In our first blog post on Critical Infrastructure Net (CINET) and our subsequent post on the public accessibility of industrial control systems, we outlined an attack on a water company that could have been prevented with a CINET implementation and demonstrated how specific devices are vulnerable and publicly accessible.
In this blog post we frame CINET against the backdrop of worrying new reports from March of 2018 which outline how Russian cyber actors carried out prolonged operations for over two years that “targeted government entities and multiple U.S. critical infrastructure sectors including energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors” throughout the United States. The technical details of the attacks are described in detail by the Department of Homeland Security’s (DHS) Computer Emergency Readiness Team (US-CERT) in Joint Technical Alert (TA18-074A) and also in a report by security company Symantec which refers to the Russian group as “Dragonfly”.
The attack thrived on in-depth reconnaissance and weak internal controls such as single-factor authentication for user accounts. The reconnaissance focused on compromising ‘watering holes’, third-party websites frequented by people in the targeted sector, and aggregating or stealing user information. That information was then used to craft targeted ‘spear phishing’ emails, and weak access control was leveraged to gain access to corporate networks. A troubling aspect of the compromise of corporate networks was that the attackers were able to use their foothold to specifically target human machine interfaces (HMIs) linked to actual industrial control systems (ICS) and to obtain remote access profiles and ICS configuration information. Further reporting by Symantec indicated that the attacks were carried out using open source exploits, standard system tools, minimal customization and no ‘zero days’, making the attackers very hard to trace.
The breadth and scope of the Russian activity led Joel Brenner, a former NSA inspector general and counterintelligence head at the Office of the Director of National Intelligence, to liken the attacks in a March radio interview to a “preparation of the battle space” by Russia for potentially more advanced cyber action against critical infrastructure, including “turning the lights off”.
When this prolonged and advanced intelligence and reconnaissance campaign is put into context with CINET, the need for swift action is startlingly apparent. Industrial controls, and access to them, must be moved off the public internet and de-associated as much as possible from corporate and third-party networks that remain vulnerable. Brenner backed this in his interview, saying “isolating [critical controls] from the public internet is absolutely essential”. CINET would lay the physical backbone for this isolation. The information sharing component of CINET would also greatly assist in preventing attacks like this, as CINET would already be hardened against open source exploits and would promote sharing of custom and advanced indicators of compromise.
The ultimate resilience of critical infrastructure systems cannot be limited to technical tools alone, though. Even with a CINET implementation effectively creating an ‘air gap’ between corporate networks and ICS controls, human interaction with both the public and the separated systems would still occur and would still present a weakness. Every user must therefore understand the role that their participation in forums, professional communities and email interaction, as well as their general online footprint, plays in a potential attacker gaining access to their corporate account and network.
Along with awareness among employees and corporate users, the public must be educated about the serious implications of foreign power cyber operations and must demand that controls like CINET be implemented. In today’s ever-turning news cycle, the aforementioned Russian actions were covered for barely more than a few days before being lost in the noise to a casual viewer, which makes that education a challenge.
The government is attempting to address issues in the critical infrastructure sector through policy with Executive Order 13800, which looks to “promote innovation, build coalitions and increase awareness as well as identify a clear pathway forward” for critical infrastructure cyber security. The order, released in May of 2017 before the Russian intrusions became public knowledge, is too broadly focused on distributed and automated attacks. Those do pose a threat, but not nearly of the magnitude of nation-state-sponsored targeted reconnaissance and compromise aimed at controlling the systems that underpin our daily lives.
Learn more about CINET: globalresilience.northeastern.edu/research/cinet/