Cybercrimes are perpetrated 365 days a year yet sometimes seasonal patterns emerge, writes Chris Day, chief cyber security officer at Cyxtera, a cyber security product company.
Since 2014, the holidays have been a harbinger for attacks on critical infrastructure. These incidents have gone largely unnoticed outside the cyber security world; and that needs to change. Many people are aware of famous holiday hacks, like the Target breach of 2013. Far fewer know that adversaries are routinely trying to infiltrate the systems that run critical infrastructure, like electrical grids, gas pipelines, and industrial plants. These menacing attacks can disrupt our way of life – and put lives in danger.
A Primer
Modern critical infrastructure involves automated processes that are handled by Industrial Controls Systems (ICS). In layman’s terms, ICS are the digital brains behind the operation of physical equipment associated with critical infrastructure. ICS uses the ‘industrial’ Internet, which is typically segmented from the ‘everyday’ internet. However, technology innovations are blurring the lines. ICS may communicate with networked hardware and software for a variety of reasons; to improve service, collect analytics, process changes and more. So as the integration between these networks increase, the risk to critical infrastructure rises.
A 2016 report by Booz Allen revealed that 34 percent of respondents operating ICS around the world indicated they were breached more than twice during 2015; 44 percent of those were unable to identify the source of the attack. The problem is expected to grow as technology becomes more interconnected.
December 2014, Germany
On December 22, 2014, a report surfaced that adversaries breached a German steel mill and destroyed a blast furnace. Fortunately, no one was injured. The hackers used a spear-phishing attack to gain access to the corporate network. From there, they moved laterally, uncovering vulnerabilities that led to the heart of the steel mill’s operations. According to Germany’s Federal Office for Information Security, the attackers were sophisticated and understood the relationships between different networks and systems.
Proper network segmentation could have stopped this attack. But maybe not. As previously mentioned, the inter-connectivity of networks is becoming more common. We should assume that threat actors will exploit this weakness. We must seek to eliminate over-privileged network access, which grants users entirely too much freedom. Instead, we must carefully control levels of application access so people ‘see’ only the resources they are authorized to use.
December 2015, Ukraine
It was two days before Christmas 2015. Without raising a single alarm, Russian cyber-attackers took remote control of circuit breakers controlling a section of the Ukrainian power grid. In an instant, nearly 250,000 people were without power for six hours. Hackers got into the ICS of the electrical company via a phishing email and executed malware known as BlackEnergy.
This was the first confirmed case of cyber-attackers taking down a power grid. In the investigation that followed, security experts unearthed a well-orchestrated attack that was planned for many months. The United States’ Industrial Controls System Cyber Emergency Response Team (ICS-CERT) described the event:
The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks. According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities. During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access.
The last two sentences should raise the hackles of security professionals everywhere. Threat actors used legitimate credentials to establish a VPN connection; from there, they got access to the ICS – and took down the power.
Virtual private networks have been around for decades. Once thought to be effective mousetraps, that’s no longer the case. VPNs hand out network privileges like Halloween candy. They operate on a “connect first, authenticate second” basis. Once a legitimate or illegitimate user is unauthenticated by the VPN, it’s too late to ‘walk back’ access to network resources.
December 2016, Ukraine (again)
Another holiday season underway. Once again, Russian cyber-attackers hack into the Ukrainian power grid. They cut a main artery and plunge parts of the country into darkness for about an hour. The attack was much more sophisticated than the 2015 Blackout. Adversaries used a variety of techniques including a specialized malware, known as “Crash Override “or “Industroyer,” that sent nefarious, automatic commands to the grid’s ICS. Security pros now believe the malware is smart enough to adapt to a variety of industrial specifications; making it frighteningly easy to repurpose in other geographies.
Clearly, these well-organized adversaries could have created more chaos than they did. We are left to wonder what they are holding back and why.
One thing is certain. Advanced persistent threats (APT) like those involved in critical infrastructure attacks, are patient, skilled and disciplined. Countries like Russia and China have made an industry of it. Attackers treat their ‘work’ like a nine-to-five job and release malicious code on an industrial scale. It’s impossible for signature-based tools, like Firewalls, NAC or VLANs, to keep up. Each fall short of meeting security and management requirements in dynamic IT environments. To change the narrative, we must change how we view network security. Failing tools won’t produce different results.
Software Defined Perimeter
The concept of a software defined perimeter (SDP) was initiated by the Department of Defense. The premise is that network access should be proportional to the security context the user presents at the time they’re trying to connect. Resources are only revealed on a need-to-know basis.
SDP can dynamically create a segment of one between the user and the network resources they are entitled to access. The more benign the context they present, such as physical presence on a company network, one-time password, or certificates, the more network resources they can access. Ultimately, each user’s access entitlements are dynamically altered based on identity, device, network, and application sensitivity. These are driven by easily configured policies. By aligning network access with application access, users remain fully productive, while the attack surface area is dramatically reduced.
December looms in front us. In an era of global interconnectivity coupled with ever-evolving political dynamics, the threat of a successful critical infrastructure attack is a real and present danger. Boundaries have already been tested. As an industry, we must respond with smarter ways to secure our networks.
