Sept. 8: Blake had been away on Friday but was able to get me the free link to the article this morning. It's easier to read than the copy I appended below.
E&E News this morning published the story below. It seems that the “cyber event” reported to DoE in March, which became public (again, due to an E&E News story) in April, was truly an attack. The attack exploited a new vulnerability in a firewall; the vendor (previously reported by the E-ISAC as Cisco) had already issued a patch, but the entity involved hadn’t applied it yet. The attack caused a control center and three generation facilities to repeatedly lose their connections over a ten-hour period, as their firewalls continually rebooted.

This was revealed in a Lessons Learned document from NERC, which now seems to be unavailable at the link that NERC sent out a couple of days ago and which is repeated in the article. What can I say? If you want to read the document (which is good, and definitely provides some good lessons), email me and I’ll send it to you.
Once you see the NERC document, you’ll know NERC’s Lessons Learned. Now I will tell you (whether or not you want to hear it) Tom’s Lesson Learned, to wit: there was a lot of talk downplaying this event as a random one, but an attack on four different (although linked) networks, which exploited a known vulnerability and which was repeated continually over ten hours, isn’t random. Of course, even if it had been a purely random event, it would nevertheless be a cyberattack, and worthy of analysis. Fortunately, it seems the E-ISAC (which investigated the incident and presumably wrote the Lessons Learned) pursued their investigation until they had all the facts; they are to be commended for this.
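As an added example (not from the NERC document, the E&E News article, or this blog), here is a small Python check that applies the reasoning above to firewall syslog: it counts reboot events per site inside a sliding ten-hour window, flags the pattern as sustained and multi-site rather than a one-off crash when several sites each repeat, and cross-references the rebooting devices against a firmware inventory to show which of them still lack the vendor's fix. Every host name, site, timestamp, log line, version number and threshold below is constructed for illustration; the `<site>-<device>` naming convention and the log message wording are assumptions.

```python
"""
Correlate firewall reboot events across sites and cross-check the rebooting
devices against a patch inventory. Added illustration: all hosts, sites,
timestamps, log lines and firmware versions are constructed, not taken from
the NERC Lessons Learned document or the E&E News article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines. Host naming <site>-<device> is an assumption;
# "cc" stands for a control center, "gen1".."gen3" for generation facilities.
SAMPLE_LOG = """\
2019-03-10T09:02:11Z cc-fw1 kernel: unexpected system restart, reason=watchdog
2019-03-10T09:05:47Z gen1-fw1 kernel: unexpected system restart, reason=watchdog
2019-03-10T09:06:30Z cc-fw1 sshd: accepted publickey for ops from 10.1.0.5
2019-03-10T10:41:12Z gen2-fw1 kernel: unexpected system restart, reason=watchdog
2019-03-10T11:13:55Z gen3-fw1 kernel: unexpected system restart, reason=watchdog
2019-03-10T11:20:03Z cc-fw1 kernel: unexpected system restart, reason=watchdog
2019-03-10T12:55:49Z gen1-fw1 kernel: unexpected system restart, reason=watchdog
2019-03-10T13:31:08Z gen3-fw1 kernel: unexpected system restart, reason=watchdog
2019-03-10T14:10:22Z cc-fw1 kernel: unexpected system restart, reason=watchdog
2019-03-10T14:33:40Z gen2-fw1 kernel: unexpected system restart, reason=watchdog
2019-03-10T15:48:57Z gen1-fw1 kernel: unexpected system restart, reason=watchdog
2019-03-10T16:20:14Z gen3-fw1 kernel: unexpected system restart, reason=watchdog
2019-03-10T17:02:33Z gen2-fw1 kernel: unexpected system restart, reason=watchdog
2019-03-10T18:57:01Z cc-fw1 kernel: unexpected system restart, reason=watchdog
2019-03-12T03:14:00Z office-fw1 kernel: unexpected system restart, reason=power
"""

# Constructed firmware inventory and a hypothetical version that carries the fix.
INVENTORY = {
    "cc-fw1": "9.2.1",
    "gen1-fw1": "9.2.1",
    "gen2-fw1": "9.2.1",
    "gen3-fw1": "9.2.1",
    "office-fw1": "9.3.0",
}
FIXED_VERSION = "9.3.0"

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
# Message fragments treated as a reboot indicator (assumed wording).
REBOOT_MARKERS = ("system restart", "cold boot", "watchdog reset")


def parse_reboots(log_text):
    """Return a sorted list of (timestamp, host) for lines that look like a reboot."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        if any(marker in m.group("msg").lower() for marker in REBOOT_MARKERS):
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group("host")))
    return sorted(events)


def site_of(host):
    """Map a host name to its site using the assumed <site>-<device> convention."""
    return host.split("-")[0]


def max_reboots_in_window(timestamps, window):
    """Largest number of events that fall inside any span of length `window`."""
    timestamps = sorted(timestamps)
    best, lo = 0, 0
    for hi, ts in enumerate(timestamps):
        while ts - timestamps[lo] > window:
            lo += 1  # slide the left edge forward until the span fits
        best = max(best, hi - lo + 1)
    return best


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def unpatched_hosts(inventory, fixed_version):
    """Hosts whose firmware is older than the version that contains the fix."""
    fixed = version_tuple(fixed_version)
    return {h for h, v in inventory.items() if version_tuple(v) < fixed}


def assess(log_text, inventory, fixed_version, window=timedelta(hours=10),
           min_reboots=3, min_sites=2):
    """Decide whether reboots look like a one-off or a sustained multi-site pattern."""
    per_site = defaultdict(list)
    for ts, host in parse_reboots(log_text):
        per_site[site_of(host)].append(ts)
    repeating = {s for s, tss in per_site.items()
                 if max_reboots_in_window(tss, window) >= min_reboots}
    unpatched = unpatched_hosts(inventory, fixed_version)
    verdict = "sustained_multi_site" if len(repeating) >= min_sites else "isolated"
    return {
        "verdict": verdict,
        "repeating_sites": repeating,
        "unpatched_hosts": unpatched,
        "repeating_and_unpatched": repeating & {site_of(h) for h in unpatched},
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_LOG, INVENTORY, FIXED_VERSION).items():
        print(f"{key}: {value}")
```

The thresholds (three reboots inside ten hours, at two or more sites) are arbitrary starting points; the point is that the same telemetry which looks like a flaky device at one site becomes a different kind of finding once it is correlated across sites and joined to patch status, which is the distinction drawn above between a random event and a repeated attack.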
However, it seems the downplaying has continued. Reid Wightman of Dragos is quoted as saying “This was probably just an automated bot that was scanning the internet for vulnerable devices, or some script kiddie.” Let’s rephrase what Reid said, to see whether this is really something that’s no big deal: “All it took to cause this event was some script kiddie. Imagine what a skilled hacker could do.”
But of course, we don’t have to imagine that. All we have to do is consider:
- DHS’ four briefings last July on Russian attacks on the US grid, mostly or all through compromising remote access systems of vendors to power organizations. These were brought to the country’s (and world’s) attention by Rebecca Smith of the Wall Street Journal a little more than a year ago.
- Rebecca’s (and Rob Barry’s) January article, based on their own research, about how the Russians are compromising power industry vendors with phishing emails, and from there reaching into utilities’ IT (and possibly OT) networks.
- At the end of that article (and also of my post linked above), there is this important paragraph: “Vikram Thakur, technical director of security response for Symantec Corp., a California-based cybersecurity firm, says his company knows firsthand that at least 60 utilities were targeted, including some outside the U.S., and about two dozen were breached. He says hackers penetrated far enough to reach the industrial-control systems at eight or more utilities.”
- At the end of January, the directors of the FBI and CIA, as well as the Director of National Intelligence, presented to Congress the ODNI’s annual Worldwide Threat Assessment. The NY Times article on this event includes this sentence: “It specifically noted the Russian planting of malware in the United States electricity grid. Russia already has the ability to bring the grid down ‘for at least a few hours,’ the assessment concluded, but is ‘mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.’”
- In May, E&E News (with the same author as the other articles above, Blake Sobczak) published an article about the former deputy director of the NSA, which includes this quote from him: “Why are the Russians, as we speak, managing 200,000 implants in U.S. critical infrastructure — malware, which has no purpose to be there for any legitimate intelligence reason? Probably as a signal to us to say: We can affect you as much as your sanctions can affect us."
Of course, you would think that, with all of these reports and especially given the repeated statements (and implications) that the Russians have planted malware in grid control networks, there might be a big investigation, right? After all, if some script kiddie attack was worth a months-long investigation – and given that the attacks in Ukraine, which were far less serious and were of course in Ukraine, not the US, were thoroughly investigated, with reports and results presented in classified and unclassified briefings within a couple of months of the attacks – you would think the above reports call for a much more thorough investigation.

You would think so, wouldn’t you?
Here’s the article:
I want to thank Blake Sobczak for sending me the text of this article, which is normally behind a paywall.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. And Tom continues to offer a free two-hour webinar on CIP-013 to your organization; the content is now substantially updated based on Tom’s nine months of experience working with NERC entities to design and begin to implement their CIP-013 programs. To discuss this, you can email me at the same address.