Power Play: Resilience & Infrastructure
Standardization is often seen as a positive in modern society, but there are risks in creating a monoculture—a homogenous culture lacking diversity—especially in cyberspace.
In a paper published in 2003 by the Computer & Communications Industry Association, a team of researchers outlined the risks of a Microsoft monopoly on global cybersecurity. A majority of the world’s computers at the time were running Microsoft’s operating system, so they were vulnerable to the same kinds of viruses and worms.
“Because Microsoft’s near-monopoly status itself magnifies security risk, it is essential that society become less dependent on a single operating system from a single vendor if our critical infrastructure is not to be disrupted in a single blow,” the authors of CyberInsecurity: The Cost of Monopoly, said. “The goal must be to break the monoculture.”
The authors suggested that governments create policies and regulations that would require critical infrastructure operators to diversify the operating systems they were using, thereby preventing a single virus from wreaking global havoc.
In 2010, two of the authors wrote an essay explaining that their views on the monoculture threat had changed. One reason for their change in perspective was because, in 2003, they had assumed that the IT monoculture was relatively simple, but it’s not.
“Two computers might be running the same [operating system] or applications software, but they’ll be inside different networks with different firewalls and [intrusion detection systems] and router policies; they’ll have different antivirus programs and different patch levels and different configurations, and they’ll be in different parts of the Internet connected to different servers running different services,” wrote Bruce Schneier, now chief technology officer at IBM Resilient, for Information Security magazine. “That’s one of the reasons large-scale Internet worms don’t infect everyone—as well as the network’s ability to quickly develop and deploy patches, new antivirus signatures, new IPS signatures, and so on.”
The risks of a monoculture on critical infrastructure were brought to light outside of cyberspace in December 2015 when Ukraine’s electric grid was hit by a cyberattack, leaving approximately 225,000 people without power. Ukraine recovered, but was hit by another cyberattack in the fall of 2016, which again cut the power.
The electric grid in Ukraine, as in most of eastern Europe, was created when it was part of the Soviet Union. Ukraine’s system was standardized and designed to operate exactly the same way, across the board. Since Ukraine became an independent nation in 1991, it has built some diversification into its electric grid.
“But the culture, the thinking, the older system are all fairly standard across the country and look just like Russia—its adversary to the east—because it was all built on the old Soviet model,” says Marcus Sachs, CSO of the North American Electric Reliability Corporation (NERC). “That becomes a weakness when you repeat things and you don’t have diversity in thinking, and diversity in the way you run stuff.”
THE UKRAINE ATTACK
On December 23, 2015, three Ukrainian regional electrical distribution centers—called oblenergos—went down within 30 minutes of each other, cutting power to approximately 225,000 people. The cause of the outage: a coordinated cyberattack that was the first publicly acknowledged attack to result in a power outage.
The oblenergos were forced to use manual operations to restore power to the electric grid and restored power quickly after an initial outage of several hours. However, the impacted oblenergos continued to run their distribution systems in an “operationally constrained mode,” according to Analysis of the Cyber Attack on the Ukrainian Power Grid, issued by SANS Industrial Control Systems and the Electricity Information Sharing and Analysis Center (E-ISAC).
After restoring power, Ukraine worked with security vendors and government partners—including the U.S. Department of Homeland Security (DHS) and NERC—to investigate how the cyberattack was carried out.
They discovered that the attackers used spear phishing emails sent to administrative or IT network operators to gain access to the oblenergos’ business networks. The emails included an attachment—an Excel spreadsheet—that was embedded with BlackEnergy malware that, once opened, installed Secure Shell (SSH) backdoors on the oblenergos’ networks.
These backdoors allowed the attackers to gather information on the environment and enable access to other areas of the network more than six months before the December 23 attack.
“One of their first actions happened when the network was used to harvest credentials, escalate privileges, and move laterally through the environment,” the analysis says. “At this point, the adversary completed all actions to establish persistent access to the targets.”
The attackers used these stolen credentials to pivot into network segments where supervisory control and data acquisition (SCADA) dispatch workstations and network segments were located. Using these connections, the attackers learned how to interact with the oblenergos’ distribution management systems (DMSs) and developed malicious firmware to use later.
They gained access to the oblenergos’ industrial control systems (ICS) components and installed malicious software—called KillDisk—across the environment. The attackers then combined their work to execute the attack, opening the oblenergos’ breakers and taking at least 27 substations offline. They also uploaded the malicious firmware they had created to prevent operators from using remote commands to bring the substations back online.
“During the same period, the attackers also leveraged a remote telephonic denial-of-service attack on the energy company’s call center with thousands of calls to ensure that impacted customers could not report outages,” the analysis says. “Initially, it seemed that this attack was to keep customers from informing the operators of how extensive the outages were; however, in review of the entirety of the evidence, it is more likely that the denial of service was executed to frustrate the customers since they could not contact customer support or gain clarity regarding the outage.”
The analysis authors also note that the power outage was not caused by BlackEnergy, the backdoors, KillDisk, or the malicious firmware. Instead, these components of the attack were used to access the oblenergos’ systems and then delay the restoration of power.
“However, the strongest capability of the attackers was not in their choice of tools or in their expertise, but in their capability to perform long-term reconnaissance operations required to learn the environment and execute a highly synchronized, multistage, multisite attack,” according to the analysis.
WHY UKRAINE?
No one has claimed responsibility for the attack on Ukraine’s electric grid. Ukraine’s Security Service has pointed a finger at Russia, but has not offered publicly available evidence to corroborate that claim.
However, there are many reasons that an attacker would see Ukraine as an attractive target for this kind of cyberattack, says Ernie Dennis, a cyber intelligence analyst at the Retail Cyber Information Sharing Center who was formerly with Arbor Networks.
Russia annexed part of Ukraine—Crimea—in 2014 and has stationed military troops along the border of eastern Ukraine since then. After the annexation occurred, there was not a great deal of pushback from the European Union or the United States, except in the form of sanctions.
If Russia had been developing the ability to conduct a cyberattack on an electric grid, and wanted to test the method and face few consequences for doing so, targeting Ukraine might be a good idea, Dennis says.
“Ukraine makes a great playground to test your neighbor’s resiliency to push more boundaries,” he explains. “If [the attackers] were to have done this in a legitimate European Union nation or a NATO ally, there’s a whole lot of other concerns that they have to worry about.”
Those concerns include being able to stay on the distributor’s network, facing a more robust defensive posture, and retaliation.
“But if you muck around in a country you’re already playing around in, and you haven’t had any issues, why not push it a little bit further and see what else you can get away with?” Dennis adds.
His thinking is in line with findings from Booz Allen Hamilton, which released the report When the Lights Went Out: A Comprehensive Review of the 2015 Attacks on Ukrainian Critical Infrastructure. The report says the December 2015 cyberattack was just the latest in a series of attacks.
“This long-running campaign likely reflects a significant, concerted effort by a single threat actor with a well-organized capability and interest in using cyberattacks to undermine Ukraine’s socio-political fabric,” the report says.
For instance, other cyberattacks were carried out against Ukraine’s electric sector, railway sector, television sector, mining sector, and regional government and public archives beginning in 2014. BlackEnergy—the malware used in the December 2015 cyberattack—was used in some of these previous attacks.
These attacks could have been undertaken to send a message because they were not designed to provide the attackers with a financial return, says the report.
“While politically motivated cyberattacks are not a novel foreign policy tool, the industries and organizations that serve as potential targets are expanding,” the report says. “Cyberattacks present a powerful political tool, particularly those against critical infrastructure providers. Industrial control systems operators are not above the fray in geopolitical rows, and may in fact be the new primary target.”
WHAT THE HACK MEANS FOR DEFENDERS
While it’s not definite who was behind the December 2015 cyberattack, the culprit was well-resourced, well-organized, and able to identify the biggest points of failure in Ukraine’s electric grid system: the operator’s security posture that allowed remote access to the control environment without two-factor authentication.
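The weakness singled out above, remote access into the control environment without a second authentication factor, is something an operator can audit from its own remote-access records. The following Python script is an added example, not code from the article or from the SANS/E-ISAC analysis it cites. It assumes a simple space-separated log format and hypothetical control-network address ranges (both constructed for the example; a real site would use its own asset inventory and log schema). It flags two things the article's account of the intrusion points to: successful sessions into the control segment that were not protected by multi-factor authentication, and accounts whose sessions span both the business network and the control segment, which is the kind of pivot the attackers used.

```python
"""Audit remote-access sessions that reached an ICS/control-network segment.

Added example. The log format, the address ranges and the sample lines are
constructed for illustration; none of it comes from the article or the reports
it cites.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical control-network ranges (assumption; take these from the site's inventory).
CONTROL_SEGMENTS = [ip_network("10.20.0.0/16"), ip_network("10.21.0.0/24")]

# Authentication methods this example treats as multi-factor (assumption).
MFA_METHODS = {"password+otp", "certificate+otp", "smartcard+pin"}

# Constructed sample log: timestamp user src_ip dst_ip auth_method result
SAMPLE_LOG = """\
2016-01-15T21:48:02Z dispatcher1 203.0.113.10 10.20.5.12 password+otp success
2016-01-15T22:05:17Z itadmin 198.51.100.7 10.20.5.40 password success
2016-01-15T22:09:41Z itadmin 198.51.100.7 10.1.3.9 password success
2016-01-15T22:11:03Z svc_backup 203.0.113.22 10.21.0.5 password failure
2016-01-15T23:30:55Z dispatcher2 203.0.113.10 10.20.5.12 certificate+otp success
"""


@dataclass
class Session:
    ts: datetime
    user: str
    src: str
    dst: str
    auth: str
    result: str


def parse_log(text: str) -> list[Session]:
    """Parse the constructed log format into Session records, skipping blank lines."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, auth, result = line.split()
        sessions.append(
            Session(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, dst, auth, result)
        )
    return sessions


def is_control_address(addr: str) -> bool:
    """True if the destination falls inside one of the control-network ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in CONTROL_SEGMENTS)


def audit(sessions: list[Session]) -> list[tuple[str, str, str]]:
    """Return (user, detail, reason) findings for sessions worth a defender's attention.

    Only successful sessions matter here: a failed login never reached the segment.
    """
    findings = []
    successful = [s for s in sessions if s.result == "success"]

    # 1. Control-segment access that was not protected by a second factor.
    for s in successful:
        if is_control_address(s.dst) and s.auth not in MFA_METHODS:
            findings.append((s.user, s.dst, "control-segment access without MFA"))

    # 2. One account used on both the business network and the control segment,
    #    the pattern of pivoting from IT into SCADA described in the article.
    by_user: dict[str, set[str]] = {}
    for s in successful:
        by_user.setdefault(s.user, set()).add(s.dst)
    for user, dsts in by_user.items():
        control = sorted(d for d in dsts if is_control_address(d))
        business = sorted(d for d in dsts if not is_control_address(d))
        if control and business:
            detail = ",".join(business) + " -> " + ",".join(control)
            findings.append((user, detail, "same account used on business and control segments"))

    return findings


if __name__ == "__main__":
    for user, detail, reason in audit(parse_log(SAMPLE_LOG)):
        print(f"{user:12} {detail:28} {reason}")
```

On the constructed sample, the two dispatcher sessions pass because they used a one-time-password or certificate factor, the failed svc_backup login is ignored, and the itadmin account is reported twice: once for reaching the control segment with a password alone, and once for touching both a business host and a control host. The same two checks carry over to any remote-access or jump-host log once the parser is adapted to its real format.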
The attack also marked an escalation from previous destructive attacks that targeted computers and servers—like the Saudi Aramco hack in 2012 and the Sony Pictures attack in 2014.
“Several lines were crossed in the conduct of these attacks, as the targets could be described as solely civilian infrastructure,” the SANS report found. “Historic attacks, such as Stuxnet [attack on Iran’s nuclear program]…could be argued as being surgically targeted against a military target.”
Some areas of the world also might be at greater risk of a similar type of cyberattack, Dennis says.
“If someone really wanted to affect Africa and take out the power, I believe that they would have similar success to what they did in Ukraine,” he explains. “The reason why the United States and the European Union are so headstrong about their power infrastructure is because they know for a fact that they’ve taken the time, money, and effort to make it robust and secure, in light of ongoing thoughts of doom and gloom that it could happen any day.”
A destructive cyberattack has not hit U.S. critical infrastructure, but in fiscal year 2015, members of the U.S. energy sector reported 46 cybersecurity incidents to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), according to the Booz Allen report.
“ICS-CERT does not publish a breakdown of the types of incidents by sector, but it revealed that 31 percent of total incidents reported across all sectors involved successful intrusion into operators’ assets, a third of which included accessing control systems,” the report says.
One of the few disclosed incidents was a BlackEnergy campaign that the U.S. government suspected was sponsored by the Russian government. However, the campaign did not attempt to “damage, modify, or otherwise disrupt” the electric grid.
This type of campaign is in line with the findings from a DHS Office of Intelligence and Analysis intelligence assessment that found that the “threat of a damaging or disrupting cyberattack against the U.S. energy sector is low.”
Nation-state cyber actors are targeting the U.S. energy sector enterprise networks, the report found, but mainly to conduct cyber espionage.
“The APT activity directed against sector industrial control system networks probably is focused on acquiring and maintaining persistent access to facilitate the introduction of malware, and likely is part of nation-state contingency planning that would only be implemented to conduct a damaging or disruptive attack in the event of hostilities with the United States,” the assessment says.
The DHS analysis was released in the spring of 2016, and DHS did not respond to requests for an updated threat analysis for this article.
However, other experts doubt that an attack—like the one against Ukraine—would be effective against the U.S. or Canadian electric grids because regulators have taken steps to address cyber risks to the grid.
In 2006, NERC started the effort to create reliability standards for cybersecurity for the North American bulk power system, which is a major target with more than 450,000 miles of high voltage transmission lines and more than 55,000 transmission substations, says Brian Harrell, CPP, director of security and risk management for Navigant Consulting and former director of critical infrastructure protection programs at NERC.
“NERC and the industry have gone through multiple iterations of mandatory Critical Infrastructure Protection Standards (CIPS) that focus on security protections,” Harrell says. Not complying with these standards can result in fines of up to $1 million per day, per violation.
And, Harrell adds, “it’s important to remember that these are minimum standards, and should be looked at as a baseline from which to improve. Utilities should constantly be assessing their systems, patching their software, and testing their recovery procedures.”
Also aiding the United States in preventing a similar attack from being effective is a robust information sharing system between NERC, the E-ISAC, the federal government, and the private sector.
“Over the past few years, DHS, the FBI, and the U.S. Department of Energy have made considerable strides in improving information sharing and giving classified access to intelligence products, such as bulletins, alerts, and secret-level briefings,” Harrell says. “These data points have been used to mitigate threats, reduce risk, and update internal security policies.”
This system exists in the United States and NERC is working with the Canadian government and Canadian power companies to create a similar information sharing network, Sachs says.
However, Sachs says it’s important that these information sharing centers remain a voluntary practice for private companies to participate in.
“There’s very little critical infrastructure that’s government owned, and that’s frustrating because you can’t really demand the private sector share with the government, because if you do that, they will only share the bare minimum required to meet the law,” Sachs explains. “You want to encourage voluntary sharing, that way they’ll share more.”
To help bolster the electric grid in the United States and Canada, NERC has sponsored four biennial exercises, called GridEx, to provide utility operators with the opportunity to demonstrate how they would respond to and recover from a simulated coordinated cyber and physical security threat.
The first exercise took place in November 2011, and NERC will hold its next exercise—GridEx IV—in November 2017. NERC will provide participants with a detailed scenario that grid operators can then adapt to their own training needs, Sachs says.
“We try to build an exercise that stresses the operator community, makes them think about how they would respond and not so much looking into how the electricity is turned off,” Sachs says. “This helps eliminate people reading into a scenario and saying, ‘Well, that physically can’t happen.’”
But the final factor that bolsters North America’s electric grid security is the fact that it is a mostly privately owned and operated system that is diverse, despite its regulatory framework.
“Even though we may agree on what the outcome needs to look like, we will allow an asset owner to have maximum flexibility in designing a system that can achieve that outcome,” Sachs says. “So then you have all these different approaches, and a bad actor who is trying to get in, if he finds success somewhere, that success isn’t necessarily going to work elsewhere because the approaches were different.”
The North American system wasn’t initially designed to be diverse, Sachs says, but was instead designed to be resilient and adapt to problems.
“What tends to work here is you adapt the design of the grid to the local conditions, and working on our behalf in North America is the culture in the U.S. and Canada of diversity—a culture that says, ‘It’s okay to do things differently. We don’t have to be uniform, by the book, precise,’” Sachs says.
And this diversity in the design and implementation of security makes the North American grid more secure, Sachs says, because an attacker couldn’t use the exact same approach to take down multiple aspects of the grid.
“But that also doesn’t mean we turn off our vigilance,” Sachs adds. “When we’re up against a thinking enemy—a human mind—the defenders have to be on the lookout for new methods on the attacker side and never let their guard down. They have to use the strengths they have, and diversity is one of those big strengths.”