News & Comment: Russian hackers penetrated networks of U.S. electric utilities

COMMENTS:

Sean Newman, Director Product Management, Corero Network Security:

“As the old adage goes, you’re only as strong as your weakest link.  And, reports from the US Dept of Homeland Security now suggest this is exactly the situation US utility companies are facing, with respect to alleged nation-state infiltration.  In fact, any organisation which relies on contractors, for specific services they cannot deliver internally, can find themselves in a similarly compromised situation, however strong their own security practices are.  Unfortunately, this is not the preserve of organisations delivering critical national infrastructure, as those at US retailer Target can testify, after their massive data breach, back in 2013, which resulted from the attackers compromising their systems via their HVAC contractor.

“This is a stark reminder that organisations of all types and sizes should assess all aspects of their IT security, including those of their contractors and supply chain, and this doesn’t just pertain to hacking attempts but, also includes their resilience to DDoS attacks, which could impact the ability to provide their regular services, and the knock-on impact that creates.

“As more ICS  infrastructures, such as those used by utility companies, are connected to their broader networking infrastructure, then the risk will continue to grow.”

Ray DeMeo, Co-Founder and COO, Virsec:

“The threat of disruption to our critical infrastructure is very real, as recent attacks in the Middle East and Ukraine have shown. The outcomes may depend on the motivations of the hackers, but recent attacks have included ransoming critical data, service disruptions, or serious damage to control systems and physical equipment.

“The government is raising awareness, but responses need to be more aggressive and coordinated. The needs to shift from chasing endless elusive external threats, to directly protecting systems from attack in real-time.”

“Defense strategies need to pivot away from sole focus on conventional perimeter defenses – the latest attacks have easily bypassed the perimeter. It’s crucial to detect and stop attacks in progress.  Vendors need to do more to bridge a wide gap in technology and understanding between IT and OT (operational technology). We are far too dependent on air-gapping as our primary defense, despite the fact that systems are increasingly connected.” 

Tim Erlin, VP of product management and strategy at Tripwire:

“There’s no requirement that attackers have a single end game in mind. The reality and ability to effectively compromise utility control systems could be valuable for terrorism, for ransom, or as an educational exercise for future operations.

“There have been warning signs that state-sponsored attacks on utilities were increasing. Some of these warnings were very public, like the Ukraine attack, and others were well-known inside the industry itself. The US electric grid isn’t one system with a consistent risk profile. It’s distributed across thousands of entities, operating independently. Distribution and independence means a variety of systems, risks and defences. A widespread national outage is unlikely in such a system, but significant regional disruptions are certainly possible. It can be difficult to walk the line between hyperbole and appropriate concern.

“It’s not really possible to define the potential damage because it’s a question of unknown unknowns. Governments and industry researchers gather as much data as they can, but successful attacks are those that go undetected. Triggering a disruption discloses the level of access that attacker had. It’s clear, however, that there’s more to be done defensively. Cybersecurity isn’t a one-time event. Cybersecurity requires consistent work, diligence and continuous improvement.

Pravin Kothari, CEO of CipherCloud:

“The cyberattackers were very successful in their efforts and penetrated completely through to the utility control rooms where they had the ability to disrupt power flows.

The big questions remain open. We still don’t know how many of these utilities, if any, were nuclear powered but the implications obvious. If they had the ability to “throw switches” per an official at DHS, exactly how could they disrupt the operation of nuclear power plants and what risks did this present? How long were they inside the networks of any nuclear-powered plants?

Most utility plants and certainly nuclear-powered utilities are protected by “air gaps.” This implies that there is no network connectivity allowed to the “air-gapped” network. Of course, persistent state-sponsored attackers had the resources to carefully research and identify the key vendors that had trusted relationships with the targeted utilities. These key vendors likely had special network connections into the supposedly “air-gapped” networks. Once identified, the cyberattackers could target and compromise them directly, apparently yielding access to the utility infrastructure.”