The companies that control critical infrastructure in the United States are reporting higher numbers of attacks on their systems over the past three years, according to a report issued by the Department of Homeland Security.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) says the number of reported attacks is up and attackers have been targeting companies with access to the country’s power grid, water filtration facilities and a nuclear facility.
According to the report, which was released last week, there were 198 incidents reported to DHS in 2011, up from nine incidents in 2009. Cyber emergency response teams went to the physical locations to investigate and further analyze the threats in 17 of the 198 cases in 2011.
The most common threat was a technique known as spear-phishing, which can corrupt a company’s computer system by uploading malicious attachments and gaining access to sensitive information. Eleven of the 17 incidents to which the emergency response teams physically responded were attacks that had been launched by “sophisticated actors,” the report said.
The reported incident against a nuclear facility, which the department did not specifically name, was found to be the result of a USB drive that an employee had used to download presentation materials onto a laptop. Those materials included malware that was then able to spread to 100 hosts on the network, according to Homeland Security.
The government has made a point of not identifying companies by name due to fear that such public exposure would deter other companies who are the victims of similar attacks from coming forward and sharing information about the threats.
The report also identified common trends that allowed attackers to penetrate systems. They included employees who were not properly aware of potential dangers and technical and process flaws that left their systems exposed to attack.
The Department of Homeland Security sees the rise in the number of reported events as a sign that businesses are trusting the government more when it comes to allowing federal investigators to access their systems.
“Incident response is an essential part of cybersecurity,” DHS spokesman Peter Boogaard said Wednesday. “DHS has made a consistent effort to work with public and private sector partners to develop trusted relationships and help asset owners and operators establish policies and controls that prevent incidents. The number of incidents reported to DHS’s ICS-CERT has increased partly due to this increased communication.”
The sensitivity over the public-private partnership remains a hotly debated issue in Washington, as lawmakers try to come up with legislation that would require acceptable minimum security standards for companies that operate critical infrastructure systems. Republican-backed proposals have included making the exchange of information between private companies and the government voluntary. Other initiatives, including a bipartisan bill backed by Sens. Joe Lieberman, I-Connecticut, and Susan Collins, R-Maine, would require companies to prove to the government that minimum security standards are in place, and would make that information subject to a government audit.