ICS-CERT reviews computer security incidents of 2012
The potential for cybersecurity threats to affect critical infrastructure has been a focus of many political discussions in recent months. A recent report from the Industrial Control Systems Cyber Emergency Response Team shed light on the prevalence of computer security risks facing essential systems by reviewing incidents the team has helped address.
The energy sector in particular was a common target in the 2012 fiscal year, accounting for 41 percent of 198 incidents responded to by ICS-CERT. Cybercriminal strategies ranged from infecting systems with malware in order to disrupt operations to stealthier campaigns designed to retrieve sensitive information. In its efforts to assist organizations in responding to these incidents, ICS-CERT aided in tasks such as identifying best practices for removing malware and for improving intrusion detection practices to prevent future incidents.
The report also highlighted efforts undertaken by researchers Bob Radvanovsky and Jake Brodsky of InfraCritical to identify the number of web-connected and potentially vulnerable systems. The effort, called Project Shine (SHodan INtelligence Extraction), resulted in a list of nearly 500,000 potentially vulnerable systems.
To improve risk management and prioritization, ICS-CERT developed the CVSS scoring system to reveal the severity of a problem. A score of 0 indicates there is no vulnerability, while 10 is given to issues that pose the most risk.
"[R]eaders can use the base metric as a tool to quickly determine the seriousness of thevulnerability associated with the affected system," the report stated. "The asset owners and operators can use the base metric provided by ICS-CERT and apply the temporal and environmental metrics that are appropriate for their individual situation."
The Internet of Things and risk
There are a lot of things on the IT professional's to-do list, so it may be difficult to fit in time for improving risk management paradigms. However, as Wired's Andrew Rose recently noted, the Internet of Things may make evaluation of existing practices more critical.
"It's scary how few people are preparing for it," Rose wrote. "Most security and risk professionals are so preoccupied with putting last week's vulnerability-malware-hacktivist genie back into the bottle, that they're too distracted to notice their R&D colleagues have conjured up even more unpredictable spirits. Spirits in the form of automated systems that can reach beyond the digital plane to influence and adjust the physical world … all without human interfacing."
As data makes its way to more places throughout the technology ecosystem, a premium will likely be placed on creating new risk management procedures to account for automated systems. Rose further predicted that government legislation is inevitable, given how many devices are already part of the Internet of Things.