U.S. Natural Gas Sector Hit by Coordinated Cyber Attacks
The U.S. government is moving quickly to respond to an ongoing series of cyber attacks on companies in the natural gas pipeline sector, according to the Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, at the Department of Homeland Security.
In a daily report released Tuesday, DHS reported that the coordinated cyber intrusions targeting natural gas companies began in December last year and have continued for the past five months. "Analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign," ICS-CERT noted earlier this month.
These cyber attacks are being launched through the use of so-called spear-phishing attempts, which specifically target individuals within a company or organization. Phishing attacks generally involve e-mail spoofing or instant messaging activities that direct users to a fake online destination masquerading as a legitimate Web site, where the victims are asked to submit additional data.
With respect to the ongoing attacks on private natural gas companies, ICS-CERT noted that the number of persons targeted appears to be tightly focused. "In addition, the e-mails have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization," ICS-CERT explained in a statement.
A Coordinated Response
ICS-CERT has asked all private companies operating natural gas facilities to submit the requisite data for identifying the scope of the infection as well as for developing a plan for mitigating the damage and eradicating the threat from the infected networks. According to the U.S. industry publication Natural Gas Intelligence, Obama administration officials and Senate staff met Monday to discuss the ongoing threat to the nation's energy production infrastructure.
"DHS is coordinating with the FBI and appropriate federal agencies, and ICS-CERT is working with affected organizations to prepare mitigation plans customized to their current network and security configurations to detect, mitigate and prevent such threats," DHS spokesman Peter Boogaard said, according to Natural Gas Intelligence.
ICS-CERT has already held a series of briefings with oil and natural gas pipeline companies across the nation. The bottom line is that the entire U.S. natural gas sector has been notified that allowing these intrusion activities to persist within their networks is not an option.
The big question, however, is how businesses located near a natural gas facility might potentially be impacted by a successful cyber intrusion at the plant. The DHS did not immediately respond to our request for further information, but Natural Gas Intelligence spokesperson Alex Steis noted that the Federal Energy Regulatory Commission has already "conducted a number of studies on the potential of a cyber attack on U.S. pipelines."
Adopting a Defense-in-Depth Strategy
In advance of releasing additional mitigation information in an advisory, ICS-CERT continues to advise U.S. natural gas companies to adopt a "defense-in-depth" security strategy that includes the regular monitoring of log files by experienced administrators, together with the upgrading, patching or removal of vulnerable legacy software applications.
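One concrete form the log monitoring recommended above can take, aimed at the spoofed-internal-sender e-mails described earlier in the article, is shown below as an added example; it is not code from the article, ICS-CERT or any affected company. The gateway log format, the organization's domain (example-gas.test) and its relay ranges are all constructed assumptions.

```python
# Added example (not from the article or ICS-CERT): a log check for messages
# that claim an internal sender but arrived from outside the organization's
# own relays or failed SPF. Domain, ranges and log format are constructed.
import ipaddress
import re

INTERNAL_DOMAIN = "example-gas.test"                      # assumed org domain
INTERNAL_RELAYS = [ipaddress.ip_network("10.20.0.0/16"),  # constructed ranges
                   ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample lines in a key=value format; not a real product's format.
SAMPLE_LOG = """\
msgid=1001 client_ip=10.20.4.7 from=ops.lead@example-gas.test spf=pass subject="Shift report"
msgid=1002 client_ip=203.0.113.45 from=cfo@example-gas.test spf=fail subject="Urgent: wire instructions"
msgid=1003 client_ip=198.51.100.9 from=vendor@supplier.test spf=pass subject="Invoice"
msgid=1004 client_ip=203.0.113.80 from=it.helpdesk@example-gas.test spf=none subject="Password reset"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line: str) -> dict:
    """Split one log line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def is_internal_relay(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RELAYS)

def flag_spoofed_internal(log_text: str) -> list:
    """Return events whose sender claims the internal domain although the
    message came from a non-internal relay or did not pass SPF."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        sender_domain = ev.get("from", "").rpartition("@")[2].lower()
        if sender_domain != INTERNAL_DOMAIN:
            continue  # an external sender address is not this pattern
        external_origin = not is_internal_relay(ev["client_ip"])
        spf_not_pass = ev.get("spf", "none") != "pass"
        if external_origin or spf_not_pass:
            ev["reason"] = "external-origin" if external_origin else "spf"
            flagged.append(ev)
    return flagged

if __name__ == "__main__":
    for ev in flag_spoofed_internal(SAMPLE_LOG):
        print(ev["msgid"], ev["from"], ev["client_ip"], ev["reason"])
```

On the constructed log, messages 1002 and 1004 are flagged; 1001 is a genuine internal message and 1003 is an ordinary external sender.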
Still, ICS-CERT noted that even companies with the best firewall configurations, security software and a well-trained IT management staff remain vulnerable to cyber attacks, which means they need to be prepared to handle and analyze any intrusions that occur. ICS-CERT recommends that companies prepare and regularly review incident preparedness and response checklists that will enable them to document and respond to any cyber incidents.
Full documentation includes IP ranges and hostnames; DNS information; software and operating system names, versions and patch levels; user and computer roles; and ingress as well as egress points between networks. Additionally, companies are advised to compile an incident report that specifies the affected IPs, the method of detection, the type of assistance required and the attack's potential operational impact.