Continuing a now well established trend, the utility sector continued to be the most highly targeted industry for cyber attacks in 2014. In second place for such attacks was the critical manufacturing sector. Included in that sector are companies that manufacture the control systems used by utilities and power generators around the world. Combined, these accounted for 59 percent of the reported attacks. When adding in water, nuclear, and telecommunications the total rises to 71 percent. For comparison, the financial industry represented just 1 percent of reported attacks.
The recently published Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) report did find that while this sector had the greatest number of cyber attacks, the number of reported incidents declined from the previous year. The report struck a cautionary note, however, stating that a reduction in the number of incidents does not equate to less attacks because “many more incidents occur in critical infrastructure that go unreported.” The ICS-CERT report also noted that nearly 55 percent of all reported attacks came from “sophisticated actors.” Interestingly, “attacks” have been as simple as phone calls attempting to secure information from employees or simple “phishing” attempts that dupe employees into disclosing information that may grant access to a company’s system architecture. The ICS-CERT report detailed that attacks included unauthorized access and exploitation of Internet facing industrial control systems (SCADA).
Perhaps most troubling, were the attacks that successfully exploited unknown security “holes” that allowed cyber attackers to penetrate systems. A successful attack could deploy malicious code or create “backdoors” for later entry by the attacker. In defending against these attacks, companies work to isolate the attacked portion of the system. Typically, approaches include physical, electronic, or electromagnetic separation from the rest of the system. The Department of Homeland Security and the Federal Bureau of Investigation have been actively engaged in the defense and identification of two particularly sophisticated malware attacks – Havex and Black Energy.
Defending against cyber attacks remains a mission critical item for utilities, critical manufacturers, and all businesses. Because cyber attacks and cyber crime have so many angles – identify theft, corporate espionage, financial, or geopolitical strategy – companies and their employees must continue being vigilant for emerging trends and techniques of attack, and how to defend against them. Statistics demonstrate that people and human error are the most frequent and likely means of penetration through a company’s system. Whether clicking on an embedded hyperlink in an email, responding to a phishing email before considering its validity, or the accidental loss of computers, tablets, or smartphones without security measures, human error or carelessness is a very common cause of cybersecurity breaches.
Companies are responding by requiring annual (or more frequent) training on cyber related issues and basic defense against known means of attacks. By doing so, companies derive at least two main benefits. First, by requiring the training exercise, it keeps the cyber issue in the front of employees minds. Second, it exposes employees to common techniques of attack, how to specifically identify the common approaches, and how to respond – both in denying the attacker access and to make the company aware so it can respond across the board.