“Anyone can blow up a gas pipeline with dynamite. But with this stolen information, if I wanted to blow up not one, but 1,000 compressor stations, I could,” he adds. “I could put the attack vectors in place, let them sit there for years, and set them all off at the same time. I don’t have to worry about getting people physically in place to do the job, I just pull the trigger with one mouse click.”
The report comes at a time of growing US-China tensions over cyberespionage. President Obama called for tighter cybersecurity of critical US infrastructure in his State of the Union speech. This month, the White House also released an executive order that attempts to bolster cybersecurity among agencies that regulate electric utilities and other key industries. Congress, however, continues to resist legislation to mandate that such companies meet specific cybersecurity performance standards.
The attacks chronicled in the new DHS report were first reported in an exclusive Monitor article in May 2012, but the report offers confirmation, as well as further details and insights. Of the natural-gas pipeline operators targeted, 10 were infiltrated, another 10 cases are still being investigated, and three were “near misses,” in which the companies narrowly avoided infiltration of their networks, according to the report, titled “Active Cyber Campaigns Against the US Energy Sector” and compiled by DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
Sensitive files were stolen, including usernames, passwords, personnel lists, system manuals, and pipeline control system access credentials, that could give a cyberintruder the ability to control or alter the operation of the pipelines, the report says.
“The data exfiltrated could provide an adversary with the capability to access US [oil and natural gas industrial-control systems], including performing unauthorized operations,” the report concludes. The stolen files were part of a “sophisticated attack shopping list.”