A new report on attacks on critical infrastructure from Trend Micro and the Organization of American States (OAS) shows a sharp increase in both frequency and sophistication. Some of the related stats from this report include:
- 53% of respondents have seen an increase in cyberattacks against critical infrastructure over the past year.
- 76% said cyberattacks were getting more sophisticated.
- Destructive hacking was way up, with 44% of respondents reporting attempts to delete or destroy data.
- 54% of respondents said attackers had tried to “manipulate equipment” through an industrial control system (ICS).
- 44% of survey respondents said attackers tried to destroy information.
- 40% said attackers had attempted to shut down computer networks altogether.
On Wednesday night, parties claiming to belong to the Islamic State (ISIS) blacked out broadcasts on 11 channels of French television station, TV5Monde, as well as breached and defaced the network’s social media accounts.
The massive hack-attack – which took the station off the air for hours and disrupted normal operations for nearly a day – was certainly not the first assault directed by Islamic extremists at media outlets, but the technological sophistication of this week’s broad takedown of a network does seem to represent a significant escalation of capabilities; if this action was truly carried out by ISIS, it is evidence that the group may have far more advanced cyberwar capabilities than was conventionally believed to be the case.
Just a few weeks ago, I spoke with Eugene Kaspersky, cybersecurity pioneer and CEO of the renowned cybersecurity firm, Kaspersky Lab, who told me that one of the greatest cyberthreats facing society today is cyberterrorism. According to Kaspersky, while terrorists historically did not invest in cyberattacks because their value versus cost-to-execute was uncertain, recent intelligence suggests that terrorists now view the success that criminals have achieved with their cyberattacks as indicators that the time to invest in cyberattacks has arrived.
ISIS’s taking out of a television network for under a day may not have caused any deaths – but it clearly has significant propaganda value and represents a major victory for the terrorist organization. Thankfully, the group achieved only a disruption – not the ability to broadcast its own propaganda and gruesome videos to millions of unsuspecting viewers. But media outlets should beware – the present attack is likely the tip of the iceberg, and numerous attacks are probably being planned and executed as I write this article.
Human mistakes, and a lack of proper cybersecurity, seem to have been at least partial enablers of the breach. There is evidence that people working at TV5Monde were using weak passwords to secure access to sensitive systems, and, after the breach occurred, the station even allowed one of its reporters to be interviewed on television with images of passwords written on notes attached to a wall clearly visible in the background. It hardly instills confidence when a media outlet announces to the world that its passwords are literally posted on walls, and that the password for its YouTube account is “lemotdepassedeyoutube” – the French equivalent of “thepasswordofyoutube.” On top of these issues, it also appears that the channel’s business operations networks and broadcasting systems were not adequately separated from one another, dramatically increasing the potential for hackers to black out broadcasts. While these mistakes may or may not have been factors in enabling the breach, they are tell-tale signs of inadequate cybersecurity; it’s hard to believe that an entity with such glaring and obvious problems was getting the more complex nuances of cybersecurity right.
Based on the clear information-security problems at TV5Monde, I’m not sure how much sophistication was really needed on the part of ISIS in order to carry out this attack; carelessness on the part of the victim may have played a large role. But, regardless of the expertise needed to achieve the blackout this week, there is little doubt that ISIS’s success will lead to both it – and other terrorist groups – spending resources pursuing cyber attacks in the future. From a propaganda perspective, ISIS is a heavy utilizer of videos; hacking a major network and airing its own videos would be to it the cyber equivalent of hitting the jackpot.
Business owners must take note; cyberterrorism should not be a concern for only large enterprises and utilities considered to be critical infrastructure. There are sufficient computer systems and data in the hands of smaller businesses for terrorists to wreak havoc and execute economy-crippling attacks without ever having to target a large organization. (For obvious reasons I will not describe any such potential attacks.) If you utilize the services of a lawyer and an accountant because you realize the value of professional expertise in these areas, and understand that you cannot possibly be an expert in these areas and run your business at the same time, you should be taking the same approach vis-à-vis cybersecurity as well. Had TV5Monde had a proper information-security audit, many of the glaring mistakes would likely have been caught before it was too late. When it comes to cybersecurity, an ounce of prevention can be worth many tons of cure.
Today, President Obama declared a national emergency and signed an executive order empowering the government to impose sanctions against anyone viewed as a cyberthreat to the United States.
This is a rather historic day for our industry, where the importance of information security has evolved from the IT department, to the boardroom, into politics and now, center stage as a critical component to our economy and way of life.
The primary objective of the order is to place sanctions on criminal hackers targeting American infrastructure and businesses from outside the US. The order gives authority to freeze assets and more power to block potential threats from the US. The order not only covers the harming of US infrastructure but also covers the stealing of intellectual property from American companies, as well as committing fraud against citizens, all of which hurt the US economy.
With the plague of retail breaches that continue to hit US-based retailers, it’s critical we look at these instances not just as individual breaches, but as a wholesale attack against our financial system. Many of those involved in these activities are overseas and are able to operate with impunity within the borders of countries that shield them from US prosecution. Oftentimes, many of these actors also work within these governments.
We have seen robocallers from outside the US defraud people by claiming to be from the IRS, successfully scaring people, particularly senior citizens, into giving them credit card numbers over VOIP networks. The perpetrators of these acts have been able to get away with it due to available technologies that make it easy to evade detection.
I believe it is the goal of the Obama administration with this order to give the US government more power to go after criminal syndicates and fraudsters overseas.
The challenge, however, will still be attribution—you may be able to identify from what country an attack is routed through, but identifying who is behind the keyboard or phone is a different story altogether.
One of the reasons cyber attacks and technology-enabled fraud have been so prevalent is the ease of evading detection and the relative anonymity that a number of available tools provide.
It will be interesting to see how the Obama administration looks to enforce this act, and what resources will be applied to implement it.
Devices and interconnected systems are finding a foothold not only in our homes but in mainstream organizations. Here are three tips to mitigate the risk.
It’s a Monday morning and time to go into the office and kick off the week. But before leaving the house, I need to write an executive summary for a client report that’s due by 8:00 a.m. I pull out my Livescribe 3 pen to write, which automatically synchs to my iPhone 6, plus allows me to email the summary to my CEO. Once the email is launched, I open the OnStar application on my iPhone and start my vehicle remotely so that it’s nice and toasty once I’ve braved a 10-degree jaunt to the car.
Inside the car, I pop my Jawbone ERA Bluetooth headset into my ear for a hands-free option while I take calls on my drive into the office. My CEO calls as I back out of the garage asking for a meeting to discuss my email. After hanging up, I ask Siri to set up the meeting. When I get to the office, I use Apple Pay on my iPhone to pay for parking. I get to my desk, open my MacBook Pro with the Knock iPhone application without typing in a password.
How many different, interconnected mobile devices are mentioned in that short anecdote? Devices and interconnected systems are finding a foothold not only in our homes but in mainstream organizations. Apple TV, LiveScribe 3, and others are being used and connected to other devices or systems that connect directly to our locked-down corporate infrastructures. Unfortunately, meeting the issues posed by complex networks overwhelms people. As such, scant attention is being paid to the security of the devices we are using in business. Given that these devices are inherently insecure, we have a problem, Houston!
Getting started
Recently, a financial organization asked me to test Apple’s AirPlay service: the sales team wanted to stream their presentations from their corporate-managed iPads. This organization did the right thing by first assessing the risk instead of rushing out to implement something new and shiny.
The goal of the project was to quickly connect to any Wi-Fi access point from the AppleTV and iPad, and then show the content on a customer’s or potential customer’s overhead projectors. Think about all of the implications: a managed device, with sensitive data, streaming to an unmanaged device, on an untrusted network. This scenario presents so many unknowns, even before the security posture of Apple TV and AirPlay is assessed. Plus, there is no way to specifically disable AirPlay. The only way to disallow AirPlay is to block the iPad from connecting to ad-hoc access points completely, which would defeat the iPad’s purpose entirely.
This scenario is rapidly becoming commonplace as unknown devices slowly infiltrate our personal and business lives through known and unknown mechanisms. As security professionals, it’s our job to develop policies and procedures that vet and lock down any IoT device that is used inside our organizations. But where to begin? Here are my three recommendations:
1. Pick three to five IoT devices that may help your organization provide better service to your customers, employees, and business partners (i.e., AppleTV, LiveScribe 3, etc.).
2. Perform a security verification of the devices. This undertaking should include testing relevant security control areas such as: Sensitive Data Protection (at rest, in use, and in transit), Authentication (both user and device), Authorization, Accountability, and Cryptography. If you have the know-how to do this internally, GREAT. If not, look to third-party consulting organizations that have expertise in assessing the security of IoT and Mobile devices.
3. Design specific policies and procedures around when and how the IoT devices should and can be used. When appropriate, work with the device vendors to provide more secure, business-hardened firmware, software, or hardware for future implementations of their device.
Just like with mobility, IoT technology is creating a new class of bring-your-own devices within the corporate infrastructure. The IoT movement will only increase -- and at a staggering pace that may surpass that of mobile. As a business, we should acknowledge and embrace IoT device usage but also understand and mitigate risk where we can.
By David (Dave) Lindner, Global Practice Manager, Mobile Application Security Services, for Aspect Security
The Sony hack may have gotten a movie pulled from theaters, but it’s not the cyber war you’re looking for.
On Friday, December 19th, the FBI officially named North Korea as the party responsible for a cyber attack and email theft against Sony Pictures. The Sony hack saw many studio executives’ sensitive and embarrassing emails leaked online. The hackers threatened to attack theaters on the opening day of the offending film, “The Interview,” and Sony pulled the plug on the movie, effectively censoring a major Hollywood studio. (Sony partially reversed course shortly after, allowing the movie to show in 331 independent theaters on Christmas Day and to stream online.)
Patrick Tucker is technology editor for Defense One. He’s also the author of The Naked Future: What Happens in a World That Anticipates Your Every Move? (Current, 2014). Previously, Tucker was deputy editor for The Futurist, where he served for nine years.
Technology journalists were quick to point out that, even though the cyber attack could be attributable to a nation state actor, it wasn’t particularly sophisticated. Ars Technica’s Sean Gallagher likened it to a “software pipe bomb.” The fallout, of course, was limited. And while President Barack Obama vowed to respond to the attack, he also said it was a mistake for Sony to back down.
“I think all of us have to anticipate occasionally there are going to be breaches like this. They’re going to be costly. They’re going to be serious. We take them with the utmost seriousness. But we can’t start changing our patterns of behavior any more than we stop going to a football game because there might be the possibility of a terrorist attack; any more than Boston didn’t run its marathon this year because of the possibility that somebody might try to cause harm. So, let’s not get into that — that way of doing business,” he said at a White House briefing on Friday.
But according to cyber-security professionals, the Sony hack may be a prelude to a cyber attack on United States infrastructure that could occur in 2015, as a result of a very different, self-inflicted document dump from the Department of Homeland Security in July.
2015: The Year of Aurora?
Here’s the background: On July 3, DHS, which plays a “key role” in responding to cyber-attacks on the nation, replied to a Freedom of Information Act (FOIA) request on a malware attack on Google called “Operation Aurora.”
Unfortunately, as Threatpost writer Dennis Fisher reports, DHS officials made a grave error in their response. DHS released more than 800 pages of documents related not to Operation Aurora but rather to the Aurora Project, a 2007 research effort led by Idaho National Laboratory demonstrating how easy it was to hack elements in power and water systems.
Oops.
The Aurora Project exposed a vulnerability common to many electrical generators, water pumps and other pieces of infrastructure, wherein an attacker remotely opens and closes key circuit breakers, throwing the machine’s rotating parts out of synchronization and causing parts of the system to break down.
In 2007, in an effort to cast light on the vulnerability that was common to many electrical components, researchers from Idaho National Lab staged an Aurora attack live on CNN. The video is below.
“The Aurora vulnerability affects much more than rotating equipment inside power plants. It affects nearly every electricity system worldwide and potentially any rotating equipment—whether it generates power or is essential to an industrial or commercial facility.”
The article was written by Michael Swearingen, then manager for regulatory policy for Tri-County Electric Cooperative (now retired), Steven Brunasso, a technology operations manager for a municipal electric utility, Booz Allen Hamilton critical infrastructure specialist Dennis Huber and Joe Weiss, a managing partner for Applied Control Solutions.
Weiss today is a Defense Department subcontractor working with the Navy’s Mission Assurance Division. His specific focus is fixing Aurora vulnerabilities. He calls DHS’s error “breathtaking.”
The vast majority of the 800 or so pages are of no consequence, says Weiss, but a small number contain information that could be extremely useful to someone looking to perpetrate an attack. “Three of their slides constitute a hit list of critical infrastructure. They tell you by name which [Pacific Gas and Electric] substations you could use to destroy parts of grid. They give the name of all the large pumping stations in California.”
The publicly available documents that DHS released do indeed contain the names and physical locations of specific Pacific Gas and Electric substations that may be vulnerable to attack.
Defense One shared the documents with Jeffrey Carr, CEO of the cyber-security firm Taia Global and the author of Inside Cyber Warfare: Mapping the Cyber Underworld. “I’d agree…This release certainly didn’t help make our critical infrastructure any safer and for certain types of attackers, this information could save them some time in their pre-attack planning,” he said.
Perpetrating an Aurora attack is not easy, but it becomes much easier the more knowledge a would-be attacker has on the specific equipment they may want to target.
How Easy Is It To Launch an Aurora Attack?
In this 2011 paper for the Protective Relay Engineers’ 64th Annual Conference, Mark Zeller, a service provider with Schweitzer Engineering Laboratories, lays out—broadly—the information an attacker would have to have to execute a successful Aurora attack. “The perpetrator must have knowledge of the local power system, know and understand the power system interconnections, initiate the attack under vulnerable system load and impedance conditions and select a breaker capable of opening and closing quickly enough to operate within the vulnerability window.”
“Assuming the attack is initiated via remote electronic access, the perpetrator needs to understand and violate the electronic media, find a communications link that is not encrypted or is unknown to the operator, ensure no access alarm is sent to the operators, know all passwords, or enter a system that has no authentication.”
That sounds like a lot of hurdles to jump over. But utilities commonly rely on publicly available equipment and common communication protocols (DNP, Modbus, IEC 60870-5-103, IEC 61850, Telnet, QUIC4/QUIN, and Cooper 2179) to handle links between different parts of their systems. It makes equipment easier to run, maintain, repair and replace. But in that convenience lies vulnerability.
In their Power Magazine article, the authors point out that “compromising any of these protocols would allow the malicious party to control these systems outside utility operations.”
Defense One reached out to DHS to ask them if they saw any risk in the accidental document dump. A DHS official wrote back with this response: “As part of a recent Freedom of Information Act (FOIA) request related to Operation Aurora, the Department of Homeland Security (DHS) National Programs and Protection Directorate provided several previously released documents to the requestor. It appears that those documents may not have been specifically what the requestor was seeking; however, the documents were thoroughly reviewed for sensitive or classified information prior to their release to ensure that critical infrastructure security would not be compromised.”
Weiss calls the response “nonsense.”
The risk posed by DHS’s accidental document release may be large, as Weiss argues, or nonexistent, as DHS would have you believe. But even if it’s the latter, Aurora vulnerabilities remain a key concern.
Perry Pederson, who was the director of Control Systems Security Program at DHS in 2007 when the Aurora vulnerability was first exposed, said as much in a blog post in July after the vulnerability was discovered. He doesn’t lay blame at the feet of DHS. But his words echo those of Weiss in their urgency.
“Fast forward to 2014. What have we learned about the protection of critical cyber-physical assets? Based on various open source media reports in just the first half of 2014, we don’t seem to be learning how to defend at the same rate as others are learning to breach.”
Aurora vs. the Sony Hack
In many ways the Aurora vulnerability is a much harder problem to defend against than the Sony hack, simply because there is no obvious incentive for any utility operator to incur any of the relatively simple costs necessary to defend against it. And they are simple. Weiss says that a commonly available device installed on vulnerable equipment could effectively solve the problem, making it impossible to make the moving parts spin out of synchronization. There are two devices on the market, the iGR-933 rotating equipment isolation device (REID) and the SEL 751A, that purport to shield equipment from “out-of-phase” states.
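The defensive principle behind the out-of-phase protection devices mentioned above is a synchronism-check interlock: a breaker close is executed only when the machine side and the grid side are close enough in angle, frequency and voltage. The following is an added illustration of that interlock and is not the vendors’ logic or code from this article; the limits, the measured values and the event sequence are constructed assumptions.

```python
# Added example: a software model of a synchronism-check permissive placed between
# the control channel and a breaker. Limits and sample data are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class SyncCheckLimits:
    max_angle_deg: float = 10.0      # allowed angle between the two sides of the open breaker
    max_slip_hz: float = 0.10        # allowed frequency difference across the breaker
    max_volt_diff_pu: float = 0.05   # allowed voltage magnitude difference, per unit


def wrap_angle(deg):
    """Normalise an angle to the range [-180, 180)."""
    return ((deg + 180.0) % 360.0) - 180.0


def angle_after_open(t_s, slip_hz, initial_angle_deg=0.0):
    """Angle an islanded machine has drifted to, t seconds after its breaker opened.
    A slip of 1 Hz means the rotor gains a full 360 degrees on the grid every second."""
    return wrap_angle(initial_angle_deg + 360.0 * slip_hz * t_s)


def permits_close(angle_deg, slip_hz, volt_diff_pu, limits):
    """Return (permitted, reason). All three conditions must hold before a close."""
    angle = wrap_angle(angle_deg)
    if abs(angle) > limits.max_angle_deg:
        return False, f"angle {angle:.1f} deg exceeds {limits.max_angle_deg} deg"
    if abs(slip_hz) > limits.max_slip_hz:
        return False, f"slip {slip_hz:.2f} Hz exceeds {limits.max_slip_hz} Hz"
    if abs(volt_diff_pu) > limits.max_volt_diff_pu:
        return False, f"voltage difference {volt_diff_pu:.2f} pu exceeds {limits.max_volt_diff_pu} pu"
    return True, "in synchronism"


def evaluate_sequence(events, limits):
    """events: list of (t_s, command, angle_deg, slip_hz, volt_diff_pu) as the relay
    measures them when each command arrives; command is 'open' or 'close'.
    An 'open' is always executed; a 'close' is executed only if the permissive holds.
    Returns one (t_s, command, executed, reason) tuple per event."""
    decisions = []
    breaker_open = False
    for t_s, cmd, angle_deg, slip_hz, volt_diff_pu in events:
        if cmd == "open":
            breaker_open = True
            decisions.append((t_s, cmd, True, "executed"))
        elif cmd == "close" and not breaker_open:
            decisions.append((t_s, cmd, False, "breaker already closed"))
        elif cmd == "close":
            ok, reason = permits_close(angle_deg, slip_hz, volt_diff_pu, limits)
            if ok:
                breaker_open = False
            decisions.append((t_s, cmd, ok, reason))
        else:
            decisions.append((t_s, cmd, False, "unknown command"))
    return decisions


# Constructed sequence: the breaker opens at t=0 with the machine slipping at 1 Hz.
# A reclose is attempted 0.25 s later (90 degrees out of phase, the dangerous case),
# again at 1.0 s when the angle has wrapped back to zero but the slip is still 1 Hz,
# and finally after the machine has been resynchronised (4 degrees, 0.02 Hz slip).
SAMPLE_EVENTS = [
    (0.00, "open", 0.0, 1.00, 0.00),
    (0.25, "close", angle_after_open(0.25, 1.00), 1.00, 0.00),
    (1.00, "close", angle_after_open(1.00, 1.00), 1.00, 0.00),
    (60.0, "close", 4.0, 0.02, 0.01),
]

if __name__ == "__main__":
    for t_s, cmd, executed, reason in evaluate_sequence(SAMPLE_EVENTS, SyncCheckLimits()):
        print(f"t={t_s:6.2f}s {cmd:5s} executed={executed!s:5s} {reason}")
```

Only the last close is executed; the first two are refused on angle and on slip respectively, which is the behaviour an out-of-phase interlock must provide regardless of who issued the close command.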
To his knowledge, Weiss says, Pacific Gas and Electric has not installed any of them anywhere, even though the Defense Department will actually give them away to utility companies that want them, simply because DOD has an interest in making sure that bases don’t have to rely on backup power and water in the event of a blackout. “DOD bought several of the iGR-933, they bought them to give them away to utilities with critical substations,” Weiss said. “Even though DOD was trying to give them away, they couldn’t give them to any of the utilities because any facility they put them in would become a ‘critical facility’ and the facility would be open to NERC-CIP audits.”
Aurora is not a zero-day vulnerability, an attack that exploits an entirely new vector giving the victim “zero days” to figure out a patch. The problem is that there is no way to know that they are being implemented until someone, North Korea or someone else, chooses to exploit them.
Can North Korea pull off an Aurora attack? Weiss says yes. “North Korea and Iran are capable of doing things like this.”
Would such an attack constitute an act of cyber war? The answer is maybe. Speaking to reporters at the Pentagon on Friday, Pentagon Press Secretary Rear Adm. John Kirby said “I’m also not able to lay out in any specificity for you what would be or wouldn’t be an act of war in the cyber domain. It’s not like there’s a demarcation line that exists in some sort of fixed space on what is or isn’t. The cyber domain remains challenging, it remains very fluid. Part of the reason why it’s such a challenging domain for us is because there aren’t internationally accepted norms and protocols. And that’s something that we here in the Defense Department have been arguing for.”
Peter Singer, in conversation with Jason Koebler at Motherboard, says that the bar for actual military engagement against North Korea is a lot higher than hacking a major Hollywood movie studio.
“We didn’t go to war with North Korea when they murdered American soldiers in the 1970s with axes. We didn’t go to war with North Korea when they fired missiles over our allies. We didn’t go to war with North Korea when one of their ships torpedoed an alliance partner and killed some of their sailors. You’re going to tell me we’re now going to go to war because a Sony exec described Angelina Jolie as a diva? It’s not happening.”
Obama said Friday that there would be some sort of response to the hack, but declined to say what. “We have been working up a range of options. They will be presented to me. I will make a decision on those based on what I believe is proportional and appropriate to the nature of this crime,” he said.
Would infrastructure vandalism causing blackouts and water shutdowns constitute an act of war? The question may be moot. Before the United States can consider what sort of response is appropriate to cyber attacks, it must first be able to attribute them.
The FBI was able to finger North Korea for the hack after looking at the malware in the same way a forensics team looks for signs of a perpetrator at the scene of the crime. “Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks,” according to the FBI statement. (Attribution has emerged as a point of contention in technology circles, with many experts suggesting that an inside hack job was more likely.)
An Aurora vulnerability attack, conversely, leaves no fingerprints except perhaps a single IP address. Unlike the Sony hack, it doesn’t require specially written malware to be uploaded into a system, malware that could indicate the identity of the attacker, or at least his or her affiliation. Exploiting an Aurora attack is simply a matter of gaining access, remotely, possibly because equipment is still running on factory-installed passwords, and then turning a switch off and on.
“You’re using the substations against whatever’s connected to them. Aurora uses the substations as the attack vector. This is the electric grid being the attack vector,” said Weiss, who calls it “a very, very insidious” attack.
The degree to which we are safe from that eventuality depends entirely on how well utility companies have put in place safeguards. We may know the answer to that question in 2015.