Hacker hits on U.S. power and nuclear targets spiked in 2012
POSTED: Wednesday, January 9, 2013 - 10:00pm
UPDATED: Wednesday, January 9, 2013 - 10:04pm
NEW YORK (CNNMoney) — America's power, water, and nuclear systems are increasingly being targeted by cybercriminals seeking to gain access to some of the nation's most critical infrastructure.
The number of attacks reported to a U.S. Department of Homeland Security cybersecurity response team grew by 52 percent in 2012, according to a recent report from the team. There were 198 attacks brought to the agency's attention last year, several of which resulted in successful break-ins.
An earlier report from DHS sketched in details on some of those successes. An unidentified group of hackers targeting natural gas pipeline companies gained access to the corporate systems of several of their targets and "exfiltrated" -- that's security-speak for "stole" -- data on how their control systems work.
The information obtained "could facilitate remote unauthorized operations," DHS said. There's no evidence the hackers have actually broken into the control systems themselves, the agency added.
The energy sector was the most-targeted field, with 82 attacks, and the water industry reported 29 attacks last year. Chemical plants faced seven cyber attacks, and nuclear companies reported six.
Hackers hit the bulls-eye on "several" of their nuclear targets: "These organizations reported that their enterprise networks were compromised and in some cases, exfiltration of data occurred," the DHS team wrote. It said that it is not aware of any successful breaches of nuclear control networks.
Those are only the attacks that we know about, though. Many companies choose not to report incidents, and the majority of cyberattacks go undiscovered, according to industry researchers.
Of course, it's not the quantity of attacks that matters. It's the small handful that succeed.
DHS warned that the nation's infrastructure is worryingly vulnerable. Using a special search engine that finds Internet-connected devices, researchers from security advocacy group InfraCritical located more nearly 500,000 devices across the country that appeared to tap into key control systems. They brought their list to DHS, which began investigating -- and confirmed that 7,200 devices on it really do appear to be linked to critical control systems.
Many of those systems are directly reachable through the Internet and "have either weak, default, or nonexistent logon credential requirements," the agency warned.
It is working with government agencies and private partners to alert system operators and close down those vulnerabilities.
A similar test of European home automation systems revealed that many of these devices had been built without security in mind. One popular smart meter device, for instance, had a default password of "1234."
Anyone with malicious intent -- terrorists, rogue or enemy nations -- could locate those devices just as easily as the researchers did.
The Obama administration and many in Congress have been more vocal about how an enemy nation or a terrorist cell could target the country's critical infrastructure in a cyberattack. Legislation aimed at preventing such attacks stalled in Congress last year.
In its report, the Department of Homeland Security advised critical infrastructure companies to keep devices linked to their control systems offline, put stronger passwords in place and implement better security protocols.
Some security experts think the nation won't crack down on securing its critical systems until there's a high-profile debacle.
"I believe that people will not truly get this until they see the physical implications of a cyber attack," Shawn Henry, who retired last year as the Federal Bureau of Investigation's top cybercrime official, said at an industry conference in July. "We knew about Osama bin Laden in the early '90s. After 9/11, it was a worldwide name. I believe that type of thing can and will happen in the cyber environment."