Siliconcowboy's Blog

Security Industry Sources say DHS Requested Gas Pipeline Companies Let Phishers Get Inside Networks

SecurityWeek today said that the Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT) issued three successive confidential “amber” alerts at the end of March warning of an active phishing campaign targeting the U.S. natural gas infrastructure. The warnings, requested by the U.S. Department of Homeland Security (DHS), noted that multiple sources had described various features of an ongoing cyber attack.

But industry watchers expressed even greater alarm at the advice that the DHS gave to infrastructure security companies.

“There are several intriguing and unusual aspects of the attacks and the US response to them not described in Friday’s public notice,” Christian Science Monitor Staff Writer, Mark Clayton, noted. “One is the greater level of detail in these alerts than in past alerts. Another is the unusual if not unprecedented request to leave the cyber spies alone for a little while.”

According to CSM sources, energy companies were “specifically requested in a March 29 alert not to take action to remove the cyber spies if discovered on their networks, but to instead allow them to persist as long as company operations did not appear to be endangered.”

The unusual request to publicly owned companies to avoid mitigating or blocking these active intruders is “pretty unheard of,” said CSM sources.

“It’s pretty unusual in the commercial world to just let them collect data. Heaven forbid that the intruders gain control,” said the source.

SecurityWeek writer Steve Ragan said the possibility of a cyber attack against critical infrastructure is a reality because the networks running the infrastructure are so poorly protected.

“It’s gotten to the point that simple phishing attacks, things that proper email protection and awareness training cover, rate three separate warnings and alerts,” wrote Ragan.

The CERT alert covered multiple targeted attempts and intrusions into multiple natural gas pipeline sector organizations, and all were determined to be related to a single campaign that appears to have started in late December 2011 and is still active today.

As reported by the DHS through the Transportation Security Administration’s Office of Intelligence, the U.S. pipeline system comprises 161,189 miles of liquid pipelines with more than 200 operators; 309,503 miles of natural gas transmission pipelines with more than 700 operators; and 1.9 million miles of natural gas distribution pipelines with more than 1,300 operators.

Virtually the entire U.S. pipeline system and critical infrastructure is owned and operated by private entities, the agency said in a pipeline threat assessment memo from 2011.

The ICS-CERT is charged with helping secure the nation’s industrial control systems – computerized systems that open and close valves, switches, and factory processes vital to the chemical, industrial, and power sectors. Their “fly away” teams visit factories, power plants, and pipeline companies to investigate cyber intrusions.

Historically, DHS has been concerned that terrorist groups could target the supervisory control and data acquisition (SCADA) networks that manage these systems. And while the DHS said it is “not aware of any credible, specific threat reporting targeting U.S. pipelines’ industry control systems or the supervisory control and data acquisition networks,” the new alert suggests that a terrorist may not have to be that sophisticated.