UPDATED 11:58 EDT / JULY 03 2012

ICS-CERT Reports Increased Infrastructure Cyber Attacks

ICS-CERT, the DHS-managed Industrial Control Systems Cyber Emergency Response Team, has released a report documenting a sharp rise in the number of infrastructure "cyber incidents" reported to it over the past few years. The figures count reports rather than confirmed attacks: in its launch year, 2009, ICS-CERT received nine incident reports, of which only four were confirmed as actual incidents. Reports rose to 41 in 2010 and jumped to 198 in 2011. According to the report, about 41 percent of the 2011 incidents involved the Water Sector, a concentration the report attributes to the large number of Internet-facing control system devices in that sector. The remainder were spread across government facilities, the energy sector, nuclear, chemical, transportation, national monuments, IT, critical manufacturing, and communications.

“A fundamental challenge utilities face is that supervisory control and data acquisition (SCADA) systems were not designed to be secure,” said Chris Petersen, CTO and co-founder of LogRhythm, speaking on the subject of recent ICS-CERT warnings. “Much of the existing infrastructure was developed and implemented prior to the rise of the Internet. Security was most often thought of in the physical sense. The heat is on when it comes to protecting critical infrastructure in the United States. Unless the industry takes major steps to bolster its overall cyber security, 2012 could be the year hackers cause major disruptions that impact thousands of people.”

The water sector also produced a well-known false alarm late last year. Joe Weiss, a managing partner at Applied Control Solutions, published information on a hack that, according to an initial Fusion Center report, had damaged a city water pump in Springfield, Illinois. According to that account, the attackers burned out one of the utility's pumps by causing either the pump or the SCADA system that controlled it to switch on and off repeatedly. A detailed investigation found no evidence that this was a cyber incident at all, and that Weiss lacked any solid evidence or information to support the claims. The connection from Russia that had prompted the alarm turned out to be an authorized contractor connecting from Russia.

ICS-CERT's alert was blunt about the lack of evidence:

“There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant,” the ICS-CERT alert states. “In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported. Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.”

As attacks on infrastructure increase, analytics over large volumes of log data play a significant role in telling a real threat from a false alarm. Splunk's products are a prominent example: they provide both in-house security monitoring and security-as-a-service on top of the many layers of a system by analyzing the data produced by a multitude of products. Splunk's search language can be used to monitor real-time data streams as well as to mine logs and other big data for patterns; it watches the many data points a large system produces to detect, and in some cases predict, failing parts or problem spots. By combining Big Data back-ends, deep real-time analysis and a powerful query language, Splunk puts the ability to query continuously changing data in the hands of the technicians who need those alerts, so they can be prepared for both the expected and the unexpected.
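The following is an added example, not code from Splunk, ICS-CERT or anyone quoted in this article, showing in plain Python the kind of correlation the paragraph above describes. It reads constructed SCADA command and VPN login lines (the log format, host names, user names, IP addresses and the contractor allowlist are all invented for the example), flags a pump that is being toggled on and off rapidly, finds the remote session that issued the commands, and then decides whether that session was authorized. The last step is what separated the Springfield alarm from a real incident: the deciding fact, that the foreign connection belonged to an authorized contractor, lived outside the network logs, so it is encoded here as an allowlist the analysis must consult.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not real plant data).
# Format: "<ISO timestamp> <source> key=value ..."
SAMPLE_LOGS = """\
2011-11-08T14:02:10 vpn event=login user=contractor7 src=203.0.113.5 geo=RU
2011-11-08T14:03:00 scada pump=P3 cmd=ON user=contractor7
2011-11-08T14:03:05 scada pump=P3 cmd=OFF user=contractor7
2011-11-08T14:03:11 scada pump=P3 cmd=ON user=contractor7
2011-11-08T14:03:16 scada pump=P3 cmd=OFF user=contractor7
2011-11-08T14:03:21 scada pump=P3 cmd=ON user=contractor7
2011-11-08T14:03:27 scada pump=P3 cmd=OFF user=contractor7
2011-11-08T16:40:00 vpn event=login user=unknown-9 src=198.51.100.77 geo=CN
2011-11-08T16:41:02 scada pump=P1 cmd=ON user=unknown-9
2011-11-08T16:41:08 scada pump=P1 cmd=OFF user=unknown-9
2011-11-08T16:41:14 scada pump=P1 cmd=ON user=unknown-9
2011-11-08T16:41:20 scada pump=P1 cmd=OFF user=unknown-9
2011-11-08T18:00:00 scada pump=P2 cmd=ON user=operator1
2011-11-08T22:00:00 scada pump=P2 cmd=OFF user=operator1
"""

# Constructed allowlist (an assumption for the example): which remote
# accounts may legitimately connect from which countries. This is the
# out-of-band fact that turns a "foreign login" alert into a non-incident.
AUTHORIZED_REMOTE = {"contractor7": {"US", "RU"}}

CYCLE_WINDOW = timedelta(minutes=2)   # look for rapid toggling inside this window
CYCLE_THRESHOLD = 4                   # this many pump commands in the window is abuse

KV_RE = re.compile(r"(\w[\w-]*)=(\S+)")


def parse(lines):
    """Turn raw lines into dicts with a parsed timestamp, source and key=value fields."""
    events = []
    for line in lines.strip().splitlines():
        ts, source, rest = line.split(" ", 2)
        ev = {"ts": datetime.fromisoformat(ts), "source": source}
        ev.update(dict(KV_RE.findall(rest)))
        events.append(ev)
    return events


def detect_cycling(events):
    """Sliding window per pump: alert when CYCLE_THRESHOLD commands fall
    inside CYCLE_WINDOW. One alert per pump is enough for triage."""
    by_pump = defaultdict(list)
    for ev in events:
        if ev["source"] == "scada" and "pump" in ev:
            by_pump[ev["pump"]].append(ev)
    alerts = []
    for pump, cmds in by_pump.items():
        cmds.sort(key=lambda e: e["ts"])
        for i in range(len(cmds)):
            j = i + CYCLE_THRESHOLD - 1
            if j < len(cmds) and cmds[j]["ts"] - cmds[i]["ts"] <= CYCLE_WINDOW:
                alerts.append({"pump": pump, "start": cmds[i]["ts"], "user": cmds[i]["user"]})
                break
    return alerts


def login_for(events, user, before):
    """Most recent VPN login by `user` at or before `before`, or None if the
    commands came from a local console with no remote session."""
    logins = [e for e in events if e["source"] == "vpn" and e.get("event") == "login"
              and e.get("user") == user and e["ts"] <= before]
    return max(logins, key=lambda e: e["ts"]) if logins else None


def triage(lines):
    """Correlate cycling alerts with remote sessions and the allowlist.
    Returns a list of (pump, user, login_country_or_None, verdict)."""
    events = parse(lines)
    findings = []
    for alert in detect_cycling(events):
        login = login_for(events, alert["user"], alert["start"])
        if login is None:
            verdict = "local cycling; check the maintenance schedule"
        elif login["geo"] in AUTHORIZED_REMOTE.get(alert["user"], set()):
            verdict = "authorized remote session; confirm with the contractor"
        else:
            verdict = "INCIDENT: unauthorized remote session cycling pump"
        findings.append((alert["pump"], alert["user"], login["geo"] if login else None, verdict))
    return findings


if __name__ == "__main__":
    for pump, user, geo, verdict in triage(SAMPLE_LOGS):
        print(f"{pump} toggled by {user} (login geo={geo}): {verdict}")
```

Run as-is, the script reports the contractor's Russian session on pump P3 as authorized activity to confirm with the contractor, and the unknown account's Chinese session on pump P1 as an incident; P2's two widely spaced commands never trigger the cycling rule. A real deployment would pull the same fields from a search over the indexed logs and keep the allowlist in a maintained lookup rather than a literal in the script.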

