By Gregory Hale
A chill spread over the manufacturing automation sector this week as the Department of Homeland Security (DHS) released a warning regarding Russian infiltration of energy sector systems and networks.
More details on the advanced persistent threat (APT) attacks were released, expanding on an earlier March warning, and some recommendations were made to help protect organizations.
However, a government agency that works at the behest of the country’s chief executive releasing cybersecurity information detrimental to Russia, after a controversial week of news centered on the president’s perceived caving in to Russian President Vladimir Putin, smacks of a political deception to take heat off a different issue.
Be that as it may, if it helps launch industry leaders from being merely aware of the cybersecurity issue to actually doing something about it, it was worth it.
“What we are talking about is from a release issued in March with a bit more context and detail,” said Jeanette Manfra, assistant secretary, office of cybersecurity and communications (CS&C) at DHS in a Wednesday webcast entitled, “Russian Activity Against Critical Infrastructure.” “There was no threat for the electrical grid to go down. The industry did a great job in working with us in the day-to-day work in countering this threat.”
This call to cyber arms came about when DHS earlier this week said Russian hackers were able to penetrate the control rooms of hundreds of U.S. utilities last year as part of a campaign against power company vendors.
Hackers working for a state-sponsored group known as Dragonfly or Energetic Bear were able to get inside the networks of hundreds of U.S. utilities.
Access, But No Attack
The department did not disclose which companies were victimized by the hacks, but indicated there were hundreds affected by the breach.
To date, in terms of the attack, “the effect has been limited to access so far, with no physical impact identified,” said Jonathan Homer, chief of industrial control systems group at the Hunt and Incident Response Team (HIRT)/NCCIC during the Wednesday webcast. “They had the access, but they didn’t commit to making the change.”
“Effectively the intrusions that occurred weren’t in a position to cause blackouts. In 1 or 2 cases the access was concerning on if the adversary did something stupid,” said Robert Lee, founder and chief executive at Dragos. “But the narrative of hundreds of victims and imminent blackouts wasn’t realistic with what actually occurred. The adversary is learning for future attacks but we have no indication of what and when will occur and it’s still a difficult path for the adversary. It’s not as if there are no challenges left for them.”
In March, DHS issued a warning about Russia staging a multi-year cyberattack campaign against the energy grid and other elements of critical infrastructure in the United States.
The attackers began by conducting reconnaissance on control systems. “The threat actor conducted research using publicly available information specifically related to the control systems being operated by specific victims,” Homer said. Through a series of attacks mainly focused on spear phishing, the APT group was able, over time, to infiltrate various control systems.
In addition, “Many of the phishing emails were targeted against control system operations and related to control system operations,” he said.
While the idea that Russia, or any other country or attack group, is constantly conducting reconnaissance on critical infrastructure entities should not really be a surprise, companies working in those vital sectors need to have a security program in place, and it needs to be a good one.
“Many of the actions exhibited by the activities responsible for these intrusions used relatively simple – yet effective – techniques to gain access to and pivot around the victim networks,” said Joe Slowik, adversary hunter at Dragos. “Specifically, the adversaries relied on capturing and reusing user credentials.”
“The report of Russian cyberattacks on the U.S. utilities and other critical infrastructure should not come as a surprise,” said Eddie Habibi, founder and chief executive at PAS Global. “Russia is not the only nation developing and field testing cyber-physical weapons capable of knocking out the critical infrastructure of other nations. The DHS/FBI report highlighted in the news this week exposes the relentless determination of Russia in developing its offensive cyber arsenal.
“Cyber-physical warfare is rapidly developing as the new normalized weapon of choice as it can, unlike nuclear, be developed in complete secrecy without detection. It is stealthy and effective in crippling an economy and the defense capabilities of a nation. The cyber-physical arms race is where nuclear was in the mid-to-late fifties, early proliferation. A major difference between nuclear and cyber weapons development is the speed and the cost of development. Any nation today can go from zero to a full-fledged offensive cyber weapons capability in 18 months. That is alarming.”
Habibi mentioned four thoughts companies should keep in mind:
1. Recognize and accept the fact that the cyber-physical weapons arms race started over a decade ago. Politicians must stop the infighting at once and help industry harden its vulnerable industrial control systems.
2. The engines of the economy are under serious threat. The same automation systems responsible for process safety and production in every industrial facility are soft targets in every country. They were not designed with cybersecurity in mind. Once breached, these systems cannot distinguish authorized commands from destructive moves by an attacker.
3. Operating companies at the board level recognize the threat to their production capability and brand reputation. They are in a race to secure their automation cyber assets, but most are in the early stages. They also realize these are highly complex heterogeneous systems and securing them will take time, unplanned budget appropriation and significant coordination.
4. The cyber fight is not a battle. It is a perennial war that is with us to stay. Get used to it.
Ahead of Threat
Talking about and warning others about the various threats to the ICS environment is one thing, but there are things everyone can do to help stay ahead of the threat.
During the Wednesday webcast, Homer discussed recommendations from NCCIC:
In the initial triage:
• Search for known indicators in historical logs (see the DHS alert)
• Remain focused on behaviors and tactics, techniques and procedures (TTPs)
• Don’t whitelist network traffic with trusted partners
For continual monitoring:
• Behavior-based analysis
• Staging targets: Anticipate spear phishing and watering holes
• Intended targets: Anticipate spear phishing, C2 using legitimate credentials, and persistent scripts on workstations and servers
• Block all external SMB network traffic
• Require multi-factor authentication for all external interfaces
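The first triage step and the SMB recommendation above are the two that can be turned directly into a log check. The script below is an added example written for this article; it is not code from NCCIC, DHS or the webcast. The indicator values, the key=value firewall log lines and the RFC 1918 definition of “internal” are all constructed assumptions for illustration; a real run would substitute the indicators from the DHS alert and the organization’s own log format.

```python
import ipaddress
import re

# Constructed indicator list standing in for the indicators in the DHS alert.
# These values are placeholders for illustration, not real IOCs.
KNOWN_BAD_IPS = {"203.0.113.25", "198.51.100.77"}
KNOWN_BAD_HOSTS = {"update-check.example.net"}

SMB_PORTS = {139, 445}

# Assumption: "internal" for the SMB rule means the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log lines in a simple key=value format (sample input, not real traffic).
SAMPLE_LOGS = """\
ts=2018-07-18T09:12:01Z src=10.20.5.14 dst=10.20.5.2 dport=445 proto=tcp action=allow
ts=2018-07-18T09:12:44Z src=10.20.5.14 dst=203.0.113.25 dport=445 proto=tcp action=allow
ts=2018-07-18T09:13:10Z src=10.20.5.31 dst=198.51.100.9 dport=443 proto=tcp action=allow host=update-check.example.net
ts=2018-07-18T09:14:02Z src=10.20.5.31 dst=192.0.2.40 dport=139 proto=tcp action=allow
ts=2018-07-18T09:15:37Z src=10.20.5.40 dst=172.16.8.9 dport=445 proto=tcp action=allow
ts=2018-07-18T09:16:05Z src=10.20.5.40 dst=198.51.100.77 dport=8080 proto=tcp action=deny
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def is_internal(ip):
    """True when the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(log_text):
    """Return a list of (rule, src, dst, detail) findings over the log text."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        src, dst, dport = rec["src"], rec["dst"], int(rec["dport"])
        # Rule 1: indicator match on destination IP or hostname.
        # A denied connection to a known-bad host is still a finding:
        # the host that tried is what the investigator needs to look at.
        if dst in KNOWN_BAD_IPS:
            findings.append(("known_ip", src, dst, rec["action"]))
        if rec.get("host") in KNOWN_BAD_HOSTS:
            findings.append(("known_host", src, dst, rec["host"]))
        # Rule 2: SMB leaving the RFC 1918 space that the firewall allowed through.
        # This is the traffic the "block all external SMB" recommendation would stop.
        if dport in SMB_PORTS and not is_internal(dst) and rec["action"] == "allow":
            findings.append(("external_smb_allowed", src, dst, str(dport)))
    return findings


def summarize(findings):
    """Count findings per source host, the usual pivot for follow-up."""
    counts = {}
    for _, src, _, _ in findings:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f)
    print(summarize(triage(SAMPLE_LOGS)))
```

The SMB rule deliberately keys on the firewall having allowed the connection: a denied SMB attempt is already blocked, while an allowed one means the recommendation is not yet enforced on that path. Note that `ipaddress.ip_address(...).is_global` is not used for the internal test because Python treats the documentation ranges used in the sample (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as non-global, which would hide the very cases the sample is meant to surface.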
“The value of segregating your network is invaluable,” said Gary Williams, senior director, cybersecurity service offer leader at Schneider Electric. “People don’t realize when a breach takes place, the first things you have to do are isolate, identify and mitigate. If you have an open plant with no segregation, that means the forensic investigators have to look at the entire plant. If there is segregation, you only have to isolate the portion or the zone that has been infiltrated.
Zones and Conduits
“Every attack that has taken place over the years has either been somebody being stupid or, if it is an accidental attack, it is because they have not implemented security in depth. Security in layers was the first approach of the ISA 99 (now IEC 62443) using the Purdue model. It was superb, it worked, it gave clear definition of how to segregate each one of the operations criteria as you moved down the chain. Zones and conduits has so much value. It saves money and time from an audit perspective, it is the best way to approach any breach because all you have to do is isolate the egress and ingress point and then identify and eradicate,” Williams said.
“Adding two-factor authentication schema, eliminating or sharply curtailing the use of local administrator accounts, and increasing host visibility and logging to track user activity can all be used to improve defenses and shorten the amount of time to breach discovery,” Slowik said. “Within the ICS network itself, the same items discussed above plus increasing segmentation and overall visibility will help, along with a better understanding of the ICS threat environment and learning how adversaries operate in these intrusions. Knowing how these attacks take place and what behaviors are exhibited by ICS-targeting groups allows ICS defenders to prepare and position defenses against future attacks.”