As we move into late December (I started writing this on 23 December 2018), all eyes in the information security and especially the industrial control system (ICS) security space typically turn to Ukraine. In 2015 and again in 2016, malicious entities – likely Russian in origin – gained access to and successfully manipulated Ukrainian electric distribution and transmission (in 2015 and 2016, respectively) to create outages within the greater Kiev/Kyiv region. The last two years (2017 and 2018) have (so far) not witnessed a publicly-disclosed electric utility disruptive event in Ukraine. In the meantime, multiple adversaries probed electric infrastructure closer to many of my readers’ homes: several events targeting US electric infrastructure, related entities compromising UK and German electric utilities, and potential activity linked to North Korea. Notable in all of these instances: a complete lack of (known) disruptive effects as a result of such intrusions.

The lack of a provable, known outage resulting from these events makes hyperbolic reporting about “the grid” being attacked seem like Chicken Little ceaselessly crowing that the sky is falling. For the most part, I agree with this assessment that much popular reporting of electric utility-focused events resides well within the realm of pieces meant to generate fear, uncertainty, and doubt (FUD).

But as a consequence of this “cry wolf” syndrome and the disconnect between initial intrusion and ultimate effect, many people (including national and cyber security experts) overlook the true nature and consequences of recent events. Much of the difficulty stems from viewing “cyber” events as singular, near-instantaneous occurrences (like the WannaCry or NotPetya events, where infection was rapidly followed by disruption) instead of seeing cyber-induced impact as just the final stage in a multi-step, lengthy process. When adopting this view, individual observable elements of a cyber intrusion become steps leading toward some ultimate “action on objectives” at the end of the process. Thus, identifying something like initial access but no disruptive effect or exfiltration of data does not mean the campaign was “inert” or somehow more benign than others – it simply means that attacks were caught at an earlier stage of the attack lifecycle.

In light of the above, one must examine recent intrusions – even though they have yet to result in noticeable disruptive events – against past activities to gain a full appreciation of their meaning and potential risk. For example, looking at the Ukraine events, the time from intrusion to final effects delivery (a power disruption) was measured in weeks at least, and most likely several months. Other targeted ICS events – such as the TRISIS/TRITON event – feature similarly lengthy timelines from initial network breach to intrusion into control system networks, culminating in a final impact in the ICS environment. Therefore, the identification of initial intrusions into US, UK, German, and other electric utility networks in all likelihood represents not the discovery of a complete event, but rather the unearthing of an event in progress.

Looking at publicly-available reporting on intrusions into US electric infrastructure since 2017, the US Department of Homeland Security (DHS)/National Cybersecurity and Communications Integration Center (NCCIC) describes what on first glance appears to be a very complex operation stemming from initial compromise of various vendors and contractors and leading to ultimate compromise of control system networks at utility companies. While subsequent DHS/NCCIC public statements walked back previous comments on adversaries “having their hand on the switch,” the situation remains that adversaries (attributed to Russia by DHS as well as the UK’s NCSC) established access to relatively isolated sections of electric utility networks. Based on items such as an infamous screenshot released by DHS/NCCIC, attackers were able to get access to sensitive sections of victim networks where the possibility of an impact (created by nothing more than manipulation of the control system in question – similar to the 2015 Ukraine event) is quite plausible. However, in noting that the adversary quite literally was in position at some facilities with their hands “on the (HMI) switch”, one also needs to recognize that creating an outage or disruption of significance would require intrusions at multiple facilities and coordinated actions across multiple sites – non-trivial items based on what is presently known.

The above is concerning, but when viewed in the scope of the overall ICS Cyber Kill Chain, such discoveries merit short-term concern – while avoiding panic. Based on publicly-available evidence, the adversaries in question managed to transition from Stage 1 activity (enterprise IT network intrusion and preparatory actions for ICS intrusion) into Stage 2 events (information gathering and development for an ICS-specific event). This alone is concerning, as the corpus of ICS-specific, deliberate intrusions remains thankfully rather small (a topic I’ll cover at the 2019 SANS ICS Summit). But when viewed in light of the overall Kill Chain, there are two non-exclusive reactions to discovering these intrusions:

  1. The attacks were caught at a relatively early stage relative to ICS-specific effects delivery, and thus represent a potential “win” for network defenders.
  2. The attacks as discovered were still immature, and it is very likely that additional such intrusions exist that were not discovered – or sufficient access remains in known victims that adversaries could regain entry in the future and proceed toward further effects.

We can and should be proud of the first reaction, as our goal as defenders within the ICS space should be to identify and mitigate intrusions as early as possible along the Kill Chain so as to circumvent any designs toward a disruptive impact. Yet the mitigate portion is critical here – if an attack is discovered but not completely mitigated or expelled from the victim network, the risk remains of a disruptive impact in the future. Furthermore, this even assumes that all victims were identified in the campaign of current concern, let alone that all such intrusions were successfully defeated.

The second reaction is more concerning, especially given the possibilities of both incomplete remediation and failure to identify some victims in the first place. In this case, attacks may have been identified in some instances – but in others they were not. And the ultimate goal of intruding into an ICS network – and especially one related to electric power – is not just to “look around” or steal information. Rather, the typical (if not the only) motivation for attempting such access is to manipulate the underlying process in some fashion. Such a desire need not manifest itself immediately – hence the time lag between initial intrusion (or intrusion discovery) and potential effect at a later date. Rather, from a traditional military perspective, such an intrusion represents “operational preparation of the environment” (OPE), setting the stage through gaining appropriate access and capabilities to deliver a disruptive effect at a later date.

This last part is most concerning – for we just do not know (at least with certainty) what the intention of these campaigns was prior to discovery. And by intention, I do not mean ultimate intent, since this is reasonably clear: the most likely, if not the only plausible, reason to gain access to an electric utility control station or similar ICS equipment is to manipulate it at some point in a fashion undesired by its owners and operators. Rather, what remains for analysts to determine (and for attackers to reveal) is a question of timing. This goes to the earlier point of intrusion lifecycles. For especially mature adversaries, the actions in the US, UK, Germany, and potentially elsewhere may have simply been developing points of access and laying the groundwork for future manipulation that could then be called upon in times of crisis or in response to other events. While it is possible such intrusions were designed for immediate manipulation leading to disruption, this seems less likely given the targets and the possibilities for response (cyber or physical) as a result.

Thus for the campaigns in question, we are left with the following concern: no disruptive effect took place, but one may yet occur in the future, either because attacker access is restored or because other entities were compromised but intruders were not detected. Toward the former point, the nature of these intrusions is concerning as they relied on the subversion of trusted relationships with vendors to achieve initial access, then largely relied upon credential capture and re-use within victim environments to further the intrusion. While IT-centric passwords can be changed fairly easily (when their compromise is identified), harvesting credentials within the control system environment raises more concern: the frequency of hard-coded, difficult to change, and re-used credentials in ICS networks allows credential theft to not only pay greater dividends for an adversary, but makes credential change and refresh more difficult for defenders and ICS operators. Thus an intrusion that was caught in 2017 or 2018, and potentially mitigated through IT-centric measures, may nonetheless yield significant ICS-specific information such that an attacker need only restore access to the initial victim IT environment to then gain access to the target ICS network using previously-discovered logon credentials. Furthermore, the vendor relationships exploited in initial actions likely remain (or simply move to other vendors and contractors), continually putting utility organizations at the mercy of another entity’s security posture.

Overall, while I do not wish to outline a story calling for panic about imminent attacks on electric infrastructure, I strongly believe that much existing discussion misses the point of just what these intrusions may mean in the near future. Specifically, I want to emphasize how these events, even though none appear to have resulted in an actual disruption, nonetheless represent actions best understood in the context of a complex, multi-staged operation designed to conclude with a future attack. Such an attack may never manifest itself (just as building a weapon system may never result in its actual use), but nonetheless represents clear and deliberate preparations to have a specific, concerning capability against civilian critical infrastructure.

Viewed in this light, events since 2017 require two general responses:

  1. Continued emphasis on and efforts toward building greater security within the control system space – not simply the purchase and installation of new blinking boxes in network closets, but fundamental actions such as increasing visibility across network, host, and process elements of the ICS environment.
  2. While prevention and detection are ideal, organizations (and populations) must also ready themselves for response and recovery – thus designing operational and process-related resilience within the systems themselves is necessary. In both Ukraine events, an oft-overlooked element is how quickly Ukrainian personnel restored operations after the attacks. While preventing events is ideal, organizations must be ready to execute plans to restore not just attacked networks but actual industrial processes to known good, safe states in a relatively quick and efficient manner following a disruptive event.

As we enter 2019, the threats are not going away, and detection of events from 2017 to 2018 may simply have given us a glimpse of malicious entities building out “options” for future, yet-to-be-determined operations. In addition to trying to meet this threat head-on, we as defenders, owners, and operators – as well as policymakers, consumers, and citizens – need to appreciate the true and nuanced risk posed by such events, and begin articulating ways to respond and maintain those fundamental processes and operations that make modern life possible.

1 Comment

Andy Bochman · 12/27/2018 at 08:22

Thanks, Joe, for a very well written and reasoned piece. I think your case for intentional balance, of neither overreacting (e.g., panic, despair), nor ignoring the intrusions – the ones we noticed – because they didn’t go bang, is just right for where we are on the edge of 2018 and 2019. Happy New Years, and we appreciate the excellent work you, Rob and team are doing.