News broke that hackers working for Russia claimed “hundreds of victims” last year in a giant and long-running campaign that put them inside the control rooms of U.S. electric utilities where they could have caused blackouts, federal officials said. They said the campaign likely is continuing. IT security experts commented below.
Tim Helming, Director of Product Management at DomainTools:
“The goals of nation-state actors are various, but in the case of Russian cyber actions against the United States, it is known that among their chief aims is to destabilize American institutions and to sow uncertainty and fear. With the recent reports of Russian adversaries gaining access to electric utilities in the United States last spring, we could be seeing the leading edge of what most security practitioners have predicted for years–that the next attack on our nation will be one of cyber, rather than kinetic, warfare. However, it is important to note some subtleties in the reporting–it is far from certain that these attacks have resulted in the actual ability to achieve a destructive attack. (There may be hundreds of *victims* but it’s not clear that they breached hundreds of control centers; also, the screenshots that the attackers showed do not necessarily prove that they are able to seize actual control.)
It is not farfetched to foresee adversaries causing a major disruption at some point since the frequency of breaches is on the rise. But, again, while the attackers seem to have gained a worrisome level of access, it is not clear that they have the ‘keys to the kingdom’. If a utility attack attack were to succeed, the level of damage could be high because the electric grid is susceptible to cascading faults, where a localized disruption can rapidly spread. Adversaries could theoretically do a lot of damage. In other regions of the world, we have already seen attacks on hospitals, the electric grid, public transit, entire cities, and more. Recognizing the gravity of the threat is not meant as a scare tactic–cybersecurity practitioners are already aware of all of the risk, and work very hard to minimize the attack surfaces of all critical infrastructure.”
Sean Newman, Director Product Management at Corero Network Security:
“As the old adage goes, you’re only as strong as your weakest link. And, reports from the US Dept of Homeland Security now suggest this is exactly the situation US utility companies are facing, with respect to alleged nation-state infiltration. In fact, any organisation which relies on contractors, for specific services they cannot deliver internally, can find themselves in a similarly compromised situation, however strong their own security practices are. Unfortunately, this is not the preserve of organisations delivering critical national infrastructure, as those at US retailer Target can testify, after their massive data breach, back in 2013, which resulted from the attackers compromising their systems via their HVAC contractor.
“This is a stark reminder that organisations of all types and sizes should assess all aspects of their IT security, including those of their contractors and supply chain, and this doesn’t just pertain to hacking attempts but, also includes their resilience to DDoS attacks, which could impact the ability to provide their regular services, and the knock-on impact that creates.
“As more ICS infrastructures, such as those used by utility companies, are connected to their broader networking infrastructure, then the risk will continue to grow.”
Ray DeMeo, Co-Founder and COO at Virsec:
“The threat of disruption to our critical infrastructure is very real, as recent attacks in the Middle East and Ukraine have shown. The outcomes may depend on the motivations of the hackers, but recent attacks have included ransoming critical data, service disruptions, or serious damage to control systems and physical equipment.
“The government is raising awareness, but responses need to be more aggressive and coordinated. The needs to shift from chasing endless elusive external threats, to directly protecting systems from attack in real-time.”
“Defense strategies need to pivot away from sole focus on conventional perimeter defenses – the latest attacks have easily bypassed the perimeter. It’s crucial to detect and stop attacks in progress. Vendors need to do more to bridge a wide gap in technology and understanding between IT and OT (operational technology). We are far too dependent on air-gapping as our primary defense, despite the fact that systems are increasingly connected.”
Michael Magrath, Director, Global Regulations & Standards at OneSpan:
“Hackers, including state sponsored Russian hackers, exploit the weakest link in the security chain – the people. This was noted in great detail in the Mueller Investigation’s indictments against 12 Russian nationals on July 13 where they spearfished unsuspecting users to steal passwords to gain access to the Clinton Campaign and DNC systems. Do we really expect Russian hackers to exclude critical infrastructure?
As certain as the sun will rise tomorrow, hackers will continue to compromise systems requiring username and password-only authentication. Weak authentication is akin to having a multi-million dollar physical security system and leaving the front gate unlocked.
Unlike other countries, in the U.S. the private sector owns and operates a vast majority of the nation’s critical infrastructure. NIST’s Framework for Improving Critical Infrastructure Cybersecurity (CSF) is voluntary consisting of standards, guidelines, and best practices to manage cybersecurity-related risk. Included in version 1.1 is the recommendation for a risk-based approach to identity proofing and authentication. With lives at risk coupled with the repeated successful attacks it is negligent if a facility relies on easily compromised passwords to gain entry.
As noted in the WSJ article, DHS is trying to determine whether “the Russians have figured out ways to defeat security enhancements like multifactor authentication.” To be clear, multifactor authentication is not “one size fits all” there are numerous approaches and technologies available with varying degrees of security and usability. For example, one time passwords transmitted via SMS are very convenient and widely deployed, however this multifactor authentication approach has been proven to be unsecure with OTPs being intercepted. Other solutions such as fingerprint biometrics, adaptive authentication, and utilizing public key cryptography techniques are far more secure and have gained widespread adoption. It remains to be seen what DHS learns.
Given the potential catastrophic harm that could be carried out by a hacker on a power plant or water supply, critical infrastructure facilities should patch all software, encrypt all data and deploy the latest identity management and authentication technologies.
David Vergara, Head, Security Product Marketing at OneSpan:
“This is “big game hunting” for cybercriminals. The motivation may pivot between political and monetization, but the impact to the target is the same, terror through vulnerability and exposure. It’s not difficult to extrapolate the outcome when an entire power grid goes offline during peak hours and the attack follows the weakest link, unsophisticated utility vendors or third parties. I would draw a similar parallel to open banking/PSD2 in Europe where third parties are entrusted with vast amounts of bank customer data in order to provide various financial services and all this done via API connections to the large banks. So how are banks securing access and connections? The short answer is multi-factor authentication, risk analytics and mobile application security technology. And don’t think for a second that open banking is just a European thing, US banks are already pressured to satisfy consumer demands for more holistic financial services and visibility. This may happen through commercial partnerships over legislation, but the fact remains, it’s coming.”
Andrea Carcano, Founder and Chief Product Officer at Nozomi Networks:
“The U.S. government has been warning organizations about the vulnerability of critical infrastructure to attack from foreign adversaries. The unprecedented levels of information that is being made public in unclassified settings is a signal that these threats are growing quite rapidly. The successful attack on the Ukraine power grid has continued to serve as a reminder for the wide-spread consequences of this type of attack. In this most recent campaign, attackers used conventional tools to exploit weak third-party vendors in a way that could have led to blackouts – demonstrating that even unsophisticated methods can be successful.
However, blackouts did not occur, which makes us question if the attackers intentionally only went so far. Attacks on the grid will be difficult to control and will undoubtedly lead to lots of collateral damage. This, combined with the risk of retaliation, may be keeping attackers at bay. It is reminiscent of the mutually assured destruction model of the Cold War when restraint was used on all sides. We are likely in the midst of a Cyber Cold War with all sides holding back from enacting the destruction they are truly capable of.”
Pravin Kothari, CEO at CipherCloud:
“The cyberattackers were very successful in their efforts and penetrated completely through to the utility control rooms where they had the ability to disrupt power flows.
The big questions remain open. We still don’t know how many of these utilities, if any, were nuclear powered but the implications obvious. If they had the ability to “throw switches” per an official at DHS, exactly how could they disrupt the operation of nuclear power plants and what risks did this present? How long were they inside the networks of any nuclear-powered plants?
Most utility plants and certainly nuclear-powered utilities are protected by “air gaps.” This implies that there is no network connectivity allowed to the “air-gapped” network. Of course, persistent state-sponsored attackers had the resources to carefully research and identify the key vendors that had trusted relationships with the targeted utilities. These key vendors likely had special network connections into the supposedly “air-gapped” networks. Once identified, the cyberattackers could target and compromise them directly, apparently yielding access to the utility infrastructure.”