Last week, Kevin Perry, former Chief CIP Auditor of SPP Regional Entity, sent me the link to this article from Politico, which pointed out that Russia probably came a lot closer to directly hacking the 2016 election than most of us thought. In fact, it seems they might have directly affected the results (perhaps not the outcome itself, although there's no way to know that) in at least one locality: Durham, NC.
This is of course quite scary, since if people don't trust elections to provide accurate counts, all sorts of havoc could ensue (and that is, of course, exactly the purpose of the Russian election hacks!). However, Kevin was most interested in the fact that this successful or near-successful attack came through the supply chain, specifically a vendor in Florida, VR Systems, that provides software for local governments nationwide.
The article (and a predecessor article linked in it, which fills in details not in the main article) says that VR Systems was probably compromised through spear phishing emails, but that in itself was just half of the attack. It seems that VR was using remote access to troubleshoot software problems (including the problems that appeared in Durham a few days before the election), and it's possible that the hackers, who were already present in VR's network, used that connection to get into Durham's systems, and perhaps those of other governments as well.
Of course, having direct remote access into critical election systems is the equivalent of having direct access (i.e. not through an Intermediate System, which CIP-005 requires for all Interactive Remote Access) into an Electronic Security Perimeter. It's something that should never have been done in the first place, and VR wasn't supposed to be doing it now (although there aren't any regulations governing election system cybersecurity, of course).
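To make the Intermediate System point concrete, here is an added example (my own illustration, not code from the Politico article, VR Systems or any NERC entity) of the check a utility's SOC can run over perimeter firewall logs: flag any allowed remote-access session (SSH, RDP, VNC) into the ESP whose source is not the Intermediate System. The log format, the addresses, the ESP range and the jump-host address are all constructed for the example; a real deployment would map them to the entity's own firewall export and CIP-005 inventory.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical addressing, constructed for this example.
ESP_NET = ipaddress.ip_network("10.50.0.0/24")            # hosts inside the Electronic Security Perimeter
INTERMEDIATE_SYSTEMS = {ipaddress.ip_address("10.20.0.5")}  # the jump host(s) all Interactive Remote Access must traverse
REMOTE_ACCESS_PORTS = {22, 3389, 5900}                    # SSH, RDP, VNC

# Constructed firewall log format: "<ts> ALLOW|DENY TCP|UDP src:sport -> dst:dport"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: a legitimate jump-host session, a vendor connecting
# directly from the internet, a denied attempt, ESP-internal admin traffic, a
# corporate workstation bypassing the jump host, and a non-remote-access port.
SAMPLE_LOG = [
    "2019-05-01T10:00:01Z ALLOW TCP 10.20.0.5:51000 -> 10.50.0.10:3389",
    "2019-05-01T10:02:13Z ALLOW TCP 203.0.113.40:44021 -> 10.50.0.10:3389",
    "2019-05-01T10:03:00Z DENY TCP 198.51.100.7:40000 -> 10.50.0.11:22",
    "2019-05-01T10:05:30Z ALLOW TCP 10.50.0.12:40123 -> 10.50.0.10:22",
    "2019-05-01T10:07:45Z ALLOW TCP 10.20.0.9:40500 -> 10.50.0.11:22",
    "2019-05-01T10:08:00Z ALLOW TCP 203.0.113.40:44100 -> 10.50.0.10:443",
]


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_direct_remote_access(lines):
    """Return a Finding for every allowed TCP remote-access session into the ESP
    that did not originate from an Intermediate System."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW" or rec["proto"] != "TCP":
            continue  # denied or unparsable traffic never reached the ESP
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        dport = int(rec["dport"])
        if dst not in ESP_NET or dport not in REMOTE_ACCESS_PORTS:
            continue  # not a remote-access session into the ESP
        if src in ESP_NET:
            continue  # ESP-internal admin traffic; out of scope for this check
        if src in INTERMEDIATE_SYSTEMS:
            continue  # the path CIP-005 expects
        findings.append(Finding(
            ts=rec["ts"], src=str(src), dst=str(dst), dport=dport,
            reason="remote-access session into ESP not sourced from an Intermediate System",
        ))
    return findings


if __name__ == "__main__":
    for f in find_direct_remote_access(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

On the sample log this flags two sessions: the vendor's internet address reaching RDP on an ESP host, and a corporate workstation reaching SSH on another. The first is the VR Systems pattern; the second is the internal version of the same mistake. The check only sees what the firewall allowed, so an ESP rule set that permits these sessions at all is the underlying defect; the script is the detective control that tells you the rule set has drifted.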
However, the story here is the vector of the attack. A lot of people talk about hacks on the power grid as being direct assaults on the firewalls of major utilities. Of course, these assaults are occurring every second. But they're not getting through, and the bad guys – especially the Russians (or am I wrong? Are they now good guys and I'm the bad guy? I can never be too sure about these things…) – have figured out that they're wasting their time with any further assaults on the front gate. Instead of trying to take the castle by storm from the front, it's much better to go around to the rear in the dark of night, and break in the door that's there for the tradesmen to use.
In a conversation with me, someone recently pointed to the CRISP system (the Cybersecurity Risk Information Sharing Program, which monitors traffic at participating utilities' internet boundaries) as providing great security for utilities. It certainly provides great security against frontal assaults, just as the Maginot Line provided impenetrable security against German frontal assaults during World War II. Of course, the French had nothing protecting the border with Belgium and the Ardennes Forest, and that's how the Germans came in. In the same way, anyone who thinks CRISP is all we need to protect the North American power grid from cyber attacks will be pretty surprised when the Russians break through on the supply chain front (and it seems they already have, if the FBI, CIA and NSA are to be believed. Of course, what do they know about anything?).
And look at other Russian attacks, including:
- The NotPetya attack, the most devastating cyber attack ever, which started off as a supply chain attack on Ukrainian companies (in fact a huge percentage of them) that used a certain supplier of tax software (M.E.Doc).
- The DHS briefings in July 2018, at which Jonathan Homer said that some number (anywhere between three and two hundred, depending on who you talk to; of course, if it were just one, that alone would be huge) of US utilities had been penetrated at the control system level, and that the Russians could have caused outages if they had wanted to – and presumably they planted malware so they could come back later if they decided it was time for an outage. These attacks came completely through vendors, who had been penetrated through their (i.e. the vendors') remote access systems, as well as through phishing emails.
- The Wall Street Journal article of January 2019, describing in great detail – and naming names – how the Russians had used phishing emails to gain footholds in vendors, and thence to penetrate electric utilities. While the reporters didn't themselves cite instances of penetration of utility control networks, the article quoted Vikram Thakur of Symantec as saying at least eight utility control centers had been penetrated.
While the most recent WSJ article – by the same reporters, Rebecca Smith and Rob Barry – describes attacks that may have occurred in some cases through phishing emails sent directly to utilities, it's certain that supply chain attacks are still going on. And the new Politico article confirms that the Russians like supply chain attacks for election infrastructure as well. Why change tactics when what you're doing now is working?

So listen to your good friend Uncle Vladimir: when you really want to get the hack done and cause damage, there's no better vector than the supply chain! He's a man who should know…
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you're a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.