By Gregory Hale
In what should be a surprise to no one, a series of attacks compromised energy companies in the United States and Europe and gave the attackers access to grid operations, to the point where they could have flipped the switch on power.
A report released by Symantec Wednesday revealed attacks by a group it is calling Dragonfly 2.0, which it said targeted dozens of energy companies since 2015.
In more than 20 cases, Symantec said attackers gained access to the target companies’ networks. At U.S. power firms and at least one company in Turkey, Symantec’s forensic analysis found the attackers obtained what it calls operational access. That would mean control of the interfaces power company engineers use to send actual commands to equipment like circuit breakers, giving the attackers the ability to stop the flow of electricity into U.S. homes and businesses.
In the same vein, Ukraine suffered separate attacks in December 2015 and December 2016 that caused power outages for over 250,000 citizens.
“If it wasn’t clear before, it damn well ought to be clear now whoever the attack gets attributed to has real intent in gaining a foothold and understanding these networks,” said Patrick McBride of Claroty. “You don’t need to get a crystal ball to understand motivations. They are learning as much as they can so they can do something in the future. What and when is open to a lot of speculation.”
“It is concerning that the Dragonfly campaign re-emerged, that it has been discovered on operational computers and the intent of the malware is to obtain access to energy and ICS based systems,” said John Cusimano, director of industrial cybersecurity at aeSolutions.
A Way In
With all of these types of attacks, there always needs to be a way into the control system network.
“Any remote connection from a third party, or from the company’s own business network is a potential launching point for an attack into the crown jewels – the network and systems that actually control things. Most (but definitely not all) companies at least have some segregation of the control and business networks and some level of control of the remote access into them,” said Graham Speake, chief information security officer at Berkana Resources. “The sophistication of these barriers and the processes and policies that are in place to control the granting, revocation and review of the access rights will determine how likely a remote adversary will be able to exploit them. The ideal would be to disallow all remote access and only push data out from the control system network, preferably through data diode type devices, but this is not always feasible. Where remote access is needed, it does need to be strictly controlled and monitored to ensure only valid traffic and users are being allowed through. There are also a number of anomaly detection tools on the market that also work very well which can spot nefarious traffic patterns in the control system network. While it is an old adage, defense in depth is a great way to go, but do not just put the defenses in, actively monitor them as well.”
What is clear is the attackers are not only good at getting into a system, they are also very knowledgeable about control systems.
“There are definitely adversaries out there that know control systems. Assuming this is the Russian actors responsible for the Sandworm stuff and the Ukrainian attacks, yes, they know control systems,” McBride said. “These guys not only know how to get into a system, once they are there, they really know how to make things happen. Getting into the network is trivial. Once you are in, to have the outcome you really want to have, you really need to know the control system. This adversary has the know-how, has the tools, and the tradecraft to do that.”
Now that it is understood attackers will get in, either by brute force or surreptitiously, utilities, and users in general, need to know what they have running on their systems.
Challenge of ICS
“The challenge is that the installed base of ICS systems in the energy sector is enormous, complex and not well-documented. It is not uncommon to find ICS systems comprised of equipment that spans 3 or 4 decades and networks that expanded, evolved, and quite frankly have been ‘kludged’ together over the decades,” Cusimano said. “Because of this, many organizations are unaware of the security vulnerabilities that are deep within their ICS systems. The only way to find them is to perform an in-depth vulnerability assessment that maps out the actual ICS network and dataflows as well as evaluates the configuration of the ICS endpoints and network devices.
“Multiple software tools have emerged in the last few years to assist end-users in understanding and managing their ICS systems. These tools can be very helpful, but end-users need to be aware that no tool alone is going to do the work for you. A significant effort needs to be made to baseline the vulnerabilities and risks in existing ICS systems. Tools can help in this effort, but they cannot completely automate this effort. It requires people with deep knowledge of control systems, networks, industrial protocols, and plant operations who also have the time to actually ‘walk the network’ and open every cabinet and follow every undocumented network cable to find what’s on the other end. It’s a big effort but the results are always worth it.
“Once you’ve documented the actual system architecture, dataflows and vulnerabilities, you can then assess the risk from an operational perspective and develop a roadmap to address high risk items. Then, and only then, should you be evaluating continuous monitoring tools that can assist in detection, response and management of change. Investing in these tools before you’ve assessed your systems and implemented basic ICS security best practices is analogous to installing a sophisticated alarm system on a house that has openings in the fence, multiple unlocked windows and doors and valuables scattered throughout. You can do it but you’ll need a lot of sensors because the attack surface is huge, you’ll be flooded with alarms and the alarms will only tell you after the fact that you’ve been robbed. Your time and money would be much better spent first evaluating the gaps, repairing the fence, installing exterior locks, putting valuables in a safe and then designing an alarm system that will monitor the critical access points,” Cusimano said.
Use What Works
The message on how companies should protect themselves is not new; it is a tried and true formula.
“We can’t rely on hiding behind barriers, but have to start securing the components of our control systems,” said security controls expert Eric Byres of ICS Secure. “Dragonfly, Stuxnet and BlackEnergy were all pretty obvious on the ICS network once you looked for them, but sadly few companies did. Even sadder still, few really have a means of monitoring their ICS network traffic in a meaningful way today. There is a gold rush of companies that offer software to help with ICS monitoring and that is good news. Unfortunately, deploying ICS network analysis software corporate-wide is harder than it looks.
“It’s also important to note that monitoring is only half the solution. Effective security is a control loop where observations can be translated into immediate actions. For example, if you are detecting activity on your network that indicates someone is scanning for a particular vulnerability on your devices, then you need to know exactly which devices might be susceptible to that vulnerability and have a way to immediately triage those devices. Waiting for tomorrow’s morning shift to sort out a patching strategy just isn’t good enough,” Byres said.
McBride suggested a few ways a utility could protect itself:
• Network segmentation
• Network monitoring to check for anomalies
• Understanding your vulnerabilities
• Patch as much as you can
• Firewalls at ingress and egress
• Educate workers on cybersecurity methods like avoiding a spear phishing attack
• Secure remote access
• Multi-factor authentication
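The items on McBride’s list, Speake’s point about controlling and monitoring what crosses into the control network, and Byres’s “control loop” of turning a detection into an immediate, per-device action can be illustrated together in a small monitor. The following is an added example written for this article, not code from any of the people quoted or from Symantec; the zones, allowed conduits, asset inventory and flow records are all constructed for illustration. It takes a segmentation policy (which zone may talk to which zone on which port), checks flow records against it, flags sources that touch an unusual number of distinct targets, and maps every finding onto the affected control-zone asset so an on-shift engineer has a worklist rather than a pile of alerts.

```python
"""Zone-based flow monitoring for a segmented control network (constructed example)."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed zone layout (constructed): business LAN, a DMZ for historians and
# jump hosts, and the control network that actually talks to field devices.
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}

# Conduits the segmentation policy permits: (src_zone, dst_zone, dst_port).
# Business hosts may only reach the DMZ over HTTPS; only the DMZ may reach
# the control zone; control-to-control traffic is limited to ICS protocols.
ALLOWED_CONDUITS = {
    ("business", "dmz", 443),
    ("dmz", "control", 502),        # Modbus/TCP polling from the DMZ collector
    ("dmz", "control", 3389),       # RDP from the monitored jump host
    ("control", "control", 502),
    ("control", "control", 44818),  # EtherNet/IP
}

# Constructed asset inventory for the control zone: address -> (name, role).
INVENTORY = {
    "192.168.100.10": ("PLC-FEEDER-01", "breaker controller"),
    "192.168.100.11": ("PLC-FEEDER-02", "breaker controller"),
    "192.168.100.50": ("HMI-01", "operator workstation"),
}

# Constructed flow records, one "src dst dport" per line.
SAMPLE_FLOWS = """
10.10.5.20 10.20.0.5 443
10.20.0.5 192.168.100.10 502
192.168.100.50 192.168.100.10 502
10.10.5.77 192.168.100.10 502
10.10.5.77 192.168.100.10 102
10.10.5.77 192.168.100.11 502
10.10.5.77 192.168.100.11 102
10.10.5.77 192.168.100.50 3389
10.10.5.77 192.168.100.50 445
10.10.5.20 10.20.0.5 8080
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Name the zone an address belongs to, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow_log(text: str) -> list[Flow]:
    """Parse 'src dst dport' records; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        flows.append(Flow(parts[0], parts[1], int(parts[2])))
    return flows


def segmentation_violations(flows: list[Flow]) -> list[Flow]:
    """Flows that cross zones, or touch the control zone, outside an allowed conduit."""
    out = []
    for f in flows:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        in_scope = sz != dz or "control" in (sz, dz)
        if in_scope and (sz, dz, f.dport) not in ALLOWED_CONDUITS:
            out.append(f)
    return out


def scan_candidates(flows: list[Flow], threshold: int = 5) -> dict[str, int]:
    """Sources that touched more than `threshold` distinct (host, port) targets."""
    targets: dict[str, set] = defaultdict(set)
    for f in flows:
        targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) > threshold}


def triage(flows: list[Flow], threshold: int = 5) -> dict[str, list[tuple]]:
    """Control loop step: group findings by the asset they hit, with a reason."""
    scanners = scan_candidates(flows, threshold)
    worklist: dict[str, list[tuple]] = defaultdict(list)
    for f in segmentation_violations(flows):
        name, role = INVENTORY.get(f.dst, (f.dst, "unknown asset"))
        reason = "segmentation violation"
        if f.src in scanners:
            reason += f" from scanning host ({scanners[f.src]} targets)"
        worklist[name].append((f.src, f.dport, role, reason))
    return dict(worklist)


if __name__ == "__main__":
    for asset, items in triage(parse_flow_log(SAMPLE_FLOWS)).items():
        print(asset)
        for src, port, role, reason in items:
            print(f"  {src} -> :{port}  [{role}]  {reason}")
```

Run as-is, the constructed log produces a worklist keyed by asset name: the two feeder PLCs and the HMI each have entries from a business-zone host that touched six distinct targets, and one DMZ flow on an unexpected port shows up under its raw address because it is not in the inventory. The policy is deliberately a whitelist of conduits rather than a blocklist, which is what makes a firewall at the zone boundary and a monitor behind it agree on what “normal” is; the inventory lookup is the piece Byres describes, turning “something scanned the control network” into “these specific breaker controllers were touched, check them now.”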
Targeted for Over 2 Years
As Symantec’s report on the intrusions points out, the company tracked the Dragonfly 2.0 attacks back to at least December 2015, but found they ramped up significantly in the first half of 2017, particularly in the U.S., Turkey, and Switzerland. Its analysis of those breaches found they began with spear phishing emails that tricked victims into opening a malicious attachment.
“Within critical infrastructure, we have relied heavily on traditional security controls like system complexity and obscurity to prevent attackers from gaining control over power generation, refining, and manufacturing,” said David Zahn, general manager of the cybersecurity business unit at PAS.
“In the end, attacker ingenuity, perseverance, and possibly nation-state backing have shown these controls (and others) as insufficient safeguards,” Zahn said. “The naked truth is that critical infrastructure is far behind other industries, such as financial services, in terms of cybersecurity and even those industries continue to experience significant breaches. It is therefore not surprising when we get news of attackers gaining control over power operations.”