A year ago, we pondered our incredible lack of visibility into the attack horizon and the fact that we can’t predict future attacks … or even tomorrow’s new malware strain.
A leading global provider of advanced threat solutions announced an update to a study conducted on the cybersecurity challenges faced by organizations just in the energy sector alone. The updated study included over 500 IT professionals in the energy, utilities, and oil and gas industries.
Just as in last year’s study, this update found that 100% of the respondents said a cyber-attack on the operational technology (OT) in their organization would cause difficult-to-repair physical damage, yet this time more than 8 in 10 said they lacked any ability to track cyberthreats targeting their OT networks. OT refers to the hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. So, like a manufacturing production line or a power grid or a nuclear plant or a pacemaker … for instance.
Think about that. 100% said they would get hit and 80% said they were helpless to prevent it.
To make matters worse, more than 75% believe their organizations are targets for cyber-attacks and almost 90% said they are probable targets for nation-state cyber-attacks. This is the energy sector, remember, so it isn’t really all that critical. Just oil, gas, electricity, water, wind, nuclear... you know, just stuff like that.
And what are they doing about it?
According to the Department of Homeland Security, the energy sector faces more cyber-attacks than any other industry, and attacks on industrial control system networks continue to increase. If successful, these energy sector cyber-attacks could have a dramatic physical impact, like the simple example we saw in December 2016 when the BlackEnergy malware was used in an attack against a power plant in Ukraine and left over 700,000 customers without electricity for weeks.
So, it appears that this class of threat is a widely-accepted fact. We know that our own power grid is ripe for a cyber-attack and we also agree that we are grossly unprepared.
In August of 2015, a discussion panel of “distinguished” cyber security and electrical industry stakeholders examined what could be done to protect all U.S. public utilities from cyber-attacks, and chatted about the steps that might be taken during a high-risk event to mitigate the effects on the grid. And did … nothing.
This sounded a lot to me like the ads for LifeLock where the “security monitor” tells the bank manager, “Yep, it looks like a robbery.” Except, those are supposed to be funny. This is not.
Fast forward one year later and … still, nothing.
It turns out that we continue to rely on our DoE regional coordinators in each of the 10 Federal Emergency Management Agency (FEMA) regions to work with first responders in the event of a natural disaster or a terrorist attack (which may be the same thing).
The panel cited an agreement signed by the Secretary of Energy in February 2016 that identified these individuals as points of contact to share information with the DoE and states in the event of an energy supply disruption, as “an important step toward cyber-security preparedness.”
This would supposedly serve to improve information sharing and communication during critical response activities.
But it gets much worse. They went on to applaud the fact that they are working on preparedness exercises that will be conducted by federal agencies and the private sector that would include annual studies on the risks and hazards that might affect the energy sector.
I have been on the front lines of the Cybersecurity battlefield for a long time and this sort of response freaks me out.
Someone should point out to this group that despite their heroic preparedness efforts, U.S. cyber security is not prepared at all; based on the survey data we have seen, we are in fact woefully under-prepared.
The ocean is made of pink lemonade. No, it’s not.
As Arthur House, commissioner for the state of Connecticut Public Utilities Regulatory Authority, warned one year ago, “The thing to remember about cyber security is that we are far better prepared on paper to take care of things than we are operationally. It’s not as if the president could turn to the secretary of energy in the event of a grid cyber-attack and say ‘turn it back on.’” It remains true today. But the threats are more active and substantially more sophisticated.
As we should have learned from the Ukraine power grid attack, the real problem faced by the Ukrainian security engineers was not just the initial strike on the grid but the varied attack vectors that disrupted restoration attempts immediately afterward.
We are not even close to addressing let alone planning for a similar recovery disruption here.
It doesn’t take much imagination to conjure a scenario where an attack on the electric grid would be accompanied by an attack on our financial sector or another attack on our water supply at the same time.
Or, simply an attack on our recovery efforts through brute force against all of our FEMA sites and disruption of our communication protocols. This is not rocket science, nor does it require some tricky future technology. This is easily doable today. By a guy in his room with a $35 exploit kit and a high speed Internet connection. The economics are on his side; in fact he may just use a service instead. He knows where all the sites are, but we don’t know where he is, so the information dynamic tilts to his side. His technology is better than ours, so that advantage goes to the guy in his room as well.
Essentially, an asymmetrical wet-dream. For that guy. Not for us.
As confirmed by Jeh Johnson, our former Secretary of Homeland Security, we have no backup versions of large power transformers (LPTs) which are essential to the functioning of the grid.
Because they are very expensive, only the largest and most profitable power companies can afford to keep them on hand, and because the transformers are custom-made, they are not easily interchangeable. Because the equipment is huge, they are not easily transported.
Because the current transformers are, on average, thirty-eight to forty years old, some of them were originally delivered by rail systems that no longer exist. Because the vast majority of LPTs are built overseas, it takes a very long time to replace them; like a year or more.
The federal response to Hurricane Sandy is an interesting case in point. In addition to hitting major sections of New Jersey and Long Island, Sandy flooded New York City streets, tunnels, and subways, effectively cutting off all electric power to Lower Manhattan.
Power trucks were flown in from places as far away as California on Department of Defense planes to begin replacing the poles and the lines. At one point FEMA had about eighteen thousand people working in that area going door-to-door, bringing people food and removing them from unsafe buildings until they could get the power back on.
That was just lower Manhattan.
It took more than thirteen days before power was restored to 95% of New York’s customers. Even with a relatively small emergency caused by a hurricane, thousands of homes were lost throughout the region and tens of thousands were rendered homeless. Imagine a cyber-induced power outage in an entire region for an extended period.
Where then, might you and I find advice on how to cope with the aftermath of such an attack?
Howard A. Schmidt, the former cybersecurity coordinator for the Obama administration and, before passing away in March of this year, a principal in Ridge-Schmidt Cyber LLC, a Washington consultancy in the field of cybersecurity, said, “There is no answer.”
No government agency has guidelines for private citizens because, according to Schmidt, there’s nothing any individual can do to prepare.
“We’re so interconnected,” he said, that in terms of disaster preparation “it’s not just me anymore: it’s me and my neighbors and where I get my electricity from. There’s nothing I can do that can protect me if the rest of the system falters.”
The electrical industry discussion panelists agreed that best practices for cyber security protection include layered defenses, regulatory oversight, external third party assessments and internal governance.
That may arguably be a good start, but it is a long way away from what is necessary.
A whole lot of companies have been started in the last 12 months that offer some form of “threat intelligence” product, all of which claim to use deep machine learning, predictive analytics and actionable threat intelligence.
A sudden market leader offers aggregated feeds (third-party, ISAC, open source, etc.), normalized threat feed data, IOCs integrated with SIEMs, firewalls and endpoints, and two-way sharing and trusted circles for vetted collaboration. Another offers advanced threat hunting and forensic search that can identify threats in your network, search IOCs against 365 days’ worth of historical data and find associated indicators, actors, TTPs, blah, blah, blah.
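To make concrete what the “search IOCs against historical data and find associated indicators” capability above actually amounts to, here is an added example (not code from the original post, nor from any of the vendors it describes): a normalized IOC feed is indexed, each historical syslog-style event is broken into key=value fields, every field value is checked against the feed (exact match for domains and hashes, CIDR containment for network ranges), and the hits are then pivoted by the internal asset that touched them. The feed entries, log lines, hostnames and the function names `match_iocs` and `related_indicators` are all constructed for this illustration.

```python
"""Retrospective IOC search over historical log lines (added example).

All feed entries, log lines and hostnames below are constructed for
illustration; they are not indicators from any real feed or incident.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed, already-normalized IOC feed: what a SIEM integration would
# receive after an aggregator has merged several upstream sources.
IOC_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "source": "constructed-feed-A"},
    {"type": "domain", "value": "update-check.example.net", "source": "constructed-feed-B"},
    {"type": "sha256", "value": "a" * 64, "source": "constructed-feed-A"},
    {"type": "ipv4-net", "value": "198.51.100.0/24", "source": "constructed-feed-C"},
]

# Constructed historical events: "<timestamp> <sensor> <key=value ...>".
SAMPLE_LOGS = [
    "2017-07-01T03:14:07Z fw01 conn src=10.0.5.12 dst=203.0.113.45 dport=443 action=allow",
    "2017-07-01T03:14:09Z dns01 query client=10.0.5.12 name=update-check.example.net type=A",
    "2017-07-01T03:15:30Z edr hash=" + "a" * 64 + " host=eng-ws-07 proc=svchost.exe",
    "2017-07-02T11:02:11Z fw01 conn src=10.0.7.3 dst=198.51.100.77 dport=22 action=deny",
    "2017-07-02T12:00:00Z fw01 conn src=10.0.7.3 dst=192.0.2.10 dport=80 action=allow",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def build_index(feed):
    """Exact-match IOCs go in a dict; CIDR IOCs in a list for containment checks."""
    exact, nets = {}, []
    for entry in feed:
        if entry["type"] == "ipv4-net":
            nets.append((ipaddress.ip_network(entry["value"]), entry))
        else:
            exact[entry["value"].lower()] = entry
    return exact, nets


def parse_line(line):
    """Split a syslog-style line into timestamp, sensor name and key=value fields."""
    parts = line.split(" ", 2)
    fields = dict(FIELD_RE.findall(parts[2])) if len(parts) > 2 else {}
    return {"ts": parts[0], "sensor": parts[1], "fields": fields}


def subject_of(event):
    """The internal asset an event is about: its client/source host, else the sensor."""
    f = event["fields"]
    return f.get("src") or f.get("client") or f.get("host") or event["sensor"]


def lookup(value, exact, nets):
    """Return the feed entry matching one field value, or None."""
    entry = exact.get(value)
    if entry is not None:
        return entry
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None  # not an IP literal, so no CIDR check applies
    for net, net_entry in nets:
        if ip in net:
            return net_entry
    return None


def match_iocs(lines, feed):
    """Scan historical lines and return one hit record per matched field."""
    exact, nets = build_index(feed)
    hits = []
    for n, line in enumerate(lines, 1):
        event = parse_line(line)
        for key, value in event["fields"].items():
            entry = lookup(value.lower(), exact, nets)
            if entry is not None:
                hits.append({
                    "line": n, "ts": event["ts"], "field": key,
                    "ioc": entry["value"], "type": entry["type"],
                    "source": entry["source"], "subject": subject_of(event),
                })
    return hits


def related_indicators(hits):
    """Pivot: for each internal asset, the sorted set of IOCs it touched."""
    by_subject = defaultdict(set)
    for h in hits:
        by_subject[h["subject"]].add(h["ioc"])
    return {s: sorted(v) for s, v in by_subject.items()}


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOGS, IOC_FEED)
    for h in found:
        print(f"line {h['line']} {h['ts']} {h['field']}={h['ioc']} ({h['type']}, {h['source']})")
    for asset, iocs in related_indicators(found).items():
        print(f"{asset}: {', '.join(iocs)}")
```

Note what this does and does not give a defender: it confirms, after the fact, that host 10.0.5.12 touched two indicators from two different feeds within seconds, which is useful scoping information for an incident. It says nothing about an indicator that is not yet in any feed, which is the gap the next paragraph is about.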
This stuff is fundamentally great, but all of the STIX/TAXII feeds in the world are not going to stop the next cyber-attack on our energy infrastructure. None of these companies actually use predictive analytics, adaptive machine learning, NLP, IA or AI technologies to even try to forecast attacks in advance, and that is what is sorely needed. Instead, it appears as though the model has been reduced to slapping a few technologies together under the banner of threat intelligence, AI and machine learning and then advancing on Sand Hill Road with the singular objective of getting wealthy. This is fine and wonderfully capitalistic, but it won’t solve the problem.
More than $112 billion was invested in the Cybersecurity space in the past few years and what we have to show for it is over 400 software technology companies exhibiting at RSA and more than 2,200 successful breaches through July with over 6 billion records exposed, an increase of 1,000% over the prior year.
One more time: An INCREASE of 1,000% over the prior year.
Our ability to predict even some of the activity that leads up to an attack is impeded by our lack of demonstrated concern about the severity of the threat. We in the cybersecurity industry seem to be far more focused on immediate gratification through M&A of marginally effective products rattling around in the cyber-defense space than we are on an effort to go beyond the “box” and create truly breakthrough technology that could tip the scale back toward a more balanced attacker-defender dynamic.
Until we do, we will be facing rapidly increasing threats against far more serious targets in airport or seaport transportation communications, water supplies, computing infrastructure or waste management, and we will have seen it coming and done nothing to stop it.
This is a Security Bloggers Network syndicated blog post authored by Steve King. Read the original post at: News and Views – Netswitch Technology Management