Concerns about Russian cyber attacks on U.S. electric utilities have increased again this week. The Wall Street Journal (WSJ) is reporting that such attacks have impacted hundreds of victims, not just the dozens reported earlier.
In March of this year the U.S. Department of Homeland Security publicly reported that Russian cyber attacks have been targeting U.S. critical infrastructure. Not only was this a rare identification of the threat actors and their strategic intent, the report provided descriptions of each stage of the attack, detailed indicators of compromise (IOCs) and a long list of detection and prevention measures. We wrote an earlier article that summarized the key findings of the report and how the new technologies can help.
Since making its report public, DHS has been briefing utilities around the country about the attacks. It was in one of these sessions that the scope of the Russian cyber attacks was greatly broadened, according to WSJ.
This news brings a new wave of concern about cyber attacks to the board rooms and plant floors of utilities and their suppliers across the U.S. and beyond. If you are involved in this discussion, or might be, following is a recap of what is known about the Russian cyber attacks and my thoughts on its significance and repercussions.
Russian Cyber Attacks on Critical Infrastructure – What We Know
On March 15, 2018 US-CERT released an advisory describing Russian cyber attacks on energy and other critical infrastructure sectors. Key details include:
- The threat actors used spear phishing, altered trade publication and websites (watering-holes) and publicly available information to infect staging targets, such as trusted third-party suppliers to energy organizations
- The credentials of the staging targets were then used for spear phishing and other attacks on the intended targets, ultimately accessing the victims’ networks
- The malware established multiple local administrator accounts, each with a specific purpose
- Tools were downloaded from a remote server to gather and store user credentials
- An ICS reconnaissance phase followed, which gathered information on the assets of the industrial networks and how the networks and its process worked
- Finally, the threat actors hid their tracks by clearing logs and removing malware applications, registry keys and screen captures
The infection and reconnaissance phases of the attack are lengthy; the government advisory indicates the attacks began in March 2016 and the first reported detection of it was not until the fall of 2017, in a report from Symantec. This means there is a good opportunity to detect and stop such an attack. With the right technology monitoring the network, it is much harder for threat actors to go unobserved until their final attack.
The ultimate goal of the Russian cyber attacks, in terms of what equipment it would target and what type of disruption it would cause is unknown.
The WSJ article highlights fears about such attacks:
“They got to the point where they could have thrown switches” and disrupted power flows.
Jonathan Homer, chief of industrial-control-systems analysis for DHS
While cyber attacks did lead to limited black outs in the Ukraine in 2015 and 2016, actually causing black outs across the United States, with a multitude of private providers, is much more difficult. Nonetheless, I believe that the attackers have all the tools they need to cause power outages and the only thing holding them back is their fear of the consequences.
Harming Critical Infrastructure Via Cyber Attacks Has Never Been Easier
Today, the skills required to attack an industrial system can be as simple as the smart use of Open Source Software (OSS) tools, knowledge gained from ICS malware frameworks freely available on the Internet, and malicious intent. Over the last decade the knowledge needed by threat actors has dramatically decreased as tools and examples for attacks have proliferated.
For example, let’s consider the TRITON attack, a milestone attack revealed last year. Why is it a milestone? Because, for the first time, attackers successfully changed the programming logic of a SIS (Safety Instrumented Systems) controller. SIS systems are the last line of automated defense for a control network, and are designed to ensure a plant shuts down or changes its process so that no harm can come to people or the environment.
The TRITON malware framework and many other malware frameworks discovered in the last two years are freely available on the Internet. You may need to know where to look, but they are not impossible to find. They can be adapted by people with relatively low programming skills to create sophisticated attacks. (Speaking of TRITON: next month at Black Hat we will be presenting new TRITON research and a live demonstration of an attack.)
Turning back to the Russian cyber attacks, my belief is that they have not yet caused black outs because of the risk of unknown consequences and retaliation. Attacks on the power grid will be difficult to control and will undoubtedly lead to lots of collateral damage. This, combined with the risk of retaliation, may be keeping attackers at bay.
It is reminiscent of the mutually assured destruction model of the Cold War when restraint was used on all sides. We are likely in the midst of a Cyber Cold War with all sides holding back from carrying out the destruction of which they are truly capable.
Be Ready for the “New Normal” of Significant Industrial Cyber Threats
The attacker may change, but our goal remains the same: ensure that critical infrastructure is protected.
Now is the time to review your cyber security program and make sure the basics are covered. Know your network and its assets. Compare your cyber security posture with cyber security standards such as NIST, and continually improve.
The WSJ article closes with a statement that the DHS is looking for evidence that the Russians are automating their attacks, which could “presage a large increase in hacking efforts”. In response, I suggest you start thinking about how to stay ahead of the hackers by automating industrial threat detection.
I have spent my entire career working to protect critical infrastructure. I have been on the front lines as a security engineer responsible for reducing the risk of an attack on a critical installation. It was, and will forever be, a tough job. But, I feel optimistic, because as WSJ mentions, the level of transparency and cooperation between government authorities and critical infrastructure organizations has never been higher. This public / private cooperation is encouraging, and I hope it continues.
Advanced cyber threats to critical infrastructure are now part of the “new normal” for energy and industrial operators. Make sure your “new normal” for reliable operations includes proactive cyber security measures.
Related Content to Download
Whitepaper: “Improving ICS Cyber Security for Substations and Power Grids”
Real-time ICS Anomaly Detection and Operational Visibility Use Cases
Read this paper to learn:
Power grid cyber security technical challenges
Sample architectures for cyber resiliency
Cyber security use cases
Operational visibility use cases
How ICS anomaly detection improves cyber security
- WSJ.com: Russian Hackers Reach U.S. Utility Control Rooms, Homeland Security Officials Say
- Blog: Russian Cyber Attacks on Critical Infrastructure – What You Need to Know
- UScert.gov: Alert (TA18-074A) – Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors
- Symantec.com: Dragonfly: Western energy sector targeted by sophisticated attack group
- SCmagazineuk.com: Attackers can easily find vulnerabilities within CNI with OSS tools
- Blog: New TRITON Analysis Tool: Wireshark Dissector for TriStation Protocol
- Webpage: Nozomi Networks at Black Hat USA 2018
Co-Founder and Chief Product Officer
Andrea Carcano, an expert in industrial network security, advises governments, industrial operators, security partners and industry organizations on ICS cyber security strategies and best practices. He holds a Ph.D. in Computer Science focused on critical infrastructure security, and has authored multiple academic papers on ICS malware attacks and advanced attack detection techniques. As Founder and Chief Product Officer at Nozomi Networks, Andrea and his team are defining a new generation of ICS security solutions that detect complex intrusions to critical infrastructure control systems.