The ongoing investigation of last year’s hacking of the presidential election in the U.S. by the Russians has pretty much sucked the air out of conference rooms at the country’s intelligence agencies and cybersecurity firms. But earlier this month attention began to shift to an entirely new sector where the stakes are just as high when news outlets like The New York Times and Bloomberg broke stories involving the breach of at least 12 U.S. energy facilities, including the Wolf Creek nuclear power plant in Burlington, Kansas.
The Department of Homeland Security (DHS) and the FBI found evidence that Russian government-backed hackers were doing what could be considered network reconnaissance of potential critical infrastructure targets for future attacks. DHS and FBI officials said that the hackers are employing spearphishing emails that contain embedded attachments or links infected with malware, along with “watering hole” attacks that take an unsuspecting user to malware-laced websites. Ironically, U.S. President Donald Trump was at the G20 summit when news of these incidents broke, where he proposed a joint “cybersecurity alliance” with Russia and President Vladimir Putin. U.S. officials quickly backtracked on that suggestion.
The fear among the nation’s cybersecurity experts is that while the Russians are currently simply probing American facilities, they have already demonstrated the capability of delivering a crippling blow to advanced power grids, shutting the lights to more than 225,000 citizens in Kiev, Ukraine twice in the last two years. U.S. government officials state that in these recent attacks the hackers were penetrating business operation networks and not the critical industrial control systems.
But most cyber experts agree it is only a matter of time. So taking the Ukraine as an example, just how prepared are electrical power and nuclear facilities in the U.S. to defend against these hacks and just how vulnerable is our power grid to outside Russian threats?
“First, the concept you use some smaller targets as a test is not new. The concept that you do recon is not new. Sun Tzu didn't code in [ancient] China but some of the same attack principles apply. I can't tell you I think the U.S. infrastructure is super well prepared to defend against outside threats. I do think that some good effort is being put into paying attention to this, which is a good thing because it continues to sound like there are weaknesses in what we have now,” says Rodney Thayer, a well-respected network security consultant. “We’ve got a power grid first installed two centuries ago, so it's a bit of a fixer upper. The severity of any industrial control system attack depends on whether hackers managed to breach not only its traditional computer systems but also the far more obscure, less internet-connected systems that actually manipulate its physical equipment.”
Most cybersecurity experts agree that the American power grid is certainly vulnerable to assorted state threat actors, criminals, terrorists, and others. On a global scale, there have been attempted cyber-attacks on global grids and utilities, many via phishing and ransomware, and some have been successful.
So as Chuck Brooks, vice president of government relations and marketing for Sutherland Government Solutions, says, it is not surprising that these threat actors would be engaged in mapping facility networks. He adds that U.S. critical infrastructure is a logical target because much of it is owned by the private sector, saying that a significant challenge has been to increase public-private cooperation that requires threat information sharing between parties. The recent alerts highlight threats but also progress in the ecosphere of strategic cooperation to protect infrastructure.
“State threat actors like Russia do pose significant threats. Adm. Mike Rogers, head of the National Security Agency and U.S. Cyber Command, has stated that only two or three countries have the ability to launch a cyber-attack that could shut down the entire U.S. power grid and other critical infrastructure. Those countries could wreak havoc, but the U.S. would not sit idle and could certainly retaliate. In my opinion, the more dangerous threats come from rogue extremist states such as North Korea or Iran,” warns Brooks. “On the negative side of preparedness, much of the equipment that comprises our electric grid infrastructure is antiquated and needs updating. On the positive side, events such as the Ukrainian breach have called attention to the need to reinforce SCADA systems for both technologies and process controls. DHS, DOE, DOD, FBI, and the intelligence communities are working loosely on monitoring and detecting threats and think we are reaching better levels of security. DHS and the FBI disclosed that this recent Russian incident was contained saying, ‘there is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.’”
For longtime security analyst Jorge Lozano, CEO and president of Condortech Services, the crucial element for improving the proactive security of these critical infrastructure sectors is the full collaboration of U.S. federal agencies, with the DHS, FBI and the DOD working together and cooperating in all phases of the problem.
“In my view, most of the electric power systems and nuclear facilities use similar operating technologies (OT) and information technologies (IT) to control their subsystems. Operating technologies are composed of multiple control systems, such as micro-controllers, programmable logic controllers (PLC), etc.; and it is important to distinguish both of those two technologies. The subsystems of OT use different controls, although similar in nature because they are proprietary technologies. The lack of standardization amongst the manufacturers is what protects us in most cases and makes it difficult for the hacker to learn each brand. Corporations need to collaborate with their IT engineers and facility engineers in order to understand the complexity of both IT and OT systems,” says Lozano.
Nathan Wenzler, chief security strategist at AsTech, a San Francisco-based security consulting company, admits that even seemingly minor incidents are able to create huge breakdowns on the power grid, citing a power outage in the Northeast U.S. in 2003 as an example.
“With a focused, targeted attack, a huge amount of damage could potentially be levied against power grids and other infrastructure facilities. What we're seeing in Ukraine is generally regarded as the proving grounds for the malicious software that is likely going to be unleashed against other power facilities in other countries. And while many facilities are preparing for such attacks, there are still a huge amount of organizations which are using outdated security models such as air-gapping their networks (which Stuxnet has proven can be easily defeated), and are at risk of being compromised by these attacks,” Wenzler says. “And, with the way that the power grid is so heavily interconnected, one break in the chain could cause a domino effect that impacts all the other facilities. It's a pretty serious problem that, by and large, the organizations responsible for these systems are not ready to handle.”
Joseph Carson, chief security scientist at Thycotic, a Washington D.C.-based provider of privileged account management (PAM) solutions, is frustrated by the fact the U.S. has a muddled cybersecurity roadmap and that the current administration is sending dangerous mixed messages regarding cyber threats and vulnerabilities.
“It is very clear that the U.S. does not have a consistent or clear cybersecurity strategy on dealing with Russia. The stance with Russia on cybersecurity matters changes as frequently as the weather, one day President Trump tweets, ‘forming an impenetrable cybersecurity unit so that election hacking and many other negative things, will be guarded and safe,’ and the next day followed with ‘the fact that President Putin and I discussed a cyber security unit doesn't mean I think it can happen.’ These tweets send a very confusing message to the industry,” chides Carson.
Carson continues that he thinks cyber-attacks against critical infrastructure are greatly concerning and that the lack of a clear U.S. strategy leaves these critical systems exposed to cyber-attacks.
“It must be the time that, whether or not governments are responsible for sponsoring these cyber-attacks, they must take action against citizens who are carrying out these cyber crimes. What is clear is that every day cyber-attacks between nation states are being carried out on a massive scale. The biggest gap we have in the industry is while we know these attacks are occurring, what is lacking is a clear incident response or transparent cooperation between nation states on dealing with these crimes,” says Carson. “While the governments of nations deny they are sponsoring these attacks, lack of cooperation means that they are turning a blind eye to these crimes. It is time for strong accountability and responsibility from governments.”
Lozano concludes that we have to recognize that the U.S. is working towards new standards to help the industry become more resilient and secure, pointing out that NIST recently released the latest standard publication SP 800-82 (centric to OT systems) and other initiatives that are totally focused on those specific issues.
“To this date, most government standards have been centric to information technologies, while operating technologies like SCADA systems, distributed control systems (DCS), and other control system configurations such as PLC have been totally unsecured and without the proper government standards,” says Lozano. “Our power grids are vulnerable to a point, and the threat assessment depends on how updated the corporate OT policies are if any, in addition to their IT infrastructures. The whole cycle begins with acknowledging OT vulnerabilities are as critical to protecting the IT systems. It has taken the government and industries years to recognize the need for comprehensive cybersecurity standards, but now we must move to the next level of understanding: cyber security encompasses any system or device that has access to the internet.”
About the Author:
Steve Lasky is the Editorial Director of SouthComm Security Media, which includes print publications Security Technology Executive, Security Dealer & Integrator, Locksmith Ledger Int’l and the world’s top security web portal SecurityInfoWatch.com. He is a 30-year veteran of the security industry and a 26-year member of ASIS.