News broke that hackers working for Russia claimed “hundreds of victims” last year in a giant and long-running campaign that put them inside the control rooms of U.S. electric utilities where they could have caused blackouts, federal officials said. They said the campaign likely is continuing. IT security experts commented below.
Tim Helming, Director of Product Management at DomainTools:
It is not farfetched to foresee adversaries causing a major disruption at some point since the frequency of breaches is on the rise. But, again, while the attackers seem to have gained a worrisome level of access, it is not clear that they have the ‘keys to the kingdom’. If a utility attack attack were to succeed, the level of damage could be high because the electric grid is susceptible to cascading faults, where a localized disruption can rapidly spread. Adversaries could theoretically do a lot of damage. In other regions of the world, we have already seen attacks on hospitals, the electric grid, public transit, entire cities, and more. Recognizing the gravity of the threat is not meant as a scare tactic–cybersecurity practitioners are already aware of all of the risk, and work very hard to minimize the attack surfaces of all critical infrastructure.”
Sean Newman, Director Product Management at Corero Network Security:
“This is a stark reminder that organisations of all types and sizes should assess all aspects of their IT security, including those of their contractors and supply chain, and this doesn’t just pertain to hacking attempts but, also includes their resilience to DDoS attacks, which could impact the ability to provide their regular services, and the knock-on impact that creates.
“As more ICS infrastructures, such as those used by utility companies, are connected to their broader networking infrastructure, then the risk will continue to grow.”
Ray DeMeo, Co-Founder and COO at Virsec:
“The government is raising awareness, but responses need to be more aggressive and coordinated. The needs to shift from chasing endless elusive external threats, to directly protecting systems from attack in real-time.”
“Defense strategies need to pivot away from sole focus on conventional perimeter defenses – the latest attacks have easily bypassed the perimeter. It’s crucial to detect and stop attacks in progress. Vendors need to do more to bridge a wide gap in technology and understanding between IT and OT (operational technology). We are far too dependent on air-gapping as our primary defense, despite the fact that systems are increasingly connected.”
Michael Magrath, Director, Global Regulations & Standards at OneSpan:
As certain as the sun will rise tomorrow, hackers will continue to compromise systems requiring username and password-only authentication. Weak authentication is akin to having a multi-million dollar physical security system and leaving the front gate unlocked.
Unlike other countries, in the U.S. the private sector owns and operates a vast majority of the nation’s critical infrastructure. NIST’s Framework for Improving Critical Infrastructure Cybersecurity (CSF) is voluntary consisting of standards, guidelines, and best practices to manage cybersecurity-related risk. Included in version 1.1 is the recommendation for a risk-based approach to identity proofing and authentication. With lives at risk coupled with the repeated successful attacks it is negligent if a facility relies on easily compromised passwords to gain entry.
As noted in the WSJ article, DHS is trying to determine whether “the Russians have figured out ways to defeat security enhancements like multifactor authentication.” To be clear, multifactor authentication is not “one size fits all” there are numerous approaches and technologies available with varying degrees of security and usability. For example, one time passwords transmitted via SMS are very convenient and widely deployed, however this multifactor authentication approach has been proven to be unsecure with OTPs being intercepted. Other solutions such as fingerprint biometrics, adaptive authentication, and utilizing public key cryptography techniques are far more secure and have gained widespread adoption. It remains to be seen what DHS learns.
Given the potential catastrophic harm that could be carried out by a hacker on a power plant or water supply, critical infrastructure facilities should patch all software, encrypt all data and deploy the latest identity management and authentication technologies.
David Vergara, Head, Security Product Marketing at OneSpan:
Andrea Carcano, Founder and Chief Product Officer at Nozomi Networks:
However, blackouts did not occur, which makes us question if the attackers intentionally only went so far. Attacks on the grid will be difficult to control and will undoubtedly lead to lots of collateral damage. This, combined with the risk of retaliation, may be keeping attackers at bay. It is reminiscent of the mutually assured destruction model of the Cold War when restraint was used on all sides. We are likely in the midst of a Cyber Cold War with all sides holding back from enacting the destruction they are truly capable of.”
Pravin Kothari, CEO at CipherCloud:
The big questions remain open. We still don’t know how many of these utilities, if any, were nuclear powered but the implications obvious. If they had the ability to “throw switches” per an official at DHS, exactly how could they disrupt the operation of nuclear power plants and what risks did this present? How long were they inside the networks of any nuclear-powered plants?
Most utility plants and certainly nuclear-powered utilities are protected by “air gaps.” This implies that there is no network connectivity allowed to the “air-gapped” network. Of course, persistent state-sponsored attackers had the resources to carefully research and identify the key vendors that had trusted relationships with the targeted utilities. These key vendors likely had special network connections into the supposedly “air-gapped” networks. Once identified, the cyberattackers could target and compromise them directly, apparently yielding access to the utility infrastructure.”