It has been a busy week of webinars, headlines, and carefully curated statements about Russia’s 2016-2017 campaign against America’s critical infrastructure, with an emphasis on energy and public utility companies. Before I delve into my thoughts on this week’s proceedings, I want to offer a quick thought about the Department of Homeland Security (DHS) and specifically the National Cybersecurity and Communications Integration Center, or NCCIC.
I have been working with the NCCIC in one capacity or another for the better part of the last decade, both during my time at U.S. Cyber Command and most recently as CTO for the state of New Jersey. I believe in their mission and their people. I also believe that the NCCIC is a valuable and often unrecognized asset to the country. The organization has evolved, and this evolution will no doubt continue well into the next decade. And while it is easy for those of us on the outside to throw spears at their analysis and messaging, we should all be thankful for their commitment to the Nation's cybersecurity during what is an incredibly difficult time to serve, for a whole host of reasons. The NCCIC has matured in leaps and bounds over the last several years and I expect this growth trajectory to continue.
Okay, so let’s recap what happened this week. DHS, through the NCCIC, hosted four webinars to grow awareness of and put into context the Russian cyber activity against critical infrastructure detailed in March’s Technical Alert TA18-074A. Grow awareness they did, but they unfortunately botched the context part — at least initially.
For close observers of cyber threats to critical infrastructure, these webinars didn’t reveal any new information — they simply presented existing analysis in a less technical manner for a more generalist audience (which is a good thing by the way). The media, however, seized on the portentous picture painted by the presentation. “They got to the point where they could have thrown switches”, said one of the NCCIC officials. Later that evening the Wall Street Journal published an article with the word “blackouts” appearing three times.
Here's the deal: as a society we have a tendency to fixate on the hypothetical scenario of cyber-induced blackouts, and understandably so I suppose. We rely so heavily on the availability of electricity for commerce, communications, and daily life that referencing massive outages paints the kind of sensationalized picture that sells papers and attracts viewers. Likewise, by constantly referring to "the grid" in the singular, the media reinforces the misconception that America's electrical generation and delivery capacity has a single point of failure, when in fact it is relatively redundant, with regional systems largely isolated from one another.
What we witnessed this week was at best a common marketing tactic of sacrificing some intellectual integrity in order to amplify a broader message, and at worst an irresponsible analytical leap.
In fact, what really happened was later clarified by Secretary of Homeland Security Nielsen on Fox News. When asked about the threat of blackouts, she didn’t take the bait. Instead, she said:
"What we saw was targeting a particular industrial control system which manages our grid, manages distribution of energy, and in one case we did see access to a very limited distribution asset. It would not have had an effect on the larger grid. Nonetheless, it shows us the capability is there."
So how do we get to a place where there is such a disparity between what is really happening in cyberspace and how it is being reported? This is a topic for a future and much more in-depth post, but put simply, we need to base our assessments on facts and, like Secretary Nielsen, not take the bait.
Switching gears a bit, allow me to offer some of my key takeaways from both the joint Technical Alert and this week’s webinars.
First, as with most reconnaissance and staging operations, the threat actors exploited trust as much as they exploited technical vulnerabilities. Many of the compromised victims were third parties to the critical infrastructure providers. These staging targets were carefully selected vendors, chosen because a phishing attempt is most likely to succeed when it appears to come from an organization with which the ultimate target already has a close relationship. In some cases, these vendors had been granted exceptions to the target's cybersecurity policies, such as the two-factor authentication requirement. As a result, the threat actors did not need to first establish a presence on the target networks; they simply used stolen vendor credentials against external-facing, single-factor systems such as VPN, Outlook Web Access (OWA), and Remote Desktop.
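One practical way to hunt for the pattern above is to join your VPN, OWA and RDP gateway authentication logs against the list of accounts that hold an MFA exception and flag every successful single-factor login, then rank those by whether the source address falls inside the ranges the vendor declared. The following is an added example written for this post, not code from the original article or from DHS/NCCIC; the log record format, the account name, the IP ranges and the exemption list are all constructed for illustration and would need to be mapped onto your own gateway telemetry.

```python
"""Flag successful single-factor logins to external-facing services.

Added illustration; not from the original post or any NCCIC material.
The event schema, account names, addresses and exemption list below are
hypothetical and constructed for this example.
"""
import ipaddress
from collections import defaultdict

# Constructed sample events as a VPN/OWA/RDP gateway might export them.
# Not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2018-03-15T02:13:07Z", "service": "vpn", "user": "svc.vendor01",
     "mfa": False, "src": "203.0.113.7", "result": "success"},
    {"ts": "2018-03-15T02:14:40Z", "service": "owa", "user": "svc.vendor01",
     "mfa": False, "src": "203.0.113.7", "result": "success"},
    {"ts": "2018-03-15T09:02:11Z", "service": "vpn", "user": "svc.vendor01",
     "mfa": False, "src": "198.51.100.20", "result": "success"},
    {"ts": "2018-03-15T09:30:00Z", "service": "rdp", "user": "jsmith",
     "mfa": True, "src": "203.0.113.9", "result": "success"},
    {"ts": "2018-03-15T10:00:00Z", "service": "rdp", "user": "jsmith",
     "mfa": False, "src": "203.0.113.9", "result": "failure"},
]

# Accounts holding an MFA exception, with the egress ranges the vendor
# declared when the exception was granted (hypothetical values).
MFA_EXEMPT = {
    "svc.vendor01": [ipaddress.ip_network("198.51.100.0/24")],
}

# Services reachable from the Internet; the ones the post names.
EXTERNAL_SERVICES = {"vpn", "owa", "rdp"}


def find_single_factor_logins(events, exempt=MFA_EXEMPT):
    """Return successful, non-MFA logins to external-facing services.

    Severity:
      high   - single-factor login from outside the vendor's declared ranges,
               or by an account that holds no exception at all
      medium - exempt account used from its declared range (the exception
               itself is the exposure, even when the login is legitimate)
    """
    findings = []
    for e in events:
        if e["result"] != "success" or e["mfa"]:
            continue
        if e["service"] not in EXTERNAL_SERVICES:
            continue
        src = ipaddress.ip_address(e["src"])
        if e["user"] not in exempt:
            severity, reason = "high", "single-factor login by account with no MFA exception"
        elif not any(src in net for net in exempt[e["user"]]):
            severity, reason = "high", "exempt account used from outside declared vendor ranges"
        else:
            severity, reason = "medium", "exempt account used from declared range"
        findings.append({**e, "severity": severity, "reason": reason})
    return findings


def summarize(findings):
    """Count findings per account and severity, as plain nested dicts."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        counts[f["user"]][f["severity"]] += 1
    return {user: dict(sev) for user, sev in counts.items()}


def accounts_to_review(findings):
    """Accounts with any high-severity finding: candidates for revoking
    the exception and resetting the credential."""
    return sorted({f["user"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    hits = find_single_factor_logins(SAMPLE_EVENTS)
    for h in hits:
        print(h["ts"], h["service"], h["user"], h["src"], h["severity"], "-", h["reason"])
    print(summarize(hits))
    print("review:", accounts_to_review(hits))
```

On the constructed sample, the two logins from 203.0.113.7 are flagged high because the exempt vendor account is being used from an address the vendor never declared, which is exactly the stolen-credential case; the login from the declared range is still reported at medium so the exception itself stays visible to whoever owns the policy. Detection like this is a compensating control, not a fix: the durable remediation is to remove the exception and require MFA on every external-facing service, vendor accounts included.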
Second, the threat actors exfiltrated a lot of ICS data from corporate information technology (IT) networks. This too is a common tactic, technique, and procedure (TTP) observed during the reconnaissance stage. It highlights, among other things, the value of establishing a single governance authority over IT and operational technology (OT) security. Confidential and proprietary ICS data is often not sufficiently locked down. From a defensive perspective, keeping this data out of the hands of hackers can fundamentally change their operational planning posture. At the very least, defenders should aim to raise the time and cost it takes for threat actors to acquire this information.
Finally, the NCCIC did a great job of illustrating a user interface for what appears to be a distribution asset that the threat actor had accessed. They did so by reconstructing the bits and bytes that were exfiltrated from the target. This image is powerful because it highlights the degree to which actors with persistence can achieve physical effects almost immediately upon accessing a human-machine interface (HMI) or engineering workstation (EW). It is important to note, however, that those effects would often be limited in the context of a large industrial environment or electric utility infrastructure, and that without knowing the function of the controlled device or the configuration of any safety systems it is nearly impossible to assess the potential consequences of this particular access.
There is much to be learned from NCCIC’s recent reporting and despite some initial messaging flaws, they should be applauded for growing awareness of this threat and how it can be defeated. After all, many of the TTPs observed in this campaign are hardly unique to Russia and as defenders, we should all understand how attackers think and operate.