Attackers successfully infiltrated computer systems at the Department of Energy more than 150 times between 2010 and 2014, according to a USA Today review of federal documents obtained through a Freedom of Information Act request. In all, DoE networks were targeted 1,131 times over the four-year span.
While this sounds worrying -- the DoE oversees the country's power grid and nuclear weapons stockpile, after all -- there are a few things missing from the report. The attacks appear to be against the DoE's office systems and not the real-time systems that control the power grid. Those systems are typically operated by utilities and aren't directly connected to DoE's networks. The attacks in the USA Today report are equivalent to the kind universities, corporations, and other organizations regularly face.
Attackers also successfully hit the National Nuclear Security Administration, a DoE sub-agency in charge of securing nuclear weapons, 19 times over the four years. But again, there's no indication the attackers got beyond the office network to reach the secure network used to connect systems that actually manage nuclear assets.
There's a big difference between the systems actually used in managing critical infrastructure and the computers used by DoE employees and contractors. The USA Today report does not make clear which systems were targeted.
A tale of two networks
It's easy to blur the distinction between the two. Most critical infrastructure operators have a corporate network used by the employees for day-to-day operations and a separate network used for industrial control systems.
In an electric utility, for example, the control systems monitor the systems that generate and distribute electricity, the temperature within the facility, and other real-time safety controls. The computer with information about individual employees would typically be on the separate corporate network.
Nonetheless, there's plenty to worry about regarding the security of the industrial control systems. While there have been only a handful of reports of damaging industrial control systems attacks (contrary to movies and TV scripts), many such systems have vulnerabilities that could be exploited with devastating results. The most notable, of course, is the Stuxnet operation in 2011 against Iran's nuclear facilities. In 2014, attackers targeted a German steel mill.
Researchers are uncovering record numbers of industrial control system vulnerabilities, and many proofs of concept and exploits are being created, according to an analysis by the threat intelligence firm Recorded Future of roughly 400 issues documented in the NIST vulnerability database. Security researchers uncovered more than 100 industrial control system vulnerabilities in 2012, compared to fewer than a dozen reported in 2011 and years prior. Vulnerability disclosures were at record levels in 2013 and 2014, and researchers have already disclosed close to 50 new flaws between January and July of this year.