A friend of mine sent me this link today, and I found it to be a very good read. Of course, I’ve known about how NotPetya happened, and I knew that it had caused widespread damage, especially to Maersk – although I didn’t know the details. But I think it teaches three important lessons.
The first lesson is fairly simple: Be sure to back up your domain controllers! The second is much more far-reaching: We need to start holding nation-states legally liable for cyber attacks – of course, this means Russia in the current case, but Iran, North Korea and China have also attacked the US with cyber weapons. The US did impose sanctions on Russia for this (although as the article points out, the message was muddled since the sanctions were attributed to several Russian transgressions, not just NotPetya), but sanctions don’t address the problem of liability.
Maersk says it lost $250-300 million due to NotPetya, but the article points out that some Maersk employees state anonymously that the real cost must have been much larger. (Merck said it lost $870 million. Of course, Merck is a public company and has to report accurate numbers. Maersk is privately owned, although it has 87,000 registered shareholders. Presumably they have been told the real cost.) The article describes the huge payments to customers that Maersk made to make up for at least some of the costs and losses they incurred. Then it goes on to point out that other groups of people incurred big losses as well, but they received no monetary compensation. The example used is the many trucking companies that lost money due to having picked up loads bound for the Maersk terminals but not being able to deliver them when the terminals shut down because of the systems outage; however, there are certainly many more third-party victims. The article points to a White House assessment that supposedly estimated the total damages (worldwide, I believe) at more than $10 billion.
Of course, there are (and will be) the usual lawsuits, etc. against Russia by the many victims, and I’m sure at least some of those will bear some fruit many years from now. But this doesn’t seem to be sufficient deterrent since, as we well know, Russia continues to target US elections and the electric power industry. How about this?
- We label Russia’s actions an act of war;
- We order immediate freezing or seizure of Russian government assets (and perhaps private assets of individuals that the US intelligence agencies have already identified as doing the bidding of the Russian government in these matters – i.e. some of the oligarchs), sufficient to pay all of the documented losses incurred by any US citizens or companies; and
- Within a year, if the Russian government hasn’t demonstrated that NotPetya wasn’t their fault, those assets are liquidated to compensate those losses.
If a car driven by a Russian embassy employee hits my car while on an urgent government errand, I will be entitled to compensation from the Russian government. Yet when Russia recklessly launches a cyber attack on the Ukraine as part of their undeclared war on that country, knowing full well that it will spread elsewhere (and, as the article points out, spreading outside the Ukraine was probably one of the goals of the attack – in order to damage Ukraine’s reputation as a safe place to do business), there is no compensation for its victims unless they spend a lot of time and money pursuing lawsuits. This isn’t right.
(And while we’re at it, where is the compensation for the families of the victims of the shooting down of Malaysian Airlines flight 17 over the Ukraine in July, 2012? Sure, a commission finally concluded last year that a Russian launcher loaned to the Russian-backed rebels in the Ukraine brought the plane down. And there are now various lawsuits going on against Russia. So maybe in 5-10 years the families of those victims – those still alive – will be compensated in some way. But a member of the Duma – the Russian parliament – admitted 1-2 weeks after the incident that Russia was at fault.[i] I think Russian aircraft should have been immediately banned from all international airspace until full compensation was paid to all victims. And it’s still not too late to do that.)
The third lesson is this: There should be some sort of mandatory cyber security regulation on all critical infrastructure, not just the electric power industry. I’ve always thought of the power industry as unique, because of the great harm that a serious attack on the grid would cause to lots of people. And it’s indisputable that a grid cyberattack would cause more harm than an attack on any other CI industry.
But the Maersk attack did cause a huge amount of damage to a lot of entities and people other than Maersk. And it’s pretty clear that Maersk didn’t take some of the basic measures that the power industry now takes for granted. The most important of these is separation of the IT and OT networks. Since the disturbance began on what should have been the IT network, a proper separation would most likely have prevented this from spreading to their operational systems.[ii] Another is – of course – regular patching, since Microsoft had patched the primary vulnerability that NotPetya exploited.
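To make the IT/OT separation point concrete, here is an added example of the kind of check a network team can run against its own firewall rule set. This is example code written for this post, not anything from the article, from Maersk or from the power industry's standards; the zone address ranges, the rules and the single approved exception (a one-way feed from a DMZ host, standing in for the order and invoice documents that footnote [ii] notes have to cross into OT) are all constructed for illustration. It flags any direct IT-to-OT allow rule, any rule whose service scope is broader than a single port, any DMZ-to-OT rule not on the approved exception list, and any rule that exposes Windows file sharing (tcp/445) to the OT side, since that is the service lateral-movement worms habitually ride.

```python
"""Audit a firewall rule set for IT-to-OT exposure.

Added example for this post. Zone ranges, rules and the approved-exception
list are constructed for illustration and do not describe any real network.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone definitions: IT office network, a data-transfer DMZ, and OT.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.20.0.0/24")],
    "OT": [ipaddress.ip_network("10.30.0.0/16"),
           ipaddress.ip_network("192.168.100.0/24")],
}

# Constructed exception list: (src_zone, dst_zone, proto, port) tuples that
# have been reviewed and approved, e.g. a one-way feed from a DMZ broker.
APPROVED = {("DMZ", "OT", "tcp", 8443)}

SMB_PORT = 445  # Windows file sharing; a classic worm propagation path


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR
    dst: str        # CIDR
    proto: str      # "tcp", "udp" or "any"
    ports: str      # "445", "1024-65535" or "any"
    action: str     # "allow" or "deny"


def zone_of(cidr):
    """Map a CIDR to a zone name; a /0 means 'any', unknown ranges are flagged."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "ANY"
    for zone, nets in ZONES.items():
        if any(net.version == z.version and net.subnet_of(z) for z in nets):
            return zone
    return "UNKNOWN"


def parse_ports(ports):
    """Return an inclusive (low, high) port range for a rule's port spec."""
    if ports == "any":
        return 0, 65535
    if "-" in ports:
        lo, hi = ports.split("-")
        return int(lo), int(hi)
    return int(ports), int(ports)


def findings_for(rule):
    """Return a list of human-readable findings for one allow rule."""
    if rule.action != "allow":
        return []
    src, dst = zone_of(rule.src), zone_of(rule.dst)
    reaches_ot = dst in ("OT", "ANY")
    from_it = src in ("IT", "ANY")
    if not (reaches_ot and (from_it or src == "DMZ")):
        return []  # rule does not bring IT-side traffic into OT
    lo, hi = parse_ports(rule.ports)
    out = []
    if from_it:
        out.append(f"{rule.name}: direct {src}->OT allow; route through the DMZ instead")
    if rule.proto == "any" or hi > lo:
        out.append(f"{rule.name}: broad service scope {rule.proto}/{rule.ports}; pin to one port")
    elif (src, "OT", rule.proto, lo) not in APPROVED:
        out.append(f"{rule.name}: {src}->OT {rule.proto}/{lo} is not on the approved exception list")
    if rule.proto in ("tcp", "any") and lo <= SMB_PORT <= hi:
        out.append(f"{rule.name}: Windows file sharing (tcp/{SMB_PORT}) reachable in OT")
    return out


def audit(rules):
    """Return {rule name: [findings]} for every rule that produced a finding."""
    report = {}
    for rule in rules:
        found = findings_for(rule)
        if found:
            report[rule.name] = found
    return report


# Constructed sample rule set.
RULES = [
    Rule("it-to-ot-smb", "10.10.0.0/16", "10.30.0.0/16", "tcp", "445", "allow"),
    Rule("ops-any", "10.10.5.0/24", "192.168.100.0/24", "any", "any", "allow"),
    Rule("dmz-historian", "10.20.0.10/32", "10.30.1.20/32", "tcp", "8443", "allow"),
    Rule("dmz-extra", "10.20.0.11/32", "10.30.1.21/32", "tcp", "22", "allow"),
    Rule("it-internal", "10.10.0.0/16", "10.10.0.0/16", "any", "any", "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, items in audit(RULES).items():
        for item in items:
            print(item)
```

Run against the constructed rules, the audit flags the two direct IT-to-OT rules and the unapproved DMZ rule, and stays silent on the approved historian feed, the IT-internal rule and the default deny. The design choice worth noting is that the only IT-to-OT path that passes is one that goes through a DMZ host on a single, reviewed port; that is exactly the shape of separation the paragraph above describes, and it is what an outbreak on the IT side runs into.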
So am I advocating that the current NERC CIP standards be applied to all CI industries? Of course not. But I am advocating that a flexible format for mandatory cyber security standards be developed, which would apply to all CI industries, to greater (electric power) or lesser (say, food and agriculture) degree.[iii]
And this is a note to the huge surge of Russian readers I had during my posts on the DHS briefings and news stories on the Russian cyberattacks on the power industry[iv]: Please let your boss Mr. P know that the world isn’t going to stand by much longer and pretend that Russian cyberattacks are just one of those hazards like storms that we all have to live with. There’s some amount of pressure that will get him to stop. We obviously haven’t reached that point yet, so we need to try harder.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And if you’re a security vendor to the power industry, TALLC can help you by developing marketing materials, delivering webinars, etc. To discuss any of this, you can email me at the same address.
[ii] I realize that separating IT and OT networks would probably be a lot harder for Maersk, since there are so many IT-type documents – orders, bills of lading, invoices – that play an actual role in the OT processes. Separation of IT and OT would probably have prevented the Target breach of 2013 as well, but again it would be much harder to separate the two in a retail environment.
[iii] Of course, describing this format is the end goal of the book I am currently working on.
[iv] It seems those readers have almost entirely left me, not that I’m shedding bitter tears about that. So if you happen to know who they were, please drop them a friendly email suggesting they read this post.