US government warns Anonymous could target critical infrastructure systems

The US government has warned that Anonymous could be planning to launch attacks on industrial control systems (ICS) that are vital to the safe operation of key facilities including water, chemical and energy plants.

An unclassified bulletin from the US Department of Homeland Security's (DHS) National Cybersecurity and Communications Integration Center points to several examples apparently highlighting "a recent interest Anonymous has developed in exploiting ICS".

These include a Tweet by an Anonymous member in July that showed the "results of browsing the directory tree for Siemens SIMATIC software", a type of industrial automation software.

While the DHS said that Anonymous appears to currently have "limited ability" when it comes to the knowledge and skills necessary to attack ICS systems, it warned that these capabilities could be developed "to gain access and trespass on control system networks very quickly".

"Free educational opportunities (conferences, classes), presentations at hacker conferences, and other high-profile events have raised awareness of ICS vulnerabilities, and likely shortened the time needed to develop sufficient tactics, techniques and procedures to disrupt ICS," it added.

In addition, exploits for control systems are found in common pen testing software, while some control systems can be accessed directly from the internet, increasing the risk of attack, said the bulletin.

"These systems could be easily located and accessed with minimal skills in order to trespass, carry out nefarious activities, or conduct reconnaissance activities to be used in future operations," the DHS said.

"Asset owners and operators of critical infrastructure control systems are encouraged to engage in addressing the security needs of their control system assets."

Industrial control system flaws hit the headlines with the discovery of the infamous Stuxnet worm, believed to have been designed to target Siemens Scada systems in Iranian nuclear facilities.

Since then there have been frequent disclosures of vulnerabilities in similar industrial control systems. For example, in April 52 new Scada threats were revealed by security management firm Idappcom.

Researchers at NSS Labs were then involved in a very public spat with Siemens arguing that the firm was not doing enough to fix known vulnerabilities.