In an unprecedented move this past week, the US CERT revealed details of Russian hacking of U.S. critical infrastructure operators, including energy, nuclear, water, aviation, and critical manufacturing facilities. What was announced and where is this heading next? Most important, how can your public- or private-sector organization respond? Let’s explore.
The level of nation-state-sponsored cyberattacks against civilian businesses crossed a dangerous new threshold this week.
In a series of briefings, press releases and well-timed reports, the United States accused Russia of cyberattacks on our power grids and other critical infrastructure facilities:
“The US government has accused Russia of remotely targeting the US power grid, as part of its newly unveiled sanctions on the country.
The Department of Homeland Security released details Thursday of what it called a multi-stage effort by Russia to target specific government entities and critical infrastructure.”
Here are a few of the other related headlines and reports from different news sources:
Why Is This an Escalation in Threats?
As reported by SC Magazine UK: “The US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) took the unusual step Thursday of issuing an alert naming the Russian government for targeting US critical infrastructure with cyber-attacks.”
While there have been numerous reports, surveys and discussions about foreign infrastructure being hacked, and quiet back-room discussions among cyberpros that these activities have been going on for a while, never before has this level of detail been revealed to the public.
I really like the interviews and analysis of the situation offered by TheCipherBrief.com. They called the Russian targeting of critical infrastructure our “Achilles Heel.”
Here are some of the noted experts and their comments:
“What I read out of the DHS note is that it’s a pretty broad effort to get into a number of critical infrastructures: energy; nuclear; commercial facilities; water; aviation; critical manufacturing — there’s almost nothing off the list. So the Russians are doing a fairly broad penetration.”
“There is no question that the Russian cyber activity as reported Thursday, but observed for years, should be interpreted both as preparation of the battlefield and as a message to the U.S. of Russia’s cyber capabilities, and possible use of kinetic cyber activity in response to a U.S. action such as, for example, a strike against Syrian leader Bashar Assad.”
“In the Cold War, Russia and the U.S. floated reconnaissance satellites over each other to identify targets for attack. This cyber reconnaissance is the same thing. It identifies targets and sends a threatening message.”
These announcements come the same week the United Kingdom (UK) expelled 23 Russian diplomats over the poisoning of an ex-spy, and U.S. officials supported the U.K. regarding this incident.
The situation is so heated that some countries are threatening a 2018 FIFA World Cup (soccer) boycott.
Meanwhile, the Washington Post reported that the U.S. is getting tougher on Russia with new sanctions. "In its toughest challenge to Russia to date, the Trump administration accused Moscow on Thursday of an elaborate plot to penetrate America’s electric grid, factories, water supply and even air travel through cyber hacking. The U.S. also hit targeted Russians with sanctions for alleged election meddling for the first time since President Donald Trump took office. …”
Finally this week, a new report coming out of Black Hat Asia revealed that 70 percent of security professionals expect a major attack to bring down critical infrastructure in their region in the next two years. You can download the full report, Cybersecurity Risk in Asia, here: blackhat.com/latestintel/03122018-cyber-risk-in-asia.html
More Background on Cyberattack Reports on Critical Infrastructure over the Past Year
Earlier this year, Inc. Magazine reported that 2018 will be a year that cyberattacks on critical infrastructure soars. “There was a stunning cyberattack on a critical Middle Eastern infrastructure site recently and it hasn't gotten the public scrutiny it deserves. Triton (a.k.a. Trisis), a new strain of malware, was discovered last month via intelligence sharing reports provided by the security vendors FireEye and Dragos. The news was the latest in a series of public disclosures about progressively more sophisticated energy plant hacks.”
Earlier this year, I posted this blog on cybersecurity for energy’s critical infrastructure which highlighted a U.S. Senate Energy and Natural Resources Committee hearing on March 1, 2018, on efforts to improve the resiliency and reliability of critical energy infrastructure.
That piece closed with these thoughts: The hearings and experts seem to think that smaller regional outages are very possible, and perhaps even probable over the next few years. Their emphasis on reliability and resiliency is constant, and they point out that weather-related electricity outages happen all the time.
However, the feeling of most of the experts seems to be that a nationwide “major grid outage” is very unlikely. They say: “Great work is ongoing. However, many of the smaller utilities have a long way to go.”
Other reports of accelerating attacks on critical infrastructure go back several years. Still, these new reports detailing Russian hacking this week point to a major acceleration beyond anything reported previously.
Three Actions for State and Local Governments
So what should state and local governments be doing now — given this new cyberthreat environment?
1) Read US CERT Alerts issued this past week — First, in Alert (TA18-074A) “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors”, the US CERT lays out the various ways that Russian “government actors” have recently targeted U.S. critical infrastructure, from U.S. government entities to key industries like “energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”
Here’s a high-level excerpt: “Since at least March 2016, Russian government cyber actors — hereafter referred to as “threat actors” — targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.
Analysis by DHS and FBI resulted in the identification of distinct indicators and behaviors related to this activity. Of note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign.
This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the “intended target.”
2) Work with owners/operators on coordinated plans — Once your organization has a good understanding of what actually happened this past week, federal agencies and state and local governments need a response plan. There are a number of excellent options from NIST, the National Association of State CIOs (NASCIO) and states like Michigan that are detailed in this article from late last year titled: How to Recover From Cyber Incidents in Government. The federal government is certainly reaching out to the affected critical infrastructure owners and operators that were hacked, so government officials need to be a part of that conversation. I recommend reaching out to law enforcement in your area to learn more.
3) Test your plans — Finally, you need to be testing your government plans with private-sector owners and operators of critical infrastructure. Using a cyber range is certainly one important piece of the cyberdefense puzzle. Several public- and private-sector organizations have been running tabletop exercises going back several years, but this is a new concept for many. Also, ensure that your communication plans regarding cyber incidents are up to date.
The events of the past week point to much more cybertrouble ahead. My personal opinion is that for the US CERT and others in government to reveal this amount of specific information, more serious attacks are likely occurring now (that they are not revealing). In other words, our vulnerable situation is actually worse than previously reported.
The trend toward critical infrastructure disruption is now clear, and nation-state actors have the ability to cause substantial harm. This cybersituation is no longer about a rogue country or some random hacktivist group. We now have examples of Russian cyberattacks against civilian critical infrastructure, and they will use this attack capability when the time is right.
We can hope for the best, but we must prepare for the worst. Cyberprotection efforts must be stepped up.
Our cybertemperature just got hotter for critical infrastructure. What are you doing to prepare?