Learning Lessons from Ukraine – Ensuring Cybersecurity for Critical Infrastructure
Earlier this year, we interviewed Ed Cabrera, the Vice President of Cybersecurity Strategy at the global security software company Trend Micro and the former CISO of the United States Secret Service. During our discussion, Ed detailed the evolving threat landscape facing critical infrastructure organizations, and why our nation’s mass transit, utility and power companies are becoming increasingly hot targets for malicious actors.
In the lead-up to the Q&A part of Ed’s article, I referenced two separate critical infrastructure cyberattacks – one that impacted NY’s Little Dam, and one that was executed against Ukraine. Since I published that article, additional information about the Ukraine attack has been unveiled, and I’d like to take a deeper look at what occurred, how it was perpetrated, and what could have been done to better protect the people of Ukraine.
The attack against Ukraine’s power grid has been a hot topic in the cybersecurity space over the past few months. The breach was the result of a massive attack that impacted utilities and infrastructure that mostly serves civilians, contributing to power loss that could have been more than devastating to the country – it could have been deadly.
Overall, the attack impacted approximately 27 disparate substations of three different power companies – Prykarpattyaoblenergo, Chernivtsioblenergo and Kyivoblenergo. Of the three, only Prykarpattyaoblenergo experienced an outage, but similar malware and attacks were reported across all three.
Fortunately, for many of those affected – estimated at about 225,000 Ukrainians in the western part of the country – power was out for only approximately six hours. But it could have been far worse. A service disruption and blackout for that long or longer would be much more than a minor inconvenience in today’s electronic, connected world. It could be catastrophic.
So, what happened?
According to eWeek’s Robert Lemos, “The attackers used a variety of common techniques to infiltrate the energy companies’ systems, such as spearphishing, malware-laden Microsoft Office documents and a common malware program known as BlackEnergy 3.” The hackers also utilized custom malware to impact the individual substations and cause the blackout.
And this wasn’t a hastily thrown-together operation. Experts believe this was a highly organized and well-executed attack, and the malicious actors responsible took their time. According to the same eWeek article, “attackers controlled some systems within [the] power companies’ networks for more than six months.”
This attack on a nation’s critical infrastructure was more than just frightening; it was also a wake-up call. It shows that malicious actors have the skills, tools and motivation needed to deny essential services to private citizens, and every nation has to be prepared for a similar attack in the future. But that could be easier said than done.
In our discussion with Ed, he laid bare just how vulnerable the industrial control systems are within critical infrastructure organizations. According to Ed, “Critical Infrastructure and the industrial control system (ICS) networks within them have enjoyed for many years a level of security through obscurity. Historically isolated ICS networks were not supported by corporate networks. The demand for third party support, remote access and automation has converged Corporate and ICS networks like at no other time in history. This convergence has led to complexity and dependency creating technical and systemic vulnerabilities exposing ICS networks to vulnerable corporate networks and even the Internet.”
In other words, these systems are akin to native plant or animal species that had no natural predators. Then, due to contact with the outside world, they were exposed to invasive species and outside threats that they hadn’t evolved to protect themselves against. Many of these legacy systems were simply not equipped or designed to defend themselves against today’s more sophisticated malicious actors, and they’re suddenly exposed to them at a time when attacks against critical infrastructure organizations are becoming more commonplace.
That’s a scary combination, and one of the reasons why the House Transportation and Infrastructure Committee’s Subcommittee on Economic Development, Public Buildings and Emergency Management held a hearing on this subject last week. The purpose of that hearing was to discuss the federal government’s role in helping critical infrastructure organizations at the state and local level prepare for and respond to attacks that result in emergency situations.
While it’s encouraging that the House of Representatives is taking this threat seriously enough to hold a hearing on it, some of the sentiment coming out of the hearing was not as uplifting. In fact, some comments made it painfully obvious that we’re simply not ready as a nation to protect our critical infrastructure against a large-scale cyberattack.
One of the individuals who shared that sentiment was Representative Lou Barletta, a Republican from Pennsylvania, who was quoted as saying, “The federal government does not have this basic planning scenario for a cyber threat to the power system…there is a huge disparity in what different groups think is a potential scenario for which states and local governments should prepare.”
That sentiment was echoed by Marty Edwards, the Director of the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). In a quote published by Reuters’ Jim Finkle, Mr. Edwards stated, “I am very dismayed at the accessibility of some of these networks … they are just hanging right off the tubes.”
Since that quote was published in January, some steps have been taken to help critical infrastructure organizations recover from an attack – especially in the power and energy space. One of them occurred late last month when the Federal Energy Regulatory Committee (FERC) issued a positive order to Grid Assurance. This positive order effectively allows power transmission companies to purchase spare equipment from Grid Assurance should a major event – such as a cyberattack – render their very large, very expensive power equipment nonoperational.
And while this is a positive step, the move really only helps power companies recover more quickly from an attack – while their customers potentially live without power. But there are steps these companies can take to help prevent such incidents altogether – and they all involve getting stronger security in place to reduce the number and effectiveness of cyberattacks.
One of the many areas these organizations need to focus on is authentication. As Ed Cabrera stated in our previous interview, many of these ICS networks are being opened up to allow remote access, third party access and automation. When enabling remote access and third party access, it’s essential that those individuals logging in remotely have their identities confirmed and authenticated. And it can’t just be as simple as having the proper log-in credentials or passwords – too much is on the line.
This is why today’s next generation of authentication solutions is essential for these systems. These solutions utilize and analyze available data to learn more about each authentication event. They look at the location and intent of the individual logging in to determine if the person that is looking to gain access is – in fact – who they claim to be. This can help to ensure that only those that are qualified to access the network can do so.
These solutions also enable out-of-band authentication, ensuring that the authentication process is done away from any malicious actors.
This is something that could have been useful in Ukraine, where malware and spear phishing attacks were used successfully by hackers to gain illicit access to networks. In that instance, any password that was socially engineered or captured by spear phishing, keystroke logging or a man-in-the-middle attack simply wouldn’t have been enough on its own to gain access to sensitive networks.
The Ukraine cyberattacks are a wake-up call to every nation across the globe. Attacks against critical infrastructure are coming. It’s time to get prepared to stop them before they start, and before they can cause catastrophic problems to private citizens. And part of that preparation needs to be the adoption of next generation authentication.