A friend of
mine sent me this
link today, and I found it to be a very good read. Of course, I’ve known
about how NotPetya happened, and I knew that it had caused widespread damage,
especially to Maersk – although I didn’t know the details. But I think it
teaches three important lessons.
The first
lesson is fairly simple: Be sure to back up your domain controllers! The second
is much more far-reaching: We need to start holding nation-states legally liable for cyber attacks – of course,
this means Russia in the current case, but Iran, North Korea and China have
also attacked the US with cyber weapons. The US did impose sanctions on Russia
for this (although as the article points out, the message was muddled since the
sanctions were attributed to several Russian transgressions, not just
NotPetya), but sanctions don’t address the problem of liability.
Maersk says
it lost $250-300 million due to NotPetya, but the article points out that some
Maersk employees state anonymously that the real cost must have been much
larger (Merck said it lost $870 million. Of course, Merck is a US-listed company
and has to report accurate numbers. Maersk is listed in Copenhagen but is
controlled by the Møller family's foundation, and the $250-300 million is the figure it disclosed
to its 87,000 registered shareholders. Presumably they have been told the real cost). The
article describes the huge payments to customers that Maersk made to make up
for at least some of the costs and losses they incurred. Then it goes on to
point out that other groups of people incurred big losses as well, but they
received no monetary compensation. The example used is the many trucking
companies that lost money due to having picked up loads bound for the Maersk
terminals but not being able to deliver them when the terminals shut down
because of the systems outage; however, there are certainly many more third-party
victims. The article points to a White House assessment that supposedly
estimated the total damages (worldwide, I believe) at more than $10 billion.
Of course,
there are (and will be) the usual lawsuits, etc. against Russia by the many
victims, and I’m sure at least some of those will bear some fruit many years
from now. But this doesn’t seem to be sufficient deterrent since, as we well
know, Russia continues to target US elections and the electric
power industry. How about this?
- We label Russia’s actions an act of war;
- We order immediate freezing or seizure of Russian
government assets (and perhaps private assets of individuals that the US
intelligence agencies have already identified as doing the bidding of the
Russian government in these matters – i.e. some of the oligarchs), sufficient
to pay all of the documented losses incurred by any US citizens or
companies; and
- Within a year, if the Russian government hasn’t
demonstrated that NotPetya wasn’t their fault, those assets are liquidated
to compensate those losses.
If a car
driven by a Russian embassy employee hits my car while on an urgent government
errand, I will be entitled to compensation from the Russian government. Yet
when Russia recklessly launches a cyber attack on Ukraine as part of its
undeclared war on that country, knowing full well that it will spread elsewhere
(and, as the article points out, spreading outside Ukraine was probably one
of the goals of the attack, in order to damage Ukraine's reputation as a safe
place to do business), there is no compensation for its victims unless they
spend a lot of time and money pursuing lawsuits. This isn't right.
(And while
we're at it, where is the compensation for the families of the victims of the
shooting down of Malaysia Airlines Flight 17 over Ukraine in July 2014?
Sure, a commission finally concluded last year that a Russian launcher loaned
to the Russian-backed rebels in Ukraine brought the plane down. And there
are now various lawsuits going on against Russia. So maybe in 5-10 years the
families of those victims - those still alive - will be compensated in some
way. But a member of the Duma - the Russian parliament - admitted 1-2 weeks after the incident that Russia
was at fault.[i]
I think Russian aircraft should have been immediately banned from all
international airspace until full compensation was paid to all victims. And it's
still not too late to do that.)
The third
lesson is this: There should be some sort of mandatory cyber security regulation
on all critical infrastructure, not just the electric power industry. I’ve
always thought of the power industry as unique, because of the great harm that
a serious attack on the grid would cause to lots of people. And it’s
indisputable that a grid cyberattack would cause more harm than an attack on any
other CI industry.
But the
Maersk attack did cause a huge amount of damage to a lot of entities and people
other than Maersk. And it's pretty clear that Maersk didn't take some of the
basic measures that the power industry now takes for granted. The most important
of these is separation of the IT and OT networks. Since the infection began
on what should have been the IT network, a proper separation would most likely
have prevented it from spreading to their operational systems.[ii] Another
is - of course - regular patching, since Microsoft had patched the primary vulnerability
that NotPetya exploited about three months before the attack. Patching alone would not have
been enough, though: NotPetya also spread by stealing credentials from memory and
reusing them over ordinary Windows administration channels, so a fully patched but
flat network with shared admin credentials would still have fallen.
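As an added example (not from the post, and not Maersk's or anyone else's actual configuration), the script below runs the two checks the paragraph above names on a single Windows host: whether SMBv1, the protocol that NotPetya's EternalBlue component exploits and that the March 2017 Microsoft fix covered, is still enabled; how long it has been since the host last installed a hotfix; and, as a host-level stand-in for network segmentation, a firewall rule refusing SMB connections from the IT network. The IT subnet 10.1.0.0/16 and the rule name are hypothetical; replace them with your own.

```powershell
# Added example (not from the post): baseline checks for an OT-side Windows host.
# Assumptions: 10.1.0.0/16 is the corporate IT network (hypothetical address);
# run in an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later.

$ItSubnet = '10.1.0.0/16'   # hypothetical IT range; replace with your own

# 1. Is SMBv1 still enabled? NotPetya's EternalBlue component only works
#    against SMBv1, and Microsoft's March 2017 fix closed the flaw it exploited.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 is enabled on the server side; disabling it.'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
# The optional-feature name differs across Windows versions, so tolerate a miss.
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    Write-Warning 'SMB1Protocol feature is installed; removing it (reboot required).'
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 2. How stale is patching? Flag a host with no update installed in the last 30 days.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    Write-Warning 'No hotfix with an install date found on this host.'
} elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-30)) {
    Write-Warning ("Last hotfix {0} was installed on {1}; host is stale." -f
                   $latest.HotFixID, $latest.InstalledOn)
}

# 3. Host-level stand-in for IT/OT separation: refuse SMB from the IT range.
#    The real control belongs on the network boundary (firewall/VLAN); this
#    rule only limits the blast radius if that boundary is missing or leaky.
$ruleName = 'Block SMB from IT network'   # hypothetical rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139,445 -RemoteAddress $ItSubnet -Action Block -Profile Any | Out-Null
}
```

The SMB block rule is deliberately narrow: it stops the one lateral-movement path the paragraph discusses, not the credential-reuse paths NotPetya also used, which is why the network boundary, separate admin credentials for OT, and patching all have to be in place together.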
So am I
advocating that the current NERC CIP standards be applied to all CI industries?
Of course not. But I am advocating that a flexible format for mandatory cyber
security standards be developed, which would apply to all CI industries, to
greater (electric power) or lesser (say, food and agriculture) degree.[iii]
And this is
a note to the huge surge of Russian readers I had during my posts on the DHS
briefings and news stories on the Russian cyberattacks on the power industry[iv]: Please
let your boss Mr. P know that the world isn't going to stand by much longer and
pretend that Russian cyberattacks are just one of those hazards like storms
that we all have to live with. There's some amount of pressure that will get
him to stop. We obviously haven't reached that point yet, so we need to try
harder.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – especially on compliance with
CIP-013. And if you’re a security vendor to the power industry, TALLC can help
you by developing marketing materials, delivering webinars, etc. To discuss any
of this, you can email me at the same address.
[ii]
I realize that separating IT and OT networks would probably be a lot harder for
Maersk, since there are so many IT-type documents – orders, bills of lading,
invoices – that play an actual role in the OT processes. Separation of IT and
OT would probably have prevented the Target breach of 2013 as well, but again
it would be much harder to separate the two in a retail environment.
[iii]
Of course, describing this format is the end goal of the book I am currently
working on.
[iv]
It seems those readers have almost entirely left me, not that I’m shedding
bitter tears about that. So if you happen to know who they were, please drop
them a friendly email suggesting they read this post.