally identifiable information on more than 104,000 Energy Department employees and contractors back in 2013. The Inspector General's 2014 audit report found that 41 Energy Department servers and 14 workstations "were configured with default or easily guessed passwords."

USA Today found that 53 of the 159 successful intrusions were "root compromises," meaning the perpetrators gained administrative privileges on Energy Department computer systems. USA Today said it was not able to determine whether the attackers picked up any sensitive information about the country's power grid or nuclear stockpile, and the department declined to comment.

State-based attacks against critical infrastructure "are perceived to be close to war," and conventional cyber-criminals are less likely to target power grids and other utilities because there isn't much financial gain in those attacks. The greatest threat comes from groups interested in extortion and destruction, which fit neither the nation-state nor the traditional for-profit mold. Consider the destructive attacks against Sony and Las Vegas Sands, groups threatening distributed denial-of-service attacks against organizations that don't pay protection money, and ransomware. With the growing number of ICS vulnerabilities being disclosed and the availability of exploits, critical infrastructure is a target.

“ICS is a perfect place to take this behavior,” Recorded Future wrote.

By Fahmida Y. Rashid