Some days I wonder why we connected our organization to the Internet. Sure, I was the one advocating for it when I was a technical manager. But it seems that for all of the benefit that it brings in efficiency, functionality and services, it brings twice as much in the way of vulnerability and risk.
But connect it we did and now we constantly thread the risk and reward needle. Oh, for the simple days when we connected our fledgling network directly to the Internet with no intervening firewall. Simple or not, I cringe to think that we ever did that.
The Perils of Cyberspace
It's not news to anyone that cyberspace is full of dastardly trolls, constantly searching for a route to make a quick buck or steal intellectual property. We've known this for a long time now. All of us have dealt with scammers, spammers and phishers. We've cleaned up after viruses, worms, Trojans and botnets. We've coped with ransomware such as CryptoLocker. It's become part of what we do as IT professionals.
But of late a new type of threat has emerged, one that should make all energy companies nervous. Many call it the advanced persistent threat, or APT. This threat doesn't come from your run-of-the-mill mobster or botnet herder. APTs are state-sponsored threats that seek to establish a beachhead inside our networks and stay there. Clean them up and they come right back, because they were never really gone. APTs are the gift that keeps on giving.
I've heard it said that there are two types of companies, those that have been infected by an APT and know it, and those that have been infected by an APT and don't know it yet. I'm not exactly sure how true that statement is, but when an APT campaign was discovered in the oil and natural gas sector a few years ago, it was determined that the undetected campaign had been underway for at least five years. The affected companies had intruders in their networks for FIVE YEARS and didn’t know it.
Thankfully, in that campaign the APT operators were only after intellectual property. After all, why spend the time and money developing leading-edge technology when you can just steal it?
But what if they had been after more than the latest technologies and designs in the energy business? What if they had been after control of our refineries, pipelines or electric generators? It sure seems that they could’ve easily had it.
A Cybersecurity Sea Change
If you follow the mainstream news, you probably know that the cybersecurity game in the energy sector has changed substantially in recent months.
Just before Christmas, on Dec. 23, 2015, a widespread blackout occurred in parts of Ukraine, impacting some 225,000 customers. The media immediately began to speculate that it was the result of a cyber-attack.
According to a recent report from CNN, security experts from the U.S. assisted the Ukrainian government in the post-mortem analysis. During that analysis, a variant of malware known as BlackEnergy was discovered on the affected entities' networks. However, it was not known whether the malware was actually used in the attack or was simply uncovered during the investigation. (As an aside, the name "BlackEnergy" is unfortunate in this context, in that there is nothing energy-specific in the malware. It could just as easily have been named "PurpleKiwi".)
Additional reporting from ICS-CERT, a part of the Department of Homeland Security, confirmed that the incident was caused by cyber-attackers, while noting that the role of BlackEnergy in the attack remains uncertain.
According to that report, the attackers found their way into the compromised networks via a simple e-mail phishing attack carrying an infected Microsoft Office attachment. When the document was opened, an embedded macro downloaded the malware (BlackEnergy or something like it) onto the affected organizations' networks. Once inside, the attackers were able to harvest valid network credentials and then used those credentials to remotely access the control networks.
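The chain above starts with a macro-bearing Office attachment, which a mail gateway can check for before a user ever sees it. The following is an added example of such a check (my own code, not from the article, the CNN report or the ICS-CERT report). It assumes that OOXML attachments (.docx, .docm, .xlsx, .xlsm and so on) are ZIP containers that store a VBA project as a part named vbaProject.bin, and that legacy binary Office files are OLE compound files whose directory names the VBA stream _VBA_PROJECT in UTF-16LE; the OLE case is a raw byte scan, not a full OLE parse. The sample attachments are constructed in the script rather than real captures.

```python
"""Flag e-mail attachments that carry a VBA macro.

Added example, not code from the original article. Files are identified by
content, not by extension, because the attacker controls the file name.
"""
import io
import os
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                        # OOXML containers
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt
# Directory-entry name of the VBA project stream inside an OLE file, stored
# UTF-16LE. Assumption: a raw byte scan for it is a good-enough heuristic here.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# OOXML extensions whose content types do not allow a VBA project at all.
MACRO_FREE_EXTS = {".docx", ".xlsx", ".pptx"}


def has_vba_macro(data: bytes) -> bool:
    """Return True if the attachment bytes contain a VBA project."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False  # not a valid ZIP, so not an OOXML document
    if data.startswith(OLE_MAGIC):
        return OLE_VBA_MARKER in data
    return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment as 'clean', 'macro' or 'macro-mismatch'.

    'macro-mismatch' means a VBA project sits behind an extension that should
    never carry one, which is a stronger signal than a plain .docm/.xlsm.
    """
    if not has_vba_macro(data):
        return "clean"
    ext = os.path.splitext(filename)[1].lower()
    if ext in MACRO_FREE_EXTS:
        return "macro-mismatch"
    return "macro"


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-style ZIP, not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00")  # placeholder bytes
    return buf.getvalue()


# Constructed sample attachments (not real captures). The "legacy.doc" entry is
# just an OLE header followed by the stream-name marker, enough for the scan.
SAMPLES = {
    "invoice.docm": build_ooxml(with_macro=True),
    "report.docx": build_ooxml(with_macro=False),
    "renamed.docx": build_ooxml(with_macro=True),   # macro behind a macro-free extension
    "legacy.doc": OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER + b"\x00" * 16,
    "brochure.pdf": b"%PDF-1.4\n%...",
}


def triage_all(samples=SAMPLES) -> dict:
    """Run the check over every sample and return {filename: verdict}."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:14} {verdict}")
```

In a real gateway the verdict would drive quarantine rather than a printout, and the OLE branch should be replaced by a proper compound-file parser (for example the olefile library) once the heuristic has proven its worth on your own mail stream. The macro-mismatch verdict is worth routing to a human: a .docx that contains a VBA project was either renamed by someone or built by a tool that does not care about the content types.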
With access to the control networks and the systems residing on them, it would have been a very simple task to use the inherent functionality of those control systems to open the line breakers in a large number of electric substations and drop the load on those stations.
Once the impact had been inflicted, the attackers apparently used the KillDisk disk-erasing utility to render the control systems unbootable and unusable for restoration efforts.
In parallel with the attack on the electric infrastructure, there were denial of service attacks on the utilities' telephone call centers, in an apparent attempt to thwart outage-reporting calls. There were also reports of uninterruptible power supply systems being targeted via their network management interfaces, again in an apparent attempt to hinder recovery.
There are several takeaways from this incident, ones that should make every organization, energy sector or otherwise, rethink its cyber security strategy.
1. This was a well-planned and coordinated attack. This incident was not a haphazard cyber expedition, put together by routine spammers, scammers or script-kiddies. This was a deliberate, well-orchestrated attack on very specific and valuable targets.
2. This was not a brute-force attack. From the information available, it does not appear that firewalls were breached or brute-force password cracking was done. These attackers took the simple route in. As the saying goes: “Why break down the front door when you can slip through a side window?”
3. There was nothing novel in this attack. The methods, tactics and malware were standard “off the shelf” techniques. Spear-phishing, malicious attachments, remote access Trojans, stealing of credentials and other tactics have existed for years. They just hadn’t been put together in a form to cause power outages … until now.
So, a low-tech attack (though thoroughly planned and executed) pulled off the first documented case of a cyber-induced power outage. Think about what could have been done with a sophisticated one.
Whether or not you as the CIO also hold CISO responsibilities for your organization, it is incumbent on you to take steps to ensure that your IT assets are adequately protected. What happened in Ukraine makes it obvious that no target is immune from attack and compromise. The "routine" breaches we have all come to expect at major companies, ones we would have expected to be better at the protection game than they proved to be, make the same point. In short, we're ALL vulnerable.
Think about your organization’s IT operation in light of what happened in the Ukrainian incident. Can you say that you wouldn’t fall victim to a similar attack? Are your company’s key systems and information safe from compromise? If not, then you have some work to do.
A cyber compromise of your “crown jewels” is no longer a theoretical exercise … it’s now all too real.