USA Today reports that the US Department of Energy (DOE) was “successfully compromised” by cyber criminals “more than 150 times between 2010 and 2014, according to a review of federal records” obtained as part of a Freedom of Information request.
Records show that there were 1,131 cyber attacks on “critical information systems that contain sensitive data about the nation’s power grid, nuclear weapons stockpile and energy labs”, over the 48-month period ending October 2014, of which 159 – or 14% – were successful.
19 successful attacks hit the National Nuclear Security Administration, the agency “responsible for managing and securing the nation’s nuclear weapons stockpile”.
According to USA Today, “Energy Department officials would not say whether any sensitive data related to the operation and security of the nation’s power grid or nuclear weapons stockpile was accessed or stolen in any of the attacks, or whether foreign governments are believed to have been involved.”
Critical infrastructure weaknesses
In the wake of the massive cyber attack affecting the OPM, all federal organizations are rightly wary of potential compromises.
A major attack on the nation’s critical infrastructure might not be far away. Cyber attacks are increasing across all industries in the US, and weaknesses are being exploited by criminals with increasing frequency. Vulnerabilities have been identified in air traffic control systems and airplanes’ on-board electronic systems, many banks have been found to exercise inadequate control over their security and have suffered massive data breaches as a result of hacking and phishing campaigns, and even the White House has seen its network infiltrated by foreign cyber criminals.
Although it is still rare for an email-based malware campaign to cause physical damage, it is feared that such attacks will become increasingly common.
Last year, for example, a report from the German Federal Office for Information Security (Die Lage der IT-Sicherheit in Deutschland 2014) described an incident at an unnamed steel plant in Germany that resulted in catastrophic damage. Using a spear phishing email to install malware on the plant’s computers, hackers stole login credentials, which enabled them to access the production computer networks and gain control of systems that controlled the plant’s manufacturing equipment. They then caused system failures that meant the plant was unable to properly shut down a blast furnace, which was damaged beyond use.
Whatever your industry, if you’re concerned about your organization’s susceptibility to attack, you’ll be interested in IT Governance’s penetration testing packages. Designed to identify vulnerabilities and identify remedial measures that you can take to secure your systems, they provide a complete fixed-price solution for the routine security testing of your websites and IT systems to ensure that your networks and applications remain secure against cyber attacks.