The US grids have been cyber attacked – industry response and information sharing has failed

Nov. 14, 2016

According to “official” sources, the US electric grid has never been cyber attacked. However, that is not true. There have been several cases where nation-states and others (not identified) have cyber attacked the US electric grid.

I think most people would agree that using the Internet to compromise Windows systems and then stealing information would be considered a cyber attack. I think most people would also consider uploading rootkits to shut down a computer system a cyber attack. In the 2004 time frame, a US utility had its SCADA system shut down for two weeks by a cyber attack that installed rootkits in the SCADA system (this was presented at the 2004 ICS Cyber Security Conference). The attacker was traced to Eastern Europe, and from there the trail went cold.

The Russians cyber attacked the US grid in the 2014 time frame using Havex and BlackEnergy. BlackEnergy is a malware threat that has been around since at least 2011, with capabilities including port scanning, password stealing, system information gathering, digital certificate theft, and remote desktop connectivity. At the October 2014 ICS Cyber Security Conference, iSight Partners gave a presentation about BlackEnergy being in our US grids and targeting both Siemens and GE platforms. About a month later, DHS held a series of classified briefings on BlackEnergy. Yet, to this day, neither the NERC CIPs nor NEI 08-09 require that malware be removed. Additionally, both NERC CIP and NEI 08-09 exclude many systems (as not being “critical”) that could have BlackEnergy, or other, malware installed.

According to the DHS ICS-CERT Monitor for March–April 2015 (https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Mar-Apr2015.pdf), “Over the last year, ICS-CERT and the Federal Bureau of Investigation (FBI) have been responding to sophisticated cyber exploitation campaigns against United States critical infrastructure ICS. These two campaigns have involved different sets of malware, both of which have used tactics to target and gain access to control systems environments. ICS-CERT is highly concerned because the sophistication of the threat actors and exploitation techniques used represent an elevated level of risk for critical infrastructure asset owners and operators. In response, ICS-CERT has provided both onsite and remote assistance to various critical infrastructure companies to perform forensic analysis of their control systems and conduct a deep dive analysis into both Havex and Black Energy malware. Subsequently, ICS-CERT has provided detailed information and analytic findings in various alerts that were disseminated through the Secure Portal and web site. These alerts provided information about the attack methodologies; tools, tactics, and procedures used by attackers; malware functionality; recommended practices and mitigation strategies for intrusion detection; and improvement of existing cybersecurity.”

According to the DHS ICS-CERT Monitor for May–June 2015 (https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_May-Jun2015.pdf), “If You’re Connected, You’re Likely Infected! Some asset owners may have missed the memo about disconnecting control system from the Internet. Our recent experience in responding to organizations compromised during the BlackEnergy malware campaign continues to bring to light this major cybersecurity issue—Internet connected industrial control systems get compromised. All infected victims of the BlackEnergy campaign had their control system directly facing the Internet without properly implemented security measures. The BlackEnergy campaign took advantage of Internet connected ICS by exploiting previously unknown vulnerabilities in those devices in order to download malware directly into the control environment. Once inside the network, the threat actors added remote access tools, along with other capabilities to steal credentials and collect data about the network. With this level of access, the threat actor would have the capability to manipulate the control system.” This is a straightforward statement by DHS that the US grid has been hacked.

There is much about the 2014 Havex/BlackEnergy campaign against the US electric grid that remains obscure to this day. The capabilities of BlackEnergy2 are known. What is not known are the specific plugins used by the attackers, nor has the public been told how successful the Russians were with Havex/BlackEnergy. What is apparent is the agility of the BlackEnergy developers in adapting the toolkit to evolving IT systems, although the strong focus on Microsoft Windows applications as the platform for BlackEnergy malware remains. Neither industry nor federal agencies have been forthcoming on the extent of the Russian effort. US-CERT’s announcement of the attack in June 2014 provided the first public alert; its announcement of Havex reconnaissance and the supply-chain penetrations (trojanized HMI product installers on vendor websites) should have set off alarms but obviously didn’t.

It is evident the Russians learned much about US grid vulnerabilities and put considerable effort into improving BlackEnergy, with an upgrade to BlackEnergy3 the result. By early 2015, Russia used the BlackEnergy enhancements learned from the US grid against the Ukrainian grid, with the end result being the successful December 2015 Ukrainian cyber attack. Isn’t it an interesting twist that the malware used in the Ukrainian cyber attack was used against the US grids first?

As for industry information sharing and disclosure, cybersecurity incident reporting by both NERC and DOE has unexpectedly declined since the 2013 Havex/BlackEnergy buildup. DOE has a mandatory reporting requirement (Form OE-417 reports) for incidents meeting a set of criteria for significant events. (The same is true for unanticipated incidents at nuclear plants.) There is a supplemental set of cybersecurity criteria that leaves little room for judgment on what to report. Yet only three cybersecurity incidents were recorded for 2014 and none for 2015. ICS-CERT incident reporting alone reveals far more than this, as do multiple NERC Lessons Learned reports. Surely the 2014 Russian attack on the US electric grid produced dozens of reportable incidents, to say nothing of the attack’s residue still in the grid in 2015. Many utilities routinely rely on DHS’s analytic capability to understand unusual cyber events or to request formal assessments of their security status. Further, the NRC uses ICS-CERT’s analytic capability on incidents at nuclear sites. The lack of appropriate information sharing can only degrade the industry’s ability to respond adequately, and it additionally provides a false sense of security.

The utility industry (NERC, industry organizations, and the utilities) has been stating how seriously it takes cyber security. The industry, along with certain senior DHS and DOE representatives, has stated that the grid has never suffered a cyber attack and that major electric equipment cannot be damaged by a cyber attack. It should be obvious that the grid is not as secure as many people claim, nor is information sharing working as advertised.

Joe Weiss