The announcement from the Department of Homeland Security (DHS) at the end of July that Russians had again attacked US electric grids raised a new round of alarms. It’s not the first time Russia has been caught breaking into US utilities. Now it looks like they’ve gone deep enough to be able to cause disruptions if they so choose.
DHS's National Cybersecurity and Communications Integration Center (NCCIC)
Judging by the level of detail provided in their last unclassified briefing, the DHS found this latest attack, along with prior attacks, extremely concerning. They described how the Russian attackers began by targeting key vendors working with industrial control facilities. Though they didn’t specify who is included in this list of victims, the victims’ list reaches into the hundreds and goes beyond the realm of just the electrical grids. Some may be outside utilities such as substations, vendors or partners.
The hackers used stolen confidential information about the utilities to learn how the industrial control systems worked. The DHS confirmed they had enough access to throw switches and disrupt service. In other words, a shut down would be a very real possibility.
In an effort to educate utility providers, the DHS’s National Cybersecurity and Communications Integration Center (NCCIC) has offered a series of webinars. They will continue to provide information and briefings in the interest of keeping these facilities informed on Russian activity against critical infrastructure.
ICS – Rife with Intrinsic Vulnerabilities
Relying on older systems, ICS infrastructures are rife with vulnerabilities. One important misconception is that the air-gapped nature of critical infrastructure provides isolated protection from the outside world. While perhaps true many years ago, this is no longer the case and any sense of security here is a false one. Even though these systems may be segmented, remote access systems are in place by which proper administrators log in to control the systems from afar. And if legitimate users can gain access this way, so too can illegitimate users.
Attackers not only can, but clearly are finding ways in, using a number of stealthy methods to gain access. Often they get initial entry through the trickery of spear phishing efforts where hackers get login credentials by deceiving true users. Or, as noted here, they get in through vendors whose systems are often even less secure. Other means can even include stray infected flash drives, such as used by the Stuxnet masterminds.
Whichever way they first get in, from there, they work their way deeper to eventually compromising critical systems. It only takes one successful break in through the easiest or weakest link to ultimately get through the layers of the security system.
So-Called “Air-Gapping” Is No Protection
Ray DeMeo, COO and co-founder of Virsec, explained to Search Security that "Relying on air-gapping for security is a dangerous anachronism. Air gaps are easily being bridged by social engineering, password theft, or, in the case of Stuxnet, a few rogue USBs left in Tehran coffee houses. With the increasing convergence of IT and OT systems, the control systems that manage critical infrastructure are increasingly networked and connected. Plus, conventional security tools that rely on signatures must be connected in order to get the latest updates. Almost all of the recent attacks, successful attacks on power plants and other critical infrastructure have bypassed air gaps."
Ray also shared with Brilliance Security Magazine: “The threat of disruption to our critical infrastructure is very real, as recent attacks in the Middle East and Ukraine have shown. The outcomes may depend on the motivations of the hackers, but recent attacks have included ransoming critical data, service disruptions, or serious damage to control systems and physical equipment. The government is raising awareness, but responses need to be more aggressive and coordinated. The needs to shift from chasing endless elusive external threats, to directly protecting systems from attack in real-time.”
He also added, “Defense strategies need to pivot away from a sole focus on conventional perimeter defenses – the latest attacks have easily bypassed the perimeter. It’s crucial to detect and stop attacks in progress. Vendors need to do more to bridge a wide gap in technology and understanding between IT and OT (operational technology). We are far too dependent on air-gapping as our primary defense, despite the fact that systems are increasingly connected.”
Challenges with Two-Factor Authentication
The Wall Street Journal, the first to report on the story, also noted concerns that the DHS could be investigating whether the Russian hackers as part of their tactics had found ways to overcome multifactor authentication. Some methods of two-factor authentication are more susceptible to hacking, while some provider greater protection, such as biometrics (fingerprints, etc.). Results of that investigation are pending.
Read full articles:
