Over the past few days, we’ve seen a story about Russian agents hacking the U.S. power grid spread like wildfire across the internet -- only to be debunked as a wild overstatement of the facts at hand.
Yes, a single laptop belonging to Vermont utility Burlington Electric was found to have visited an IP address cited by the Department of Homeland Security and the FBI as being associated with a Russian hacking operation, dubbed Grizzly Steppe, that also hacked the U.S. government during the election.
But there’s no evidence that this amounted to anything other than a utility employee checking his or her Yahoo email account, as the Washington Post reported Monday in what amounts to an extensive retraction of its Friday story that started the firestorm.
At the same time, cybersecurity experts see the potential to learn from the whole affair. After all, the very real shutdowns of Ukrainian grid substations in December 2015 -- the first-ever confirmed cyberattack against grid infrastructure -- got started through similarly innocuous intrusions into utility IT systems.
That’s the conclusion of a report from the SANS Institute, a cybersecurity training organization that traced the Ukrainian outage to a sophisticated campaign. The attackers gained entry to utility computers and obtained user credentials and passwords, as well as other key data. They then used that information to infiltrate the industrial control systems (ICS) and automated grid devices such as breakers, serial-to-ethernet data converters and uninterruptible power systems.
There’s no evidence whatsoever that anything like this has happened in Vermont, or elsewhere in reported instances of cyber-intrusions into U.S. grid systems. But that doesn’t mean that these possibilities should be dismissed out of hand, Mihir Kapadia, vice president of engineering for cybersecurity firm N-Dimension, said in a Tuesday interview.
Most of the threat indicators coming from the FBI-DHS Joint Analysis Report (JAR) were “what we would deem weak indicators,” Kapadia said. “When we get information like this, the first step is to analyze and vet it, and start to classify it. There are some weak indicators of compromise -- which by no means people should ignore. But it’s all a starting point for a deeper investigation.”
In the case of the Burlington Electric laptop’s visit to a JAR-flagged IP address, “There are a lot of legitimate reasons why you would have traffic between one of your machines and Yahoo,” he said. At the same time, hackers often use servers to launch phishing attacks -- posing as a real company to engage computer users in email exchanges or website visits that deliver malware to their computers -- and then move on to different servers after some time. “If we have recorded timestamps of these events, we can start to piece it together,” said Kapadia. “Was this done under suspicious circumstances, or does it represent legitimate traffic?”
Other, stronger threat indicators from the DHS-FBI report include injection flaw techniques that attempt to send commands to a browser or database, or cross-site scripting vulnerabilities that allow attackers to insert and execute unauthorized code in web applications. “Based on our analysis, we’d say that’s not a strong indicator -- it’s probably a medium indicator of compromise, since it’s more specific,” Kapadia said.
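To make the vetting step Kapadia describes concrete, here is an added example (not code from the article, N-Dimension or the JAR) that runs constructed proxy-log lines against an indicator list tagged weak or medium, groups the hits per internal host with first and last timestamps, and flags activity outside an assumed office-hours window. The addresses (RFC 5737 test ranges), log lines, hour window and request patterns are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed indicator feed (RFC 5737 test addresses), tagged with the
# analyst's confidence and a note on known legitimate use of the address.
INDICATORS = {
    "198.51.100.7": ("weak", "shared hosting; also serves a public webmail service"),
    "203.0.113.44": ("weak", "no known legitimate use"),
}
# Request patterns for the injection / XSS probes the JAR lists as indicators.
MEDIUM_PATTERNS = {
    "sql-injection": re.compile(r"(?i)(union\s+select|'\s*or\s+1=1|;\s*drop\s+table)"),
    "xss": re.compile(r"(?i)(<script|javascript:|onerror\s*=)"),
}
# Constructed proxy log: timestamp, internal host, destination IP, request line.
LOG = """\
2016-12-29T09:14:02 laptop-17 198.51.100.7 GET /mail/inbox
2016-12-29T09:14:05 laptop-17 198.51.100.7 GET /mail/compose
2016-12-29T02:03:11 laptop-17 203.0.113.44 POST /update.bin
2016-12-29T02:03:12 laptop-17 203.0.113.44 POST /update.bin
2016-12-29T11:20:40 web-01 192.0.2.9 GET /login?user=admin' OR 1=1--
2016-12-29T11:21:03 web-01 192.0.2.9 GET /search?q=<script>alert(1)</script>
"""

def off_hours(ts):
    # Heuristic assumption: office traffic for this utility falls between 07:00 and 19:00.
    return not 7 <= ts.hour < 19

def triage(log_text):
    """Group indicator hits per internal host and return them with timing context."""
    hits = defaultdict(list)  # (host, indicator) -> [(timestamp, confidence, note)]
    for line in log_text.splitlines():
        ts, host, ip, request = line.split(" ", 3)
        ts = datetime.fromisoformat(ts)
        if ip in INDICATORS:
            conf, note = INDICATORS[ip]
            hits[(host, ip)].append((ts, conf, note))
        for name, pattern in MEDIUM_PATTERNS.items():
            if pattern.search(request):
                hits[(host, name)].append((ts, "medium", "request matched " + name + " pattern"))
    report = []
    for (host, indicator), events in sorted(hits.items()):
        times = sorted(t for t, _, _ in events)
        report.append({
            "host": host, "indicator": indicator, "confidence": events[0][1],
            "hits": len(times), "first": times[0].isoformat(), "last": times[-1].isoformat(),
            "all_off_hours": all(off_hours(t) for t in times), "note": events[0][2],
        })
    return report
```

Each report entry is the starting point Kapadia describes: a weak IP hit on a shared webmail address during office hours reads very differently from repeated off-hours POSTs to an address with no known legitimate use.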
All of these threat indicators pertain to a “Stage 1” cyberattack on a utility -- the part targeting its business IT equipment and networks. Moving on to “Stage 2” requires the leap from IT systems into the operational technology (OT) networks, such as the SCADA networks that run power grids.
Companies typically rely on the separation between corporate IT networks and OT systems to bar entry from one to the other. But “we’re too comfortable relying on that separation,” Edgard Capdevielle, CEO of industrial control system cybersecurity startup Nozomi Networks, said in a Tuesday interview. With the increasing level of automation and interconnection between IT and OT, “that is a permeable wall; it is not a brick wall,” he said.
Specifically, hackers with access to IT networks can gather credentials and passwords that allow them to access the virtual private networks that connect business networks to OT systems, breach the firewalls between the two, and gain control of devices like remote terminal units and programmable logic controllers that operate automated industrial or grid equipment.
Protecting these OT systems is complicated by the fact that they tend to run on software that’s years out of date, Capdevielle added. “The technology adoption and innovation in the OT side of the fence is lagging,” he said. “These sets of folks are just moving off Windows XP. Windows 7 is just happening right now -- which for IT, happened seven to 10 years ago. So that means they have very little visibility, very little control, very little asset management on the PLC side of the house. The ability to troubleshoot things is not the best.”
Making use of access to OT systems requires a high level of understanding of the industrial or grid systems they command, in order to achieve the effects attackers are after. That’s a more complicated matter than hacking IT systems to steal data or run denial-of-service attacks. “In many cases, there is significantly more value, depending on the attacker’s current goals, in performing espionage than in perpetrating an actual attack that would include the destruction or manipulation of systems,” according to a SANS Institute report on the subject, Industrial Control System Kill-Chain.
Even so, it’s important to identify Stage 1 threats that are leading up to a full Stage 2 “cyber-physical attack,” since “sustained access provides the opportunity for attackers to initiate follow-on actions later if they align with national security or military goals and/or criminal objectives,” the report noted.
In this context, the fact that the Burlington Electric laptop in question wasn’t connected to the utility’s OT network isn’t very reassuring, said Michael Assante, the ICS/SCADA lead at the SANS Institute, who co-authored the reports on the Ukrainian grid cyberattack and the ICS Kill-Chain.
“The whole goal is to get a host, and then start harvesting credentials,” he said. “If that laptop was really associated with [Russian intelligence services] activity, and there’s malware on it, and it was discovered five weeks later, that’s ample time for the bad guy to achieve significant persistence and control. They’re far past that laptop.”
To be clear, Assante isn’t suggesting that’s what happened in the case of Burlington Electric. But he did note that the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has documented attempts by Russia to access U.S. energy infrastructure over the last five years, using malware such as Black Energy 2 and Havex, that were only discovered months to years after their introduction.
“Havex and Black Energy 2 were both campaigns discovered in the 2013-2014 timeframe,” he said. “They were pretty broad-reaching access campaigns, in Europe and the United States, getting into infrastructure through various techniques,” including some complicated efforts such as “Trojan-izing” industrial control system vendor software update files to gain access and compromise systems.
“People are spending money to do this. And when we learned about them, peeled the onion layers back, they had been going for some time -- we caught them later in the game,” said Assante. “So I am concerned we have had compromises to the infrastructure.”