It has been an incredibly busy two months in the world of Industrial Control Systems/Critical Infrastructure cybersecurity. A drop in the bucket for what we've become used to in the world of IT security - but incredibly noisy for this space – and an alarming precursor for what will come.
Yes, we chose “will” come specifically because we don’t believe there is room for doubt any longer.
Before the chattering class erupts with a chorus of “FUD! FUD MONGERS!”
We agree, pure FUD is not helpful and can unnecessarily scare citizens, policymakers, and executives alike – and we all know that sound decisions are not often made from a position of fear. We also agree, the cybersecurity community has a long history of shoveling heaps of FUD. However, the recent chorus of FUD counter-spin in the industrial control system cybersecurity space can be just as damaging.
As an industry, we should be a calm force in the storm. But telling everyone to ignore the dark clouds on the horizon, basically to ignore the storm, is simply irresponsible, unproductive and will not help galvanize support for action. And what we need now is action to better protect these networks.
After last week’s news that threat actors were (again) targeting US energy companies, the chattering class was quite vocal and publicly derided journalists for “hyping” the story. Yes, the intrusions were confined to the business networks, not the control system networks. Yes, the use of Wolf Creek Nuclear in headlines may have somewhat over-hyped the story. No, the lights weren't turned out, like Ukraine, because of these cyber-attacks. But that does not diminish the fact that we are witnessing a rapidly evolving threat situation.
Yes, there are dark storm clouds and it is already raining in some places.
Counter-spin like this is not helpful.
“It’s not trivial to move from the business networks to the industrial networks, and our grid has a lot of safeguards...”
Need we remind anyone that the VPN credentials used in the 2015 Ukraine Grid Attack were pinched FROM THE BUSINESS NETWORK?
It is, in fact, sometimes very easy to move from the business network to the control network. Yes, there are safeguards in place between IT/OT networks – from firewalls to one-way diode technologies – that can make lateral network movement from the business network to the control network difficult. There are also safety systems that provide an additional layer of protection and raise the bar for attackers trying to cause harm to people or industrial assets.
But many of the counter-spin statements, maybe inadvertently, seriously underplayed the risk to energy systems specifically, and the very large set of industrial networks that run our world.
What has happened in the past two months that should give cause for alarm?
We’ve seen a series of attacks that have either been directly targeted at critical infrastructure/industrial control systems networks – or that have spilled over into these domains.
- May 2017 – WannaCry Ransomware (believed to be perpetrated NOT by criminals but by North Korea) spills over into industrial control systems networks and disrupts production
- June 2017 – Petya/NotPetya Ransomware (believed to be perpetrated NOT by criminals but by Russia) spills over into industrial control systems networks and disrupts production
- July 2017 (Disclosure) – A series of spear-phishing and watering hole attacks (believed to be perpetrated by Russia) against the business networks of more than a dozen energy and nuclear power firms is disclosed
In the past 3 months, we’ve arguably seen more (at least from a disclosure perspective) threat activity against critical infrastructure/industrial control networks than we’ve seen in the past few years. This signals a trend – the attackers are coming, they’re coming from multiple angles and with multiple motives.
We’ve been warning about the changing threat landscape in critical infrastructure/ICS for some time now – and we believe that the following warning from a previous blog post we penned is accurate and should be heeded based on what we’ve seen in the past few months:
“Nation-states do not fear reprisal and are likely to use ICS attacks as a component of geo-political conflict. Alarmingly, offensive cyber tools are becoming commonplace, lowering the bar for rogue nations, jihadists and hacktivists to get into the ICS attack game. And, cyber-criminals are figuring out that ICS networks are critical and therefore valuable, meaning it is only a matter of time until we see major ransomware trends in ICS.”
Why be alarmed if we haven't seen major disruption like Hollywood spelled out in 1995's "Hackers" or whichever “Die Hard” # that one was?
We shouldn’t overstate the problem with hyperbole – no, the probing against business networks disclosed in July hasn’t caused disruption, and no – it hasn’t jeopardized safety at nuclear power plants. In order to be responsible information security professionals, however, we must endcap those statements with the word “Yet.” Because while the segmentation between business networks and ICS networks in nuclear power plants might be fairly sophisticated, in most industrial networks, including many Utilities that are part of the US Grid, it is not.
Just as we cannot overstate the impact of the activity over the past few months, causing fear, uncertainty and doubt…we cannot understate it either. While the “Fear” portion of “FUD” may not accompany understatement, “uncertainty” and “doubt” definitely do.
We cannot responsibly tell our constituents (paraphrasing) “You shouldn’t be that worried about this stuff – the probing of energy and nuclear facilities just led to the theft of employee credentials and such…”
“Don’t worry because it isn’t a trivial exercise to get from the business networks to the industrial side of the house.”
“Security people are just screaming ‘FIRE’ because they don’t have anything else to point to…”
Because – frankly – all of these (paraphrased) statements are completely inaccurate.
Our constituents SHOULD be VERY concerned with the fact that an adversary which already conducted probing activity against energy in 2014 and perpetrated two disruptive attacks against Ukraine in 2015 and 2016 is back at it again.
Our constituents SHOULD be VERY concerned that these adversaries seemingly already had one nuclear energy company’s network mapped, that they were using stolen credentials in an effort to further map the network/gain access to a large number of Windows machines (This is lateral movement, folks).
Our constituents SHOULD NOT believe that their business and ICS networks are so well segmented that a determined adversary cannot make the jump – c’mon man, what are you talking about? Just look at the ransomware spillover and it is clear as day how poorly segmented these networks actually are.
As we say, airgaps and unicorns have one thing in common – they do not exist. A motivated adversary with the right skills and tools will ALWAYS find a way into a network.
And we should definitely NOT besmirch the motives of others in the security space who are seeking to sound an alarm – which if not heeded could result in disastrous outcomes.
The Ground Truth in the Echo Chamber…
The lack of nightmarish outcomes from the past few months of threat activity in critical infrastructure/ICS does not and must not diminish the need for a world-wide wake-up call. Nation-state adversaries have shown us time and again that they are patient and persistent. They have shown us that work done today is usually in preparation for larger activity in the future.
The intellectual property gains that can come from probing business networks at nuclear and energy firms are limited – clearly, the adversary is interested in the industrial side of the house…perhaps not for activity today or tomorrow – but for activity at some point when the geo-political situation warrants it. Seems like a training exercise – not on the tech – but on how far adversaries can push before the world reacts.
We have to stop this nonsense as security professionals. It’s a repeat of what we saw over the past 10 years in IT security – where the talking heads debate the severity of the problem as that severity grows and grows.
In that case, all we lost (le sigh, le sarcasm) was hundreds of billions of dollars of intellectual property, decades worth of competitive advantage, a treasure trove of state secrets, millions upon millions of pieces of PII…in this case, the stakes are far too high.
We believe that the challenge in cyber security over the next decade is to stop the threat to industrial control systems networks that is not only growing, but is manifesting itself TODAY.
Don’t take our word for it – listen to the folks that have had the highest levels of access to the most real threat information. Look at the comments of past and current NSA Directors – General Michael Hayden is vocal on this subject.
What about Admiral Rogers? He’s been touring the country attending small ICS cyber security conferences to raise awareness. They obviously believe this threat is real, is imminent and that defenders are woefully unprepared.
The long and short of it is this – the threat is growing and while we shouldn’t be acting like “Chicken Little” as an industry – we darn well better not be acting as Neville Chamberlain either.