Do you go fishing? You may or may not, but we see far too much phishing going on in the Internet ocean, and it scares us. The risk of over-phishing is not necessarily our concern. Our concern rests in that phishing is so easy, and big fat phish of this Internet ocean are getting gobbled up. And that’s not good for us because many of us don’t really know what is in the ocean, like critical infrastructure (CI).
As the title suggests, our biggest concern as it relates to ICS/SCADA connected devices is us. We are an incredible vulnerability to CI, and seeing as though everything we depend on runs on some form of CI, its best we protect it.
Let’s start with some basics. Our CI is for the most part old. Devices are stuck with legacy software and cannot be updated or patched because they are simply too old and out-of-date are a potential problem, as these systems have vulnerabilities that hackers can take advantage of. Yes, there is a flip side to the argument here that some of these systems are so old they cannot be hacked or are extremely difficult to be hack, as is the case in the US nuclear system. (But don’t think for a moment that nobody is trying!)
If there is a smidgen of silver lining, it is this: some of these 40-year-old systems are notoriously reliable, and there is a regular supply of “spare parts and new floppies” and recognition that the “biggest security issue isn’t that the computer is 40 years old, but rather the quality of the lock on the door where the computer is housed.”
One concern we have is “how” devices, specifically ICS-connected, “talk” to each other. We are seeing a greater roll-out of encryption to secure communications, which we consider a very positive step, but unfortunately, a full upgrade cannot happen overnight. Let’s just feel blessed that there is a viable solution out there to secure communications, meaning that taking care of this issue is simply a matter of “getting it done” instead of funding some new R&D project.
So far so good with the “stuff” (tech), but now our concerns begin to grow with “us” (behavior). Default passwords on devices are a problem, but this also is an issue that is relatively easy process to fix. Much like securing communications, changing default passwords is another matter of “getting it done.”
Notice, though, that these steps require a human to make a decision and to take action. And because we humans do have the tendency to get things wrong and make mistakes and just, well, be dumb at times, we add a layer of vulnerability to all our systems that is worrisome. If you get locked out of your laptop for clicking a wrong link, that stinks. If you get locked out of your control system in a nuclear power plant because you clicked the wrong link, oh dear!
Social Engineering, Human Error and Human Manipulation
Given that the threat which concerns us most is effectively preying on humans, our concern is warranted. And that is why we feel that the biggest problem the power grid faces today is phishing, spear-phishing, and pretexting, all of which we will define in this set of articles.
Why these threats?
Because these social engineering attacks are designed specifically to circumvent all the expensive defensive technological measures put in place by an enterprise. These tactics manipulate the individual, using them as the vector to attack the network as opposed to going for the organization’s network directly. Social engineering tactics range from the “smash-and-grab” approach (phishing) to taking advantage of the naïve (spear-phishing) to the ultra-sophisticated manipulation (pretexting).
Emails that are designed to look like they are coming from your immediate boss or “big boss” (such as a CFO or CEO) get your attention. They create a type of emotional response, usually a sense of urgency (in some cases, even fear, which can be a powerful motivator for “instant action”). And in that emotional moment of urgency, opening a seemingly legitimate attachment may unleash the payload to infect the network with malware, ransomware, or whatever type of digital nastiness you wish. It is worth noting that the top emotional motivators are: curiosity, fear, and urgency.
Manipulation does not stop with work-related material, either. If you have been tagged as a high-value target within your organization by a nefarious actor, do not think for a moment that the bad actor has limitations. If the malicious actor feels the best way to get your attention is to pretend to be your spouse or your child’s school principal, they will go that far. In our societal obsession to make information as readily available as possible, we have given up so much of ourselves and our personal lives that all can be used against us. And you would be shocked what is out there, particularly when we lose control of that information.
But let us illustrate the point of how you can – quite easily actually – target somebody. One of us, years ago (and for totally legitimate business reasons), was able to stumble across the personal mobile phone number of one of CEOs of one of the biggest companies in the United States.
How did we come across this phone number?
Because a foundation this person donated to listed the phone number on their organization’s public documentation. See, and that’s the scary thing because once our information goes into somebody else’s hands, what sort of confidence do we have this information will be safeguarded? These days, it’s not feeling too good.
This type of deep digging is not new. In political activity, this type of digging is sometimes called opposition research, but do not believe for one moment that a nefarious actor will not conduct this type of digging also.
You see, to these actors, this behavior is “all business” and part of their daily routine, particularly if they truly wish to seek out, and exploit, a target. For transparency purposes, especially when there is some public entity involved, we list so much information online (name, title, phone number, email address, work address, and so on). This is very much true for those in position of responsibility and authority. All of this information can be used against us. And once this information is captured by a malicious actor, it is manipulated or used in a manner to exploit.
For example, this information reaches the desk of the employee, say, in the form of an email from a superior. More likely than not, within the first hour or two, that email will be opened. In fact, there is an 87% chance that the email will be opened within the same day. There is a simple elegance to email attacks in that they are a proven attack channel, do not rely on technological vulnerabilities for success, and use simple deception to lure victims.
And that is the critical moment where everything can fall apart. It is often said that the “person sitting behind his or her computer terminal” is the biggest risk and hazard to the network and data security. We agree. Many others do too, noting that
“[h]uman mistakes are inevitable. Yet they can be very costly. For many organizations the risks associated with human error can be more serious than the insider threat. In some cases, it is considered the biggest threat to the ICS system.”
This Type of Attack Works and Works Well
With the effort, skill, and detailed reconnaissance of a determined actor, it has been demonstrated that one successful spear-phish attack, followed quickly by the theft of administrative privileges, could unleash tremendous pain upon the power plant workers and its network, in turn, causing a tremendous inconvenience upon the customers, clients, and businesses dependent upon the grid. Keep in mind that a successful attack on the grid has secondary and tertiary effects, as well. A power grid going down in the dead cold of winter could impact lives, leaving people stranded, and at worst, putting their lives at risk. Similarly, in the middle of a heat wave, in addition to lives at risk, emergency responders will have their resources taxed.
This is not a hypothetical scenario. In fact, a horror of this type has already happened – in the Ivano-Frankivsk region of Western Ukraine – during the dead of winter, in December 2015. The regional power company Prykarpattyaoblenergo fell victim to a highly sophisticated cyberattack.
How did it all happen?
The first myth we wish to dispel with is that hackers are “smash-and-grab” artists or opportunists trying to test out their newest abilities. In our professional experience, we hear this argument far too often and is worthy of putting down. The days of script kiddies and grey hat hackers looking for kicks are likely gone. Sure, there are plenty who enlist “hackers-for-hire” to do their dirty work or just download malware packages to deploy through a network, but for the most part, we prefer to err on the side of caution and assume we are dealing with pros.
Let us be honest, there are plenty of black hat hackers out there looking to make a buck, promote an ideology, feed their ego, or serve some national interest (which, surprise, surprise, may be in direct opposition to another national interest). For the most part, we are not scared of the 100 (or thousands) of grey hats out there looking to tickle themselves silly for what they have just done; but we are terrified of the one, or small group of, black hats who have the resources, determination, skill, stealth, and conviction to get what they want. This was the case in the Ukraine.
According to details of the investigation the nefarious actors were:
- Skilled and stealth strategists;
- Carefully planned an assault over months;
- Conducted reconnaissance and study of the networks;
- Siphoned operator credentials; and
- Launched a synchronized assault in a well-choreographed dance.
If this process sounds more like traditional tradecraft, you would be right to assume that. Robert M. Lee, a former cyber warfare operations officer in the US Air Force and who assisted in the investigation said:
“[i]t was brilliant. In terms of sophistication, most people always [focus on the] malware [that’s used in the attack]. To me what makes sophistication is logistics and planning and operations and … what’s going on during the length of it. And this was highly sophisticated.”
So this first article of the series was designed to let you know the following: yes, it can happen. It’s time to rid ourselves of the thought that it cannot happen. In the upcoming articles, we are going to give you some clear and easy to remember definitions, a bit more on how manipulation is extremely easy over the Internet, why threats to ICS/SCADA should really worry us, and a very brief walk through of what happened at Prykarpattyaoblenergo.
Just as a final note, we want to make note of a specific threat to CI (but one that is not directly linked to social engineering) because it is worth knowing about: APTs. We view APTs as a given happening all the time, almost robotic-like in their existence. With increased use of AI/ML, we believe that APT detection and response rate will improve in the coming years. And we also see APTs like papercuts to a paper handler. You are going to get them in the process of your daily work. The trick, therefore, is not to get killed by them. If you are a power grid member and are not a victim of APTs, you are either doing something absolutely incredible (and we are sure the rest of the industry would love to know more about what you are doing) or you are asleep at the switch.
For information on how Tripwire can protect your ICS systems, click here.
About the Authors:
Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance issues, and assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them.
George Platsis has worked in the United States, Canada, Asia, and Europe, as a consultant and an educator and is a current member of the SDI Cyber Team (www.sdicyber.com). For over 15 years, he has worked with the private, public, and non-profit sectors to address their strategic, operational, and training needs, in the fields of: business development, risk/crisis management, and cultural relations. His current professional efforts focus on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.