* Cyber incidents more than quadrupled in 2011-DHS
* Virus hit over 100 computers at nuclear firm in 2010
By Jim Finkle
BOSTON, July 3 - Cyber threats reported by U.S.
energy companies, public water districts and other
infrastructure facilities surged last year, a new government
The Department of Homeland Security's Industrial Control
Systems Cyber Emergency Response Team said that it received 198
reports of suspected cyber incidents, or security threats, in
2011, more than four times the 2010 level.
The report gave examples of cases in which firms were
infected with malicious software designed for espionage and
The agency described a 2010 case in which investigators
helped remove a version of the Mariposa botnet virus from more
than 100 computers at an unnamed nuclear energy firm. The
Mariposa virus was primarily used for financial fraud, though it
could have been used to take complete control of the computers.
The virus entered the firm's network after a nuclear
engineer plugged a tainted USB flash drive into his laptop, then
connected the laptop to the system, according to the report.
The device was provided to the engineer by an instructor
teaching a course to nuclear engineers, said Sean McGurk, a
former DHS official who helped respond to the incident.
"We all know we aren't supposed to take USB sticks and put
them into our networks, but time and time again it has proven to
be true," said McGurk, who now manages an industrial control
systems security practice at Verizon.
While ICS-CERT said the virus did not impact operations at
the nuclear plant in question, it added that the virus could
have spread to the laptops of engineers at other companies who
took the same course and picked up similar flash drives.
NITRO, NIGHT DRAGON
The agency said its staff worked with victims of previously
reported campaigns in which hackers targeted sensitive data held
by chemical firms, energy companies and defense contractors -
the "Night Dragon" attacks first reported in 2010 and the "Nitro"
campaign uncovered last year.
More than 40 percent of the incidents reported in 2011 were
from the water sector.
Many water districts used a control system that administrators
could access via the Internet and that had a bug making it
vulnerable to hackers. ICS-CERT said it worked
with the vendor to fix the bug, then urged operators to update
Altogether ICS-CERT provided assistance in 28 cases in 2011,
by either sending in teams of experts or through remote
assistance from its Advanced Analytics Lab. It intervened 15
times in 2010 and 4 times in 2009, its first year of existence.
DHS spokesman Peter Boogaard said that ICS-CERT has been
working closely with operators of industrial control facilities
in recent years to help them institute procedures to better
identify and prevent cyber incidents.
"The number of incidents reported to DHS's ICS-CERT has
increased, partly due to this increased communication," Boogaard
Several cyber security experts said they believe that
operators are in fact doing a better job of detecting
"The operators are starting to wake up and realize that they
need to look at their systems," said HD Moore, chief security
officer at security firm Rapid7.