ICS-CERT alert: Natural gas pipelines under attack?

The latest incident response report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) — part of DHS — warns of an ongoing cyberattack against the computer networks of US natural gas pipeline companies.

In March, 2012, ICS-CERT identified an active series of cyber intrusions targeting natural gas pipeline sector companies. Various sources provided information to ICS-CERT describing targeted attempts and  intrusions into multiple natural gas pipeline sector organizations.

Analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign with spear-phishing activity dating back to as early as December 2011. Analysis shows that the spear-phishing attempts have targeted a variety of personnel within these organizations; however, the number of persons targeted appears to be tightly focused. In addition, the e-mails have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization. ICS-CERT has issued an alert (and two updates) to the US-CERT Control Systems Center secure portal library and also disseminated them to sector organizations and agencies to ensure broad distribution to asset owners and operators. ICS-CERT Alerts are intended to provide early warning indicators of threats and vulnerabilities for the community to act upon quickly. While ICS-CERT strives to make as much information publicly available as possible, the indicators in these alerts are considered sensitive and cannot be disseminated through public or unsecure channels. ICS-CERT will continue to issue updates as new information is uncovered.

ICS-CERT is currently engaged with multiple organizations to provide remote and onsite analytic assistance to confirm the compromise, extent of infection, and assist in removing it from networks. ICS-CERT does NOT recommend enabling the intrusion activity to persist within networks and has been working aggressively with affected organizations to prepare mitigation plans customized to their current network security configurations to remove the threat and harden networks from re-infection.

In addition, ICS-CERT recently conducted a series of briefings across the country to share information related to the intrusion activity with oil and natural gas pipeline companies. These briefings provided additional context of the intrusions and mitigations for detecting and removing the activity from networks. ICS-CERT will continue to work with private sector and government partners to respond to this and other cyber threats.

Combating sophisticated attacks are challenging for any company and therefore, ICSCERT is working with partners to evaluate a more strategic and layered approach to detecting and mitigating these threats. ICS-CERT is also preparing additional mitigation information that will be released in an upcoming Advisory. Until then, ICS-CERT continues to recommend Defense-in-Depth practices and educating users about social engineering and spear-phishing attacks. Organizations are also encouraged to review ICS-CERT’s Incident Handling Brochure for tips on preparing for and responding to an incident.

Asset owners/operators who would like access to the portal or to the alerts can contact ICS-CERT at ics-cert@dhs.gov. Alternatively, they can work with their sector Information Sharing and Analysis Center (ISAC) or sector source for cyber alerts and information sharing to obtain the ICS-CERT Alerts.

In this particular campaign, reporting organizations enabled ICS-CERT to analyze the data and create an overall view of the activity in progress. This would not have been possible without the active cooperation of the reporting organizations, so ICS-CERT commends those involved and requests continued private sector reporting whenever possible. ICSCERT provides secure portal access to critical infrastructure asset owners and government agency personnel who are tasked with protecting critical infrastructure.

See GAS PIPELINE CYBER INTRUSION CAMPAIGN from the US Department of Homeland Security.

Tags: , , , , ,