third Cyber Security Assessment Netherlands - NCSC
car park will not open. It is annoying that staff and visitors have
to park somewhere else or that employees feel cold or hot, but it
generally does not mean anything worse than that.

Local/Regional
(for example traffic installations, sewer pump and
bridge operation, individual windmills)
Digital incidents at this level can have a major impact, but the
damage remains limited to a local or regional level and is primarily
practical and financial in nature. An example is a bridge that stays
open so that traffic comes to a halt, or a company that suffers major
financial harm because one of its factory's systems fails, bringing
production to a stop for a few days.

National
(vital infrastructure, for example the energy and
drinking water supply)
Digital incidents in the vital sectors may lead to social instability
and therefore affect national security. There could be many victims
and/or severe economic damage and recovery may be lengthy, while
these products and services are essential. IT, telecommunications
(fixed and mobile) and electricity are crucial for society's vital
sectors to function. Failure of these can lead to harmful effects in
other sectors and the impact of an incident may intensify even
further. These incidents are the most relevant to the CSAN because
they can have a direct impact on large groups of citizens, companies
and governments.

9.3 Incidents involving ICSs
It is impossible to provide proper statistics about ICS-related
incidents in the Netherlands. Organisations involved are still
reticent about sharing information on this subject. In the period
from June 2011 to November 2012, NCSC.nl received just 11 reports.
Because of this low number, the American ICS-CERT has been
reviewed as one of the few available public sources. Furthermore, a
broad reporting period was assessed to give insight into the gradual
developments. The ICS-CERT annual overview with reports of

Year    # Reports    # Investigations
2010    39           57
2011    204          70
2012    138          89

Table 11. Developments in number of reports in the US

The number of investigations continues to rise, which indicates
an increasing number of incidents. Based on the limited detailed
information about ICS-related incidents, these are ranked in the
three categories below.

Incidents caused by internet connectivity
Since 2011, various researchers have been focusing attention on
systems which, by using Shodan [219] and other search engines, can
be reached through the internet [220]. Smaller companies, local
authorities and private individuals in particular are not sufficiently
aware that their systems (generally SOHO and private applications)
are directly accessible on the internet. The combination of
vulnerabilities in the software and the use of weak passwords, etc.
means that in many cases unauthorised access can be obtained
to these systems. These vulnerabilities often arise because of
insufficient agreements regarding security with third parties taking
care of the installation and/or management.

Particularly at the beginning of 2012 there was increased focus on
the risks of connecting ICSs to the internet, which resulted in many
public incident reports. All the reports concerned systems that
could be found through the internet using the Shodan search
engine. [221] Although this category of vulnerabilities attracts by far
the most attention and publicity, this is not where the biggest risks
to national security currently lie, because the vast majority of these
fall in the SOHO category.

218 There is no report as to whether these are truly ICS incidents. Following investigation, it may
emerge that there was no security incident (simply a disruption) or that no ICS/SCADA was
involved. There may also have been multiple reports of the same incident.
219 SHODAN is an internet search engine that facilitates targeted searching of computers that are
connected to the internet.
220 Examples include: Eireann Leverett: http://www.blackhat.com/usa/speakers/Eireann-Leverett.html,
Project SHINE: http://ics-cert.us-cert.gov/pdf/ICS-CERT_Monthly_Monitor_Oct-Dec2012.pdf
and HD Moore: https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers
221 The (few) cases reported to the Netherlands because of these cases proved not to be related
to vital infrastructures.

Incidents caused by vulnerabilities in generic IT tools<br />
(collateral damage category)<br />
General IT tools, known as Commercial Off-The-Shelf (COTS)<br />
products, are increasingly being used in IT environments. This<br />
applies not just to hardware, but primarily also to software such as<br />
operating systems, web technologies and databases. Use of these<br />
COTS products undoubtedly has many advantages (such as lower
costs), but it also turns vulnerabilities in these products into a
stepping stone for ultimately manipulating process controls. It also
makes ICS environments more susceptible to malware that is actually (only)
intended for standard IT facilities. For example, outbreaks of the
computer worms Slammer and Conficker in factory networks meant<br />
that production had to be halted. Key loggers, banking trojans and<br />
other generic malware that unintentionally infect ICS environments<br />
can also lead to failures.<br />
Incidents caused by the ‘human factor’<br />
Around half of the investigations cited by ICS-CERT relate to cases of<br />
spear phishing, possibly with the intention of penetrating the ICS