Critical Infrastructure Is Cyberterrorism’s Next Likely Target
DHS teams of cyber experts provide prevention and remediation efforts.
The next big cyber attack likely will strike critical infrastructure assets in the United States, which could bring the world’s remaining superpower to its knees, according to cybersecurity experts. This would constitute a crippling assault against national assets such as power facilities, transportation networks, nuclear plants or the drinking water supply, these experts warn.
While attackers’ modus operandi of using emails to gain entry into a network might be old school, the sophistication and meticulous focus on selected targets have become ominously modern. “In general, when you look at what the adversary is doing and how they’re approaching their methodology in a breach, they’re very focused in their efforts. They will try to find ways into critical infrastructure,” says Frank Mong, vice president and general manager of Solutions, Enterprise Security Products for Hewlett-Packard Company. “However, the playbook that they use and the framework that they use is very common. An approach that an adversary would take to break into Sony Pictures, for example, is the same approach they would try with a utility [company]. The most common tool they will use is email. They will use email first, find the system administrator and try to spear phish that guy or try to get some access through that person’s credentials.”
System administrators and others with privileged access are the weakness attackers exploit most readily once they are inside a network. Attackers have stepped up their cyber attacks on critical infrastructure and already have targeted power facilities, traffic systems, water treatment plants and factories. The softer targets of infrastructure and businesses often are earmarked first and “present a significant vulnerability to our nation,” offers Gen. Martin E. Dempsey, USA, chairman of the Joint Chiefs of Staff. “We have authorities and capabilities that allow us to do a pretty good job of defending ourselves,” Gen. Dempsey says of military cyberdefense. “But the vulnerability of the rest of [the United States] is a vulnerability of ours, and that’s what we have to reconcile.”
Within the Department of Homeland Security (DHS), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) operates cybersecurity centers in Virginia and Idaho that focus on control system security as a component of the National Cybersecurity and Communications Integration Center (NCCIC). ICS-CERT “works to reduce risks within and across all critical infrastructure sectors by forming a partnership with law enforcement agencies and the intelligence community and coordinating efforts among federal, state, local and tribal governments and control system owners, operators and vendors,” says Marty Edwards, its director. “Additionally, ICS-CERT collaborates with international and private-sector computer emergency response teams to share control systems-related security incidents and mitigation measures.” Analysts provide round-the-clock cyber situational awareness and incident response, often conducting on-site visits, when requested, to determine how a company was breached.
“One of the things I think ICS-CERT has done is try to organize together intelligence around malware that’s relevant” for all entities within the critical infrastructure community, Mong says. “They have a distinct purpose. Their goal is to at least be an early warning to the industry about problems that could have a broad implication if they are not addressed quickly. The question becomes how well are they making their voice heard to the relevant folks. I think their content is actually meaningful.”
The lack of information sharing has hamstrung progress and continues to present a key challenge for the DHS across the board, not just amid the critical infrastructure community, offers Rob Roy, federal chief technology officer with HP Enterprise Security Products. “The concept of threat sharing among government agencies and between the public and private sector is lacking. It’s a huge challenge there. In the private sector, there are the fears that releasing certain pieces of information to the government or to somebody within their own industry could provide information for potential lawsuits,” Roy says. “The concept of liability is very real. Lawyers within organizations are going to be very protective.”
President Barack Obama recently opened a door with proposed legislation that would include language for increased information sharing between government and industry. “No foreign nation, no hacker should be able to shut down our networks, steal our trade secrets or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyberthreats, just as we have done to combat terrorism,” the president said during his State of the Union address in January.
In October, the DHS issued an alert that a variant of the BlackEnergy malware had been used to compromise industrial control systems in critical infrastructure. “ICS-CERT has identified a sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments using a variant of the BlackEnergy malware,” reads a portion of the alert. “Analysis indicates that this campaign has been ongoing since at least 2011. Multiple companies working with ICS-CERT have identified the malware on Internet-connected human-machine interfaces (HMIs).” HMIs are the operator consoles used to monitor and control a physical process; connecting one directly to the Internet exposes that control to anyone who can reach it.
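The alert singles out Internet-connected HMIs as the hosts on which the malware was found. The following is an added example, not part of the article or of the ICS-CERT alert, of a triage check an asset owner could run against an inventory to find HMIs reachable from the Internet, either directly on a public address or through a firewall port-forward. The inventory records, their field names (`host`, `role`, `ip`, `listening`, `nat_forwarded_from`) and the remote-access port list are constructed assumptions for the example.

```python
"""Added example (not from the article or the ICS-CERT alert): flag HMI hosts in an
asset inventory that are reachable from the Internet, the exposure the BlackEnergy
alert singles out. Inventory records and field names are constructed assumptions."""
import ipaddress
from typing import Optional

# Address ranges that are not reachable from the Internet (RFC 1918, loopback,
# link-local). Anything else is treated as routable, a simplification that lets the
# constructed documentation-range addresses below count as public.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Services that give a remote attacker an interactive session on an HMI: SSH,
# telnet, web consoles, RDP, VNC. Assumed list; extend it for your own site.
REMOTE_ACCESS_PORTS = {22, 23, 80, 443, 3389, 5800, 5900}

# Constructed inventory of control-system hosts (documentation IP ranges).
INVENTORY = [
    {"host": "hmi-substation-01", "role": "HMI", "ip": "203.0.113.17",
     "listening": [80, 443, 3389]},
    {"host": "hmi-plant-floor", "role": "HMI", "ip": "10.20.5.12",
     "listening": [80, 5900]},
    {"host": "hmi-pump-station", "role": "HMI", "ip": "10.20.7.3",
     "listening": [80], "nat_forwarded_from": "198.51.100.9"},
    {"host": "plc-boiler-2", "role": "PLC", "ip": "10.20.5.40",
     "listening": [502]},
    {"host": "historian", "role": "HISTORIAN", "ip": "192.0.2.44",
     "listening": [1433]},
]


def is_routable(ip: str) -> bool:
    """True unless the address falls in one of the NON_ROUTABLE ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def exposure_reason(asset: dict) -> Optional[str]:
    """Why the asset is reachable from the Internet, or None if it is not:
    either its own address is routable or a firewall forwards a public
    address to it."""
    if is_routable(asset["ip"]):
        return "public address " + asset["ip"]
    forwarded = asset.get("nat_forwarded_from")
    if forwarded and is_routable(forwarded):
        return "port-forwarded from " + forwarded
    return None


def internet_exposed_hmis(inventory):
    """(host, detail) for every HMI that is Internet-reachable on a remote-access
    service. Other roles are skipped here; they warrant their own review."""
    findings = []
    for asset in inventory:
        if asset["role"] != "HMI":
            continue
        reason = exposure_reason(asset)
        if reason is None:
            continue
        open_ports = sorted(REMOTE_ACCESS_PORTS & set(asset["listening"]))
        if open_ports:
            findings.append((asset["host"], f"{reason}, listening on {open_ports}"))
    return findings


if __name__ == "__main__":
    for host, detail in internet_exposed_hmis(INVENTORY):
        print(f"EXPOSED HMI {host}: {detail}")
```

On the constructed inventory the check reports two HMIs: the substation console on a public address with a web console and RDP open, and the pump-station console that sits on a private address but is reachable through a port-forward. The private-address floor HMI is not reported, and the historian on a public address is skipped because the check is scoped to HMIs; in practice every role would get a similar rule.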
Attackers might use old-school email scams, but with tailor-made precision that enables the malware to differentiate between a retail business, for example, and a power plant, Mong says. “The malware that you see, like a BlackEnergy malware, targets very specific types of devices that would normally be used in a critical infrastructure environment.”
ICS-CERT has averaged about 250 reports of incidents each year over the past two years, Edwards says. “Any time ICS-CERT assists an organization with a cyber incident, ICS-CERT focuses on understanding the threat and initial infection vector so that tailored mitigation strategies can be applied to harden their networks and prevent future infections from occurring.”
The Advanced Analytical Laboratory (AAL) examines malware threats and provides analysis to support discovery, forensics and recovery efforts. An AAL survey of fiscal 2013 data showed that phishing or spear-phishing attacks accounted for 21 of the 73 investigated incidents. The difference between the two is one of targeting. Spear-phishing emails typically appear to come from organizations closely related to the target, such as particular companies with which employees interact regularly, and are sent to groups with common interests, jobs or characteristics. Phishing attempts are broader and more generic, appearing to come from financial institutions, social media sites or a foreign prince looking to give away millions of his relatives’ money.
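The distinguishing trait of spear phishing described above is that the sender imitates an organization the target already corresponds with. As an added example, not from the article or the AAL, the script below classifies inbound sender domains against a list of known partner domains, separating exact matches, close-spelling lookalikes and partner names embedded as labels inside an unrelated domain. The partner domains, message headers and the similarity threshold are constructed assumptions for the example.

```python
"""Added example (not from the article or the AAL): classify inbound sender
domains by how closely they imitate organizations the target already deals with,
the trait the article uses to separate spear phishing from broad phishing.
Partner domains, message headers and the threshold are constructed."""
import difflib

# Constructed: domains of suppliers staff correspond with regularly.
PARTNER_DOMAINS = {"acme-turbines.example", "gridparts.example"}

# Similarity ratio above which a domain is treated as a lookalike of a partner.
# Chosen by hand for this example; measure it against your own mail before use.
LOOKALIKE_THRESHOLD = 0.85

# Constructed inbound headers.
MESSAGES = [
    {"from": "ops@acme-turbines.example", "subject": "Q3 maintenance window"},
    {"from": "ops@acme-turbines-example.com", "subject": "Urgent: updated PO attached"},
    {"from": "billing@acme-turb1nes.example", "subject": "Invoice overdue"},
    {"from": "support@acme-turbines.example.invoice-portal.net", "subject": "Log in to view"},
    {"from": "no-reply@bank-alerts.example", "subject": "Verify your account"},
]


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased: everything after the last '@'."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify(domain: str, partners=PARTNER_DOMAINS) -> str:
    """Label a sender domain relative to the partner list.

    partner             exact match (still verify SPF/DKIM: a From header can be forged)
    embedded-lookalike  a partner name used as labels inside an unrelated domain
    lookalike           near-identical spelling (substituted or swapped characters)
    unrelated           no resemblance to any partner
    """
    if domain in partners:
        return "partner"
    for partner in partners:
        if partner in domain:
            return "embedded-lookalike"
    best = max(difflib.SequenceMatcher(None, domain, p).ratio() for p in partners)
    if best >= LOOKALIKE_THRESHOLD:
        return "lookalike"
    return "unrelated"


def triage(messages):
    """(sender, label) for each message, in the order received."""
    return [(m["from"], classify(sender_domain(m["from"]))) for m in messages]


if __name__ == "__main__":
    for sender, label in triage(MESSAGES):
        print(f"{label:20} {sender}")
```

The exact-match case is deliberately labelled `partner` rather than `safe`: a spoofed From header looks identical at this layer, so the next step is checking SPF and DKIM alignment for that message. The two lookalikes differ from the real partner by a substituted character and by moving the name under a different top-level domain, which is why a similarity ratio catches them while a plain string comparison does not.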
Among the 16 critical infrastructure sectors, energy accounted for the largest share of the 257 incidents ICS-CERT responded to in fiscal 2013, with 56 percent; critical manufacturing was second, with 15 percent. The 16 sectors are chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; health care and public health; information technology; nuclear reactors, materials and waste; transportation systems; and water and wastewater systems.
The fiscal 2015 budget for the DHS is $60.9 billion. Of that tally, the department wants to earmark $1.25 billion for overarching cybersecurity activities. More precisely, the department wants to allocate $67.5 million for cybersecurity/information analysis research and development in the science and technology directorate and $8.5 million to establish a voluntary program and an enhanced cybersecurity services capability to support the administration’s Improving Critical Infrastructure Cybersecurity executive order.
The department’s cybersecurity effort is not just reactive. In fiscal 2013, for example, the program recorded more than 5,000 downloads and distributions of the Cyber Security Evaluation Tool (CSET) and trained 639 professionals in control system security best practices. ICS-CERT conducts free training courses, performs assessments, issues alerts and advisories, conducts incident response and performs technical analysis of malware, artifacts and vulnerabilities. “These services are free to asset owners or operators of critical infrastructure as well as for those that support the network defense and protection of control systems,” Edwards says. Working with ICS-CERT is entirely voluntary and at the request of the organization. Additionally, Edwards says, ICS-CERT takes proactive measures to raise awareness of threats through briefings, outreach, assessments, training and information products, and it works at a tactical level to provide guidance to specific organizations that might be targeted by malicious activity.
“The adversary is an ecosystem,” Mong concludes. “It’s very hard for us to pinpoint a specific actor, and what we find is that the threat actors have organized, and they’re working together. So whether they’re cybercriminal gangs, nation-states or hacktivists, they’re all collaborating and are very specialized. Some are very good at doing certain things, and they can sell that specialization to somebody else with a particular intent or a particular project or plan. We’re talking an entire marketplace, an entire ecosystem of highly specialized, highly talented people who have the ability to do lots of different things.”