The Department of Homeland Security (DHS) Control Systems Security Program manages and operates the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to provide focused operational capabilities for defense of control system environments against emerging cyber threats.
To accomplish this mission, ICS-CERT
• responds to and analyzes control systems related incidents
• conducts vulnerability and malware analysis
• provides onsite support for incident response and forensic analysis
• provides situational awareness in the form of actionable intelligence
• coordinates the responsible disclosure of vulnerabilities/mitigations, and
• shares and coordinates vulnerability information and threat analysis through information products and alerts.
This report provides a summary of cyber incidents, onsite deployments, and associated findings from the time ICS-CERT was established in 2009 through the end of 2011. The report is divided into three main sections:
1. The first section gives a summary of incident reports and outlines major highlights for each year. Statistics are given for incident response support as well as onsite deployments. Typical incident response support consists of analysis performed in the Advanced Analytics Lab (AAL) on digital media, malware, log files, and other artifacts. Companies request analysis support from ICS-CERT to help determine the extent of the compromise and gather information about cyber attacks including the adversary’s techniques and tactics. This information helps asset owners evaluate their security posture and take measures to strengthen their control systems and network security.
2. The second section examines the onsite response efforts in detail and gives a summary of each deployment. At the request of a company and when appropriate, ICS-CERT can deploy an onsite incident response team to help triage a cyber incident affecting a critical infrastructure owner/operator, with the purpose of identifying threat vectors, collecting data for analysis, assisting with immediate mitigation efforts, providing cybersecurity threat briefings, and identifying future defense strategies.
3. The third section presents common findings from onsite vulnerability assessments and discusses security gaps that asset owners should address to improve the security posture of their systems.
Download the full ICS-CERT Incident Response Summary Report here: