Study: Attackers Continuously Targeting US Gas Utilities

Unknown attackers have targeted the Internet-connected systems of natural-gas companies, using brute-force attacks to attempt to access the companies’ business and process-control networks, according to a report published last week by the Internet Control System Cyber Emergency Response Team (ICS-CERT).

The incidents, which occurred in January and February, were first reported to the ICS-CERT, a component of the US Department of Homeland Security, in late February, the group stated in its quarterly public report on cyber threats.

Critical infrastructure under attack

Following the initial report and a subsequent warning from the ICS-CERT, more critical infrastructure companies came forward with news of other incidents.

“The companies reporting this activity operate gas compressor stations across the Midwest and Plains states within the US, although some of the attempts reported were solely against business networks,” the report stated. “While none of the brute force attempts were successful, these incidents highlight the need for constant vigilance on the part of industry asset owners and operators.”

The last attack occurred on 23 February, according to the report. While the ICS-CERT claimed that no new attacks have been detected, it’s unlikely that the attacks have stopped altogether, Tommy Stiansen, chief technology officer and co-founder of threat-intelligence firm Norse, said in an e-mail interview.

“Today all public facing IP addresses are attacked on a regular basis, but the questions are really by whom and how targeted and sophisticated are the attacks,” he said. “While there may be an element of failure to report, it may be that some of these installations are compromised but admins remain unaware due the stealthy nature of the compromise.”

Recent research published by security firm Trend Micro found that Internet-connected industrial-control systems are frequently targeted by online attackers.

The company’s researchers set up fake industrial control systems, made them appear valuable and logged 39 attacks over 28 days against the spoofed systems, the company stated in its report.

Varied sources

While the US has called out China for its attacks against sensitive industries, the attacks detected by Trend Micro have come from Internet addresses in 14 different nations. IP addresses in China accounted for about a third of the attacks, while Laos and the United States came in second and third, respectively.

The experiment, which occurred in 2012, underscores that attackers are continuously probing these important systems.

While the ICS-CERT reportedly informed industry members of the specific IP addresses that were involved in the attacks, creating block lists based on such quickly changing attributes does not work very well, Norse’s Stiansen said.

“The use of IP block lists described in the report often give admins a false sense of security,” Stiansen said. “Today cyber criminals can setup and launch attacks using botnets and other compromised hosts, quickly changing the IP address and obfuscating the location of the actual attackers.”

Are you a security pro? Try our quiz!