The U.S. Cyber Emergency Response Team (US-CERT) issued an alert March 15, “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors” – Alert TA18-074A. It wasn’t necessarily an ah-ha moment for those in the information security profession, but the level of detail provided within the alert served to goose Main Street USA and garnered their seemingly undivided attention (even if only for one 24-hour news cycle). The Russians have been busy in the realm of espionage.
The US-CERT’s alert detailed how, over the past two years, the Russians have been systematically coming at the U.S. energy sector, both providers and suppliers. Their efforts, according to the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), were focused on establishing a beachhead with trusted third-party suppliers with “less secure networks” and then pivoting to exploit the trusted access between the trusted supplier and the intended target—in this case, energy suppliers.
In a nutshell, the US-CERT points to three areas of primary concern:
- Domain Controllers
- File Servers
- Email Servers
“After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS),” according to the alert.
Security company CrowdStrike, in its “2018 Global Threat Report” (page 16), details how Russia uses surrogates (and pseudo-surrogates) to launch cyberespionage attacks against the United States on a regular basis.
As noted, media has picked up on the US-CERT advisory and the many specific steps an infrastructure services provider should be taking to secure its own data and service networks.
The global director for industrial control systems, Christopher Blask, and the senior program manager for critical infrastructure, Stuart Phillips, of Unisys noted that it has been just 10 years since the ICS-CERT was stood up at the Idaho National Labs. “ISAC/ISAO information-sharing within the industry is both robust and constant. The voluntary standards with which the energy sector is operating are comprehensive, and maturing,” Blask said, specifically calling out the North American Electric Reliability Corporation (NERC) and the Department of Energy’s “Electricity Subsector Cybersecurity Capability Maturity Model” (ES-C2M2) as two such standards/models.
In discussing how the internet of things (IoT) is providing a cost savings to industries, Phillips said: “Customers [providers] want this interconnectivity, as it saves time and expenses.” Having remote reset and diagnostics and not having to dispatch a lineman to climb a pole in the midst of a storm are attractive, he said. Where attention is needed, he added, is the security and privacy of these devices.
“Cybersecurity systems continue to mature, and the mating of cybersecurity with national infrastructure” is ongoing and is part of the long-term road maps within industry, Blask said.
Déjà Vu All Over Again: Dusting Off the Espionage Playbook
Is this the first time Russia has been fingered getting into the U.S. infrastructure and technologies? Not in the least. It appears they’ve dusted off their Cold War espionage playbook.
In the early 1980s, the approximately 200 KGB Directorate T, Line X officers abroad were eating the West’s lunch with respect to harvesting intellectual property and technological devices/know-how.
The breadth of the Russians’ success in the 1980s was not known until documentation came from Colonel Vladimir Vetrov, a senior KGB operations officer within Directorate T. Vetrov provided information to the French DST, which shared it with other nations, including the United States. When the United States was made aware of the depth of the Russian success, the reaction was, in a word, sobering.
History Shows, Turnabout is Fair Play, or, The Best Defense is a Good Offense
While we don’t know how the United States may be engaged in leveling the playing field today, we do know that they may be somewhat hamstrung, given the theft of the NSA cyber toolkit by Shadow Brokers. We also know that success has not been fleeting for U.S. intelligence with respect to targeting Russian communications and energy infrastructure.
These include a gutsy CIA intelligence operation that took place beneath the streets of Moscow in the 1980s and compromised the USSR’s (Russia’s) nuclear research secrets between the Krasnaya Pakhra Nuclear Research Institute and the Ministry of Defense. The multiyear operation was compromised separately by two CIA officers: Aldrich Ames, who shared general information about the operation, and Edward Lee Howard, who upon his defection shared more specific information, allowing the then-KGB counterintelligence department to locate the device tapping the defense communications link.
Then there was the instance in which a judo-like move was used by allied intelligence to compromise the Soviet Union’s industrial and energy infrastructure. The information was garnered from the Russian intelligence officer by the French.
The White House policy advisor on technology, Gus Weiss, was made privy and contacted CIA Director William Casey. They then cooked up a plan to seed software and hardware into the Line X collection process.
As detailed in the article “The Farewell Dossier, Duping the Soviets,” the effort caused infrastructure to fail, turbines in gas pipelines to fail, chemical plants to stop producing and the Soviet Space Shuttle plans to be scrapped. Some attribute the summer of 1982’s massive Siberian pipeline failure/explosion to this effort.
As Blask and Phillips noted, those who are energy providers and suppliers are taking the threat described in the US-CERT advisory very seriously. And as maturity models advance within industry, the U.S. infrastructure will become less vulnerable and present a much more difficult target to the remote attack vector, be it Russia, China, Iraq, North Korea or any other adversary or potential adversary to the United States. While the seas are changing, answers exist to secure the nation’s infrastructure.