* Cyber incidents more than quadrupled in 2011-DHS
* Virus hit over 100 computers at nuclear firm in 2010
By Jim Finkle
BOSTON, July 3 - Cyber threats reported by U.S. energy companies, public water districts and other infrastructure facilities surged last year, a new government report shows.
The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team said that it received 198 reports of suspected cyber incidents, or security threats, in 2011, more than four times the 2010 level.
The report gave examples of cases in which firms were infected with malicious software designed for espionage and fraud.
The agency described a 2010 case in which investigators helped remove a version of the Mariposa botnet virus from more than 100 computers at an unnamed nuclear energy firm. The Mariposa virus was primarily used for financial fraud, though it could have been used to take complete control of the computers.
The virus entered the firm's network after a nuclear engineer plugged a tainted USB flash drive into his laptop, then connected the laptop to the system, according to the report.
The device was provided to the engineer by an instructor teaching a course to nuclear engineers, said Sean McGurk, a former DHS official who helped respond to the incident.
"We all know we aren't supposed to take USB sticks and put them into our networks, but time and time again it has proven to be true," said McGurk, who now manages an industrial control systems security practice at Verizon.
While ICS-CERT said the virus did not impact operations at the nuclear plant in question, it added that the virus could have spread to the laptops of engineers at other companies who took the same course and picked up similar flash drives.
NITRO, NIGHT DRAGON
The agency said its staff worked with victims of previously reported campaigns in which hackers targeted sensitive data held by chemical firms, energy companies and defense contractors - the "Night Dragon" attacks first reported in 2010 and the "Nitro" campaign uncovered last year.
More than 40 percent of the incidents reported in 2011 were from the water sector.
Many water districts used a control system that administrators could access via the Internet, and a bug in that system made it vulnerable to hackers. ICS-CERT said it worked with the vendor to fix the bug, then urged operators to update their software.
Altogether ICS-CERT provided assistance in 28 cases in 2011, by either sending in teams of experts or through remote assistance from its Advanced Analytics Lab. It intervened 15 times in 2010 and 4 times in 2009, its first year of existence.
DHS spokesman Peter Boogaard said that ICS-CERT has been working closely with operators of industrial control facilities in recent years to help them institute procedures to better identify and prevent cyber incidents.
"The number of incidents reported to DHS's ICS-CERT has increased, partly due to this increased communication," Boogaard said.
Several cyber security experts said they believe that operators are in fact doing a better job of detecting intrusions.
"The operators are starting to wake up and realize that they need to look at their systems," said HD Moore, chief security officer at security firm Rapid7.