Senior U.S. officials have warned in recent months that foreign adversaries are probing computer systems that operate chemical, electric and water plants. But they are also increasingly concerned about the threat of a potentially destructive cyberattack.
Such attacks are rare. Last summer, more than 30,000 computers at the state-owned oil company Saudi Aramco were destroyed when a virus wiped data from the hard drives. The same virus also damaged computer systems at RasGas, an energy company in Qatar.
U.S. intelligence officials have said they think those attacks were linked to the Iranian government. Saudi Arabia and Qatar are allied with Western powers that have tightened economic and oil sanctions against Iran in an effort to slow Iran’s nuclear program.
DHS officials did not provide details on the nature of the latest threat, but there has been renewed concern among government and industry officials about cyber-activity out of the Middle East, particularly Iran.
“There have been oil and gas companies that have seen increased activity out of Iran — not just U.S. but overseas companies,” said one industry official who was not authorized to speak for the record.
The unclassified alert issued Thursday was released by DHS’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT. The agency helps companies investigate intrusions and suggests ways to improve security. In doing so, it collects data about cyberthreats that it can use to alert the private sector.
The alert comes as the Obama administration is ramping up efforts to share more information about threats and encourage greater computer network security. In February, President Obama issued an executive order directing federal agencies to provide more cyberthreat data to industry more quickly.
“This is the sort of information-sharing that everyone’s talking about doing so we can protect critical infrastructure,” said Evan Wolff, a partner at Hunton & Williams and a former DHS adviser who works with industry.
The 13-page alert included specific measures that could be taken to prevent disruptive attacks, industry officials said. It included detailed descriptions of tactics and techniques used to gain access to computers, passwords and various levels of a company’s network. A separate document provided indicators of compromise that can be used by technicians to detect attacks.
“The type of information and detail that DHS is now delivering in these intelligence reports to the community has dramatically improved in the last 18 months,” said Tim Conway, a technical director of the Bethesda-based SANS Institute, a cyber-training organization that helps companies deflect attacks.
Conway, who worked for more than a decade with the electric sector, said industry officials have long demanded such information from the government. “This is exactly what we’ve been wanting,” he said.