No doubt you saw the flurry of news last week from the U.S. Department of Homeland Security (DHS) about Russian hackers accessing isolated, secure, air-gapped networks at power generation utilities. DHS noted that the hackers gained access by first breaking into the networks of the utilities’ trusted vendors. The hackers were able to do this by using tools like spear-phishing emails and watering holes to get victims to enter their passwords on spoofed websites.
Needless to say, this recent news sounded much like the U.S. Computer Emergency Readiness Team (CERT) alert released last March about Russian hackers gaining access to industrial control systems (ICSs) at both manufacturing and utilities sites.
Considering the similarities between this most recent news from DHS and what we heard in March, I reached out to several people I interviewed for that story to find out if this news was evidence that the attacks reported on earlier this year were continuing or if this represented something new and different.
Michael Rothschild, director of marketing with ICS cybersecurity technology supplier Indegy, said they have not seen any specific information in terms of the methodology to determine if this most recent news is substantially different than that highlighted by the CERT alert in March. “I think we’ll hear more about the methodologies used as investigations continue,” Rothschild added.
However, he did point out that some news reports were indicating that the Russian hackers had gotten access to the utilities’ networks to the point of being able to “throw the switch” and turn power off to some portion of the electrical grid. “That is something we have not seen to date,” he said.
The DHS offered some clarification on this point in a statement to FCW magazine, wherein it reported, "While hundreds of energy and non-energy companies were targeted, the incident where they gained access to the industrial control system was a very small generation asset that would not have had any impact on the larger grid if taken offline.”
DHS said the main achievement of these most recently announced attacks was in gathering information from the utilities to learn how their networks and associated equipment are configured. As noted in a report from The Wall Street Journal, Jonathan Homer, chief of ICS analysis for DHS, said the hackers were doing this “to learn how to take the normal and make it abnormal.”
Eddie Habibi, founder and CEO of PAS, a supplier of process safety, cybersecurity and asset reliability software, said that though this “latest report from DHS is part of the same Dragonfly story we commented on last fall and then again in March 2018, it is a confirmation that U.S. electric utilities were, in fact, compromised. This time DHS provides more detail and highlights, for example, that even air-gapped systems were compromised.”
This most recent DHS news highlights “something we have been preaching for a while regarding the risks that third-party vendors introduce to intended targets,” said Dave Weinstein, vice president of threat research at Claroty, an ICS cybersecurity technology supplier. “The Russians were very selective about which vendors they pursued during the staging phases, and the victimized vendors all have very established and trusted relationships with the intended targets.”
If you’re wondering about who these targeted vendors are, you will have to contact DHS directly with your concerns as an industrial technology user, as the DHS anonymizes this information in their public reports.
Looking more closely at how the hackers used the utilities’ trusted vendors’ networks to gain access to the utilities themselves, Lior Frenkel, CEO and co-founder of Waterfall Security Solutions, a supplier of unidirectional hardware and software for ICS cybersecurity, said that the hackers used remote access credentials stored on the vendor networks. In a blog post on this topic, Frankel noted how these attacks breached even air-gapped networks. “But if we look at the attacks, it was not the Russians who breached the air gaps, it was the utilities themselves. The air gaps were breached by the utilities who installed the firewalls to enable remote access for their vendors,” he wrote. “When we give remote access credentials to one of our people, or to a vendor, we imagine that we are giving that individual permission to log into our systems. What we really do is configure our systems so that anybody with the credentials can log in. The attackers first logged into the vendor networks, and then used the electric utility credentials to connect from the vendors to the utility networks. This way the utility’s sophisticated intrusion detection systems were silenced. To the utility, these connections seemed completely normal, as legitimate vendors log in all the time from vendor networks using legitimate accounts and passwords.”
The important takeaway from this most recent DHS news is that this threat to utilities is equally applicable to discrete manufacturers and processors. Indegy’s Rothschild pointed out that “power utilities are not unique in their technology. Whether it is a power plant, refinery, manufacturing facility or wastewater treatment plant, they all rely on the same type of supervisory control and data acquisition (SCADA) system or distributed control systems (DCS). Once one goes down, it’s too late. Now is the time to prepare for this increasingly serious threat. Doing so will literally keep the lights on and [keep you] safe from those that can do more damage with a keyboard than with a missile.”