Homeland Security report hoses down energy-sector 'cybergeddon' talk
It's all the media's fault. Even when the DHS hypes things up
+Comment Everybody knows how easily the world could be plunged into a New Dark Ages with nothing more than a handful of hacker keystrokes – everybody except the United States Department of Homeland Security (DHS).
In a report obtained and published by Public Intelligence researchers, the DHS contradicts most of the received wisdom attached to the critical infrastructure debate, by assessing the immediate risk to America's energy network as “low”.
The intelligence assessment, entitled Damaging Cyber Attacks Possible but Not Likely Against the US Energy Sector, has been circulated among America's policy-makers since January.
Working with ICS-CERT, the DHS has come to the conclusion that the main aim of nation state-level attackers on the US energy sector is espionage rather than destruction.
“The APT activity directed against sector industrial control system (ICS) networks probably is focused on acquiring and maintaining persistent access to facilitate the introduction of malware, and likely is part of nation-state contingency planning that would only be implemented to conduct a damaging or disruptive attack in the event of hostilities with the United States”, the report says under the heading Key Judgements.
While there were 17 intrusions “against the US energy sector” reported in 2014, for example, the report says the “APT actors did not cause any damage or disruption”.
Incidents described in the report included four Bang-based DDoS malware attacks, three Cryptolocker attacks, and a successful financial attack against a North Carolina fuel distributor that netted US$800,000 by using compromised login credentials.
So why does everybody believe the world is only a few clicks away from cybergeddon? Apparently, the DHS reckons, it's all the media's fault.
“Imprecise use of the term 'cyber attack' in open source media reporting and throughout the private sector has led to misperceptions about the cyber threat to the US energy sector”, the report says.
Asking for the rhetoric rheostat to be dialled back a few notches, the report continues: “Overuse of the term 'cyber attack' risks 'alarm fatigue', which could lead to longer response times or to missing important incidents”.
The DHS's own public rhetoric doesn't always help the media distinguish between real and imagined threats. A good example is how the report dissects the now-famous December 2015 blackouts in Ukraine.
In March, ICS-CERT was confident about attributing the attacks to intrusions: “power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers”.
Here's the intelligence assessment's full text regarding the incidents:
“Open source media and various US cybersecurity threat intelligence companies have claimed that at least six Ukrainian regional power providers in late December suffered a cyber attack causing the loss of power for more than 80,000 customers for up to six hours. Due to limited authoritative reporting, I&A is unable to confirm the event was triggered by cyber means.
“While not independently confirmed as the cause of the outage, malware provided by Kyiv indicates the presence of a variant of an ICS-specific malware on the energy provider’s systems, according to ICS-CERT analysis.
“The variant provided by the Ukrainian Government has the capability to enable remote access and delete computer content, including system drives. I&A cannot attribute this operation to any specific cyber actor, but the attacks are consistent with our understanding of Moscow’s capability and intent, including observations of cyber operations during regional tensions. This incident does not represent an increase in the threat of a disruptive or destructive attack on US energy infrastructure, which I&A assesses is low.”
The DHS's Andy Ozment and Greg Touhill wrote: “US critical infrastructure entities have been affected by targeted intrusions in recent years, and it is imperative that critical infrastructure owners and operators across all sectors are aware and up-to-date on the cyber threat landscape and the measures they can take to protect their assets.”
That seems, to The Register, to leave plenty of room for the media to interpret the DHS's position as a warning of imminent threat. ®