The subject of Industrial Control Systems (ICS) came up frequently at Black Hat 2018. The threats are very real, with serious potential consequences in the event of a successful attack. Talking to various experts at the conference, the state of industrial cyber security seems to be on a trajectory of improvement, but with much work to be done in many “spheres of activity.”
The Importance of Industrial Safety Knowledge in OT Security
One of the first things that struck me was how firms with backgrounds in industrial operations and safety are now parlaying their expertise into successful cyber security businesses in the Operational Technology (OT) space. PAS Global, for example, which cut its teeth in industrial safety in the oil and gas industry over two decades, is now offering products and services for OT cyber security.
It’s a natural evolution for PAS. Indeed, CEO Eddie Habibi remarked that it would be quite difficult for a traditional IT-centric security firm to get a good grip on how the OT world functions. “It’s just a totally different environment,” Habibi said. “For example, in OT, one of the biggest questions in security revolves around how long it will take, and how safe it will be, to turn a system back on after an incident. In IT, you flip a switch. In OT, people’s lives might be in danger if you do it wrong.”
Industrial safety practices and ICS cyber security practices are deeply linked. One issue in OT, per Habibi, is the age of the equipment. “You might have an electronic control device installed in 1980 and forgotten about, honestly,” he said. “But then, it becomes connected to an Internet-connected set of devices and all of a sudden, you have a black box, essentially, affecting your security. And again, it’s not just about hacking. It’s about safety. Your unknown, Reagan-era hardware might control valves and pipes that could explode if they get overloaded by an attack.”
PAS works with industrial companies to understand their ICS cyber risk exposure, starting with a discovery process for devices that affect security. It can be an eye-opening experience. “In one case, a client told us at the start that his oil refinery had 500 endpoints to protect. The actual number was closer to 30,000 once we were done. They had a lot of work to do there.”
Studying an ICS Hack in Real Time
Cybereason, which made news at RSA with its financial institution honeypot project, was back at it at Black Hat 2018. This time, they set up a fake electrical power station to see what kind of malicious mischief they could attract. It was an elaborate process, according to Israel Barak, Cybereason’s CISO.
They built a network that closely resembled that of an electric utility, with IT and OT components. They then gave various elements in their “power station” architecture IP addresses that are commonly used in such operations. To a hacker, it looked legit.
After opening up their honeypot to the Internet, they watched for two days as seemingly random “noise” and a huge number of automated probes hit the site. Then, as they expected, they were compromised by an automated tool, most likely one used to discover systems whose stolen access could later be sold on the dark web.
Five days later, actual attackers showed up. Their approach was to start at the IT level, taking over IP-enabled devices, but then quickly moving into the OT segment of the “power station.” This is where things got interesting, from Barak’s perspective. “They absolutely pounded on controls until they broke through to what they wanted,” he said. “We were not expecting this. We assumed the attackers would be highly sophisticated and set about getting OT access through quiet, stealth means. They were setting off all sorts of alarms.”
What did this mean? Barak’s interpretation was that it was a criminal attack, not the kind of nation-state security agency operation that has gotten so much attention in recent news stories. “This was not an APT,” he concluded. Is this good news? It’s hard to say.
The apparent lack of sophistication in ICS attacks also drew the attention of Duncan Greatwood, CEO of Xage Security and Sergio Caltagirone, Director of Threat Intelligence at Dragos. Both men have observed a wide range of attack techniques, some of them quite crude. Greatwood, for example, is seeing a rise in OT ransomware schemes, where attackers try to lock up industrial systems until they can be paid off in Bitcoins.
Caltagirone, who has studied numerous attacks in the electrical sector, felt that the majority of attackers are relatively low-level in terms of skills, with only about a quarter of attacks actually resulting in ICS disruption. “It’s early, though,” he said. “Give them time and things may get a lot worse.”
Just How Bad Could It Get?
I posed the same question to several experts: Could attackers take down entire sections of the United States’ power supply? Could they, as Ted Koppel warned in his bestselling book “Lights Out,” shut off the electricity in the US for years—by triggering an explosive overload of the grid while simultaneously masking the monitoring tools a la Stuxnet? Opinions were mixed on this question.
Xage’s Greatwood, while dismissing the potential of the kind of total attack Koppel fears, is concerned about how easily attackers can penetrate the IP-connected edge of electrical networks. He felt that malware could spread far faster and further than many people assume. Power outages could be widespread with a successful, sophisticated attack.
For Dragos’ Caltagirone, the Koppel-level scenario seemed far-fetched. “There is no grid,” he said. “That’s the first fallacy. There are over 3,000 separate entities in the American power supply system, an agglomeration of generation stations, transmission line operations and so forth. No group in the world has enough manpower to disrupt such a big thing.” That said, he is still worried about localized damage, which could be quite destructive and disruptive. Caltagirone’s point resonates with a recent Axios article called “There Is No Grid to Crash.”
Ryan Brichant, VP/CTO – Global Critical Infrastructure Cyber Security at ForeScout, offered a comparable take. “This would be very difficult for any adversary to do today, and I don’t believe it is possible,” he noted. He then added, “Although power transmission is interconnected, the individual IT networks of power companies are not, and thus would prevent overloading all of the lines at once or an ‘infection’ (i.e. malware) cannot spread like ‘wildfire.’” This opinion puts him at odds with Greatwood. We’ll have to set up an arm-wrestling match to resolve the matter at next year’s Black Hat. Stay tuned.
Brichant also felt that the considerable amount of diversity among power generation systems offered another layer of protection. “These were developed over a century in locations all over the country before they were interconnected,” he said. “An adversary would have to coordinate several tailored attacks, which ups the level of difficulty significantly.”
However, Brichant is not worry-free. He explained, “The key thing to focus on is that our adversaries appear to be persistently targeting control systems. So, whereas it is not possible today for them to create an attack that would infect wide swaths of our power infrastructure in one fell swoop, they may be intent on penetrating them methodically over time. We need to be concerned that our adversaries seek not just the ability to interrupt power, but the ability to destroy infrastructure with the (presumed) intent of being able to disrupt parts or all of American society.”
He elaborated by commenting, “Right now, the physical systems that comprise our power grid do not have the redundancy to withstand destructive attacks (localized or widespread) and this is one reason why DHS has announced a greater focus on identifying and managing risk to the critical sectors.” Brichant concluded by sharing, “What the power industry does have – worth noting – is a strong culture of mutual assistance. Much as we have seen with recent major storms, the entire industry responds to incidents.” He does agree with Koppel’s other premise, though, which is that the United States needs to be better prepared for possible attacks on the electrical system.