Forget The Sony Hack: This Could Be The Biggest Cyber Attack Of 2015
Patrick Tucker writes on DefenseOne.com (December 19, 2014) that “technology journalists were quick to point out that, even though the cyber attack [on Sony] could be attributable to a nation-state actor, it wasn’t particularly sophisticated.” Ars Technica’s Sean Gallagher likened it to a “software pipe bomb,” with limited fallout, Mr. Tucker notes. But, according to leading cyber security professionals, “the Sony hack may be a prelude to a cyber attack on the United States [critical] infrastructure that could occur in 2015 — as a result of a very different, self-inflicted document dump by the Department of Homeland Security (DHS) this past July.”
2015: The Year Of The Aurora?
“Here’s the background,” Mr. Tucker writes. On July 3, DHS, which “plays [a] key role in responding to cyber attacks” against the U.S. homeland, replied to a Freedom of Information Act (FOIA) request regarding a malware attack on Internet giant Google — called Operation Aurora.
Unfortunately, as Threatpost writer Dennis Fisher reports, DHS officials made a grave error in their response. Indeed, Mr. Tucker observes that DHS “released more than 800 pages of documents related not to Operation Aurora, but rather Project Aurora, a 2007 research effort led by Idaho National Laboratory — demonstrating how easy it was to hack” critical components in power and water systems.
“The Aurora Project exposed a vulnerability common to many electrical generators, water pumps, and other pieces of infrastructure, wherein an attacker remotely opens and closes key circuit breakers, throwing the machine’s rotating parts out of synchronization and causing parts of the system to break down,” Mr. Tucker warns. “In 2007, in an effort to cast light on the vulnerability that was common to many electrical components,” researchers from the Idaho National Lab staged an Aurora attack live on CNN.
“How widespread is the Aurora vulnerability?” Mr. Tucker asks. In an article from Power Magazine last year (2013), the publication warned: “The Aurora vulnerability affects much more than rotating equipment inside power plants. It affects nearly every electricity system worldwide; and, potentially any rotating equipment — whether it generates power, or is essential to an industrial commercial facility.” The article was written by Michael Swearingen, then manager for regulatory policy for Tri-County Electric Cooperative (now retired), Steve Brunasso, a technology operations manager for a municipal electric utility, Booz Allen Hamilton critical infrastructure specialist Dennis Huber, and Joe Weiss, a Managing Partner for Applied Control Solutions.
Mr. Tucker notes that “Weiss today is a Defense Department subcontractor working with the Navy’s Mission Assurance Division. His specific focus is fixing Aurora vulnerabilities,” and he calls DHS’s error “breathtaking.”
“The vast majority of the 800 or so pages are of no consequence,” Weiss said, “but a small number contain information that could be extremely useful to someone looking to perpetrate an attack. Three of their slides constitute a hit list of critical infrastructure. They tell you, by name, which [Pacific Gas and Electric] substations you could use to destroy parts of the grid. They give the name of all the large pumping stations in California.”
How Easy Is It To Launch An Aurora-Style Attack On U.S. Critical Infrastructure?
“Perpetrating an Aurora-style attack is not easy,” Mr. Tucker argues, “but it becomes much easier the more knowledge a would-be attacker has on specific equipment they may want to target.” In a 2011 paper for the Protective Relay Engineers’ 64th Annual Conference, Mark Zeller, a service provider with Schweitzer Engineering Laboratories, lays out — broadly — the information an attacker would have to have to execute a successful Aurora attack: “The perpetrator must have knowledge of the local power system, know and understand the power system’s interconnections, initiate the attack under vulnerable system load and impedance conditions — and select a breaker capable of opening and closing quickly enough to operate within the vulnerability window.”
“Assuming the attack is initiated via remote electronic access, the perpetrator needs to understand and violate the electronic media, find a communications link that is not encrypted, or is unknown to the operator, ensure no access alarm is sent to the operators, know all the passwords, or enter a system that has no authentication.”
“That sounds like a lot [of hurdles] to jump over,” Mr. Tucker writes, “but, utilities commonly rely on publicly available equipment and common communication protocols (DNP, Modbus, IEC 60870-5-103, IEC 61850, Telnet, QUIC4/QUIN, and Cooper 2179) to handle links between different parts of their systems. It makes equipment easier to run, maintain, repair, and replace. But, in that convenience — lies vulnerability.”
In the Power Magazine article, the authors point out that “compromising any of these protocols would allow the malicious party to control these systems…outside utility operations.”
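The prerequisites Zeller lists (remote access over a control link that is unencrypted, unauthenticated or unknown to the operator, followed by opening and reclosing a breaker inside the vulnerability window) give a defender two concrete things to look for in SCADA command records: breaker commands from addresses that are not known operator consoles, and open/close pairs on one breaker faster than any normal operation. The monitor below is an added example, not code from the DefenseOne article or from any utility; the log format, the console allow-list and the one-second cycle window are constructed assumptions, and a real deployment would build the records from DNP3/Modbus traffic capture or the control-system historian.

```python
"""Monitor SCADA breaker-control commands for Aurora-style cycling.

Added example, not from the article. The log format, the operator
console allow-list and the one-second cycle window are constructed
assumptions; a real deployment would derive the records from DNP3/Modbus
traffic or the control-system historian.
"""
from datetime import datetime, timedelta

# Assumed allow-list of addresses permitted to issue breaker commands.
OPERATOR_CONSOLES = {"10.1.1.10"}

# Open-then-close on one breaker faster than this is treated as anomalous.
CYCLE_WINDOW = timedelta(seconds=1)

# Constructed sample log: ISO timestamp, source address, protocol,
# breaker id, command. Lines 3-4 show a fast open/close pair from the
# operator console; lines 5-6 show the same pattern from an unknown host.
SAMPLE_LOG = """\
2014-12-19T10:00:00.000 10.1.1.10 DNP3 CB-12 OPEN
2014-12-19T10:00:41.500 10.1.1.10 DNP3 CB-12 CLOSE
2014-12-19T10:05:00.000 10.1.1.10 MODBUS CB-07 OPEN
2014-12-19T10:05:00.260 10.1.1.10 MODBUS CB-07 CLOSE
2014-12-19T10:07:00.000 192.0.2.44 MODBUS CB-07 OPEN
2014-12-19T10:07:00.310 192.0.2.44 MODBUS CB-07 CLOSE
"""


def parse_line(line):
    """Split one log record into a dict; raises ValueError on bad input."""
    ts, src, proto, breaker, cmd = line.split()
    if cmd not in ("OPEN", "CLOSE"):
        raise ValueError("unknown breaker command: %s" % cmd)
    return {"ts": datetime.fromisoformat(ts), "src": src, "proto": proto,
            "breaker": breaker, "cmd": cmd}


def detect(log_text, consoles=OPERATOR_CONSOLES, window=CYCLE_WINDOW):
    """Return alerts for unauthorized sources and rapid open/close cycles."""
    alerts = []
    last_open = {}  # breaker id -> most recent OPEN record still unmatched
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["src"] not in consoles:
            alerts.append(dict(kind="unauthorized_source", **rec))
        if rec["cmd"] == "OPEN":
            last_open[rec["breaker"]] = rec
        else:
            prev = last_open.pop(rec["breaker"], None)
            if prev is not None:
                gap = rec["ts"] - prev["ts"]
                if gap <= window:
                    # Flagged regardless of source: reclosing this fast is
                    # what drives rotating equipment out of synchronism.
                    alerts.append(dict(kind="rapid_cycle",
                                       gap_ms=gap // timedelta(milliseconds=1),
                                       **rec))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["kind"], a["breaker"], a["src"],
              a.get("gap_ms", ""))
```

The rapid-cycle rule fires even when the source is an allowed console, because a reclose a few hundred milliseconds after an open is anomalous whoever issued it; the source check and the timing check are independent so that a stolen or default operator credential does not silence the alert.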
Mr. Tucker notes that DefenseOne “reached out to DHS to ask them if they saw any risk in this accidental document dump.” A DHS official, he writes, wrote this back in response: “As part of the Freedom of Information Act (FOIA) request related to Operation Aurora, the DHS National Programs and Protection Directorate provided several previously released documents to the requestor. It appears that those documents may not have been specifically what the requestor was seeking; however, the documents were thoroughly reviewed for sensitive, or classified information — prior to their release…to ensure that critical infrastructure security would not be compromised.”
Weiss called the response “nonsense,” Mr. Tucker noted.
“The risk posed by the DHS accidental document release may be large, as Weiss argues, or nonexistent as DHS would have you believe; but, even if it’s the latter, Aurora vulnerabilities remain a key concern,” Mr. Tucker warns. Perry Pederson, who was the Director of the Control Systems Security Program at DHS in 2007, when the Aurora vulnerability was first exposed, said as much in a blog post in July after the vulnerability was discovered. He doesn’t lay blame at the feet of DHS, Mr. Tucker writes, but “his words echo those of Weiss in their urgency: ‘Fast forward to 2014. What have we learned about the protection of critical cyber-physical assets? Based on various open source media reports in just the first half of 2014, we don’t seem to be learning how to defend at the same rate as others are learning to breach.’”
Aurora Versus The Sony Hack
“In many ways, the Aurora vulnerability is a much harder problem to defend against — than the Sony hack — simply because there is no obvious incentive for any utility operator to take any of the relatively simple costs necessary to defend against it,” DefenseOne reports. “And, they are simple. Weiss says a commonly available device installed on vulnerable equipment could effectively solve the problem, making it impossible to make the moving parts spin out of synchronization. There are two devices on the market, the iGR-033 rotating equipment isolation device (REID) and the SEL 751A, that purport to shield equipment from ‘out-of-phase’ states.”
“Aurora is not a ‘zero-day’ vulnerability, an attack that exploits an entirely new vector — giving the victim ‘zero days’ to figure out a patch. The problem is there is no way to know that [the safeguards] are being implemented until someone, North Korea, or someone else — chooses to exploit them.”
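The protective devices named above work on a simple principle: a breaker close is refused while the two sides are out of phase, so a remote command cannot reconnect a machine that has slipped out of synchronism. The code below is an added example that illustrates that principle in Python; it is not the article's code and not the logic of the SEL 751A or the REID, and the limits it uses (25 degrees of angle, 0.1 Hz slip, 0.1 pu voltage difference, both sides live) are illustrative assumptions. It places an unprotected breaker model, which honours every CLOSE, beside an interlocked one so the difference in behaviour under an out-of-phase reclose is visible.

```python
"""Close interlock modelled on a synchronism check.

Added example, not the article's code and not the logic of any named
product (SEL 751A, REID). The limits below (25 degrees, 0.1 Hz slip,
0.1 pu voltage difference, both sides live) are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass
class Phasor:
    """Voltage measurement on one side of the breaker."""
    magnitude_pu: float  # per-unit of nominal voltage
    angle_deg: float     # phase angle in degrees
    freq_hz: float       # measured frequency


@dataclass
class SyncLimits:
    max_angle_deg: float = 25.0
    max_slip_hz: float = 0.1
    max_volt_diff_pu: float = 0.1
    min_live_pu: float = 0.8  # assumed policy: both sides energised to close


def angle_difference(a_deg, b_deg):
    """Smallest unsigned angle between two phase angles, in degrees."""
    return abs((a_deg - b_deg + 180.0) % 360.0 - 180.0)


def sync_check(bus, line, limits=None):
    """Return (permit, reasons); permit is True only if every limit holds."""
    limits = limits or SyncLimits()
    reasons = []
    if min(bus.magnitude_pu, line.magnitude_pu) < limits.min_live_pu:
        reasons.append("dead side")
    if abs(bus.magnitude_pu - line.magnitude_pu) > limits.max_volt_diff_pu:
        reasons.append("voltage mismatch")
    if angle_difference(bus.angle_deg, line.angle_deg) > limits.max_angle_deg:
        reasons.append("angle outside window")
    if abs(bus.freq_hz - line.freq_hz) > limits.max_slip_hz:
        reasons.append("slip too high")
    return (not reasons, reasons)


class UnprotectedBreaker:
    """Executes any CLOSE it receives: the exposure the article describes."""
    def __init__(self):
        self.closed = True

    def command(self, cmd, bus=None, line=None):
        self.closed = (cmd == "CLOSE")
        return True  # every command is honoured, in phase or not


class InterlockedBreaker:
    """Same interface, but CLOSE is refused unless the sync check passes."""
    def __init__(self, limits=None):
        self.closed = True
        self.limits = limits or SyncLimits()
        self.blocked = []  # reasons recorded for each refused CLOSE

    def command(self, cmd, bus, line):
        if cmd == "OPEN":
            self.closed = False
            return True
        permit, reasons = sync_check(bus, line, self.limits)
        if permit:
            self.closed = True
        else:
            self.blocked.append(reasons)
        return permit


def reclose_scenario(breaker, drift_deg):
    """Open, let the machine side drift by drift_deg, then command CLOSE.

    Returns whether the CLOSE was executed.
    """
    bus = Phasor(1.0, 0.0, 60.0)
    breaker.command("OPEN", bus, Phasor(1.0, 0.0, 60.0))
    line = Phasor(1.0, drift_deg, 60.0)  # generator side has slipped
    return breaker.command("CLOSE", bus, line)


if __name__ == "__main__":
    print("unprotected, 90 deg out:", reclose_scenario(UnprotectedBreaker(), 90.0))
    ib = InterlockedBreaker()
    print("interlocked, 90 deg out:", reclose_scenario(ib, 90.0), ib.blocked)
    print("interlocked, 10 deg out:", reclose_scenario(InterlockedBreaker(), 10.0))
```

The point of the `blocked` list is operational: a refused close is itself an event worth forwarding to the operators, since a legitimate reclose rarely arrives while the machine is 90 degrees out of phase.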
“Can North Korea pull [off] an Aurora vulnerability?” Mr. Tucker asks. Weiss says yes. “North Korea and Iran are capable of doing things like this.”
An Aurora-Style Vulnerability Attack — Leaves No Digital Exhaust
Attribution in the cyber realm is extremely difficult, if not impossible, when a clever and sophisticated adversary is the culprit. But in the case of an Aurora-style hack, few if any digital clues — save maybe a single IP address [which can also be camouflaged] — are likely. “Unlike the Sony hack, [an Aurora-style attack] doesn’t require specially written malware to be uploaded into a system, malware that could indicate the identity of the attacker, or at least his or her affiliation,” Mr. Tucker wrote. “Exploiting an Aurora attack is simply a matter of gaining access, remotely, possibly because equipment is still running on factory-installed passwords, and then turning a switch off and on.”
“You’re using the substations against whatever’s connected to them. Aurora uses the substations as their attack vector. This is the electric grid being the attack vector,” said Weiss, who calls it a “very, very, insidious attack.”
“The degree to which we are safe from that eventuality depends entirely on how well utility companies have put in safeguards. We may know the answer to that in 2015,” Mr. Tucker concludes.
Yes, We Are Extremely Vulnerable To A Catastrophic Cyber Event; But, The Adversary Isn’t 10 ft. Tall And, We Have A Few Surprises Of Our Own
Certainly, upgrading and strengthening the resilience of our critical infrastructure: restoration, mitigation, reconstitution, restoring trust, reverse-engineering, etc. is extremely important. But, we could spend ourselves into oblivion and still not be “safe.” We could have impregnable firewalls, and the trusted insider could be the Achilles heel. And, even if the firewalls of our critical infrastructure facilities are “impregnable,” the adversary will use second and third tier suppliers to gain entry — as they did in the case of Target in November 2013. Playing defense in this area is, or can be, very expensive. Manual work-arounds, best cyber hygiene practices, two-step authentication, encrypting data at rest, dispersing data around to various/numerous iClouds, and practicing to “fight” disconnected — to fully appreciate and understand just how dependent the corporation or government entity is on network-enabled operations — are all important steps.
But, the best defense in the cyber area — as of now — is a great cyber offense. Creating and nurturing a “Cyber SEAL Team,” and an Intelligence Collection and Operations Elite Cyber entity, are mandatory. The U.S. shouldn’t necessarily respond to a cyber attack like the Sony hack strictly with cyber weapons. We must use all of our available options to make it painful on the adversary; and, hopefully make them think long and hard before undertaking future Sony-like attacks on our critical infrastructure. We must have a robust cyber deterrence strategy; and our military commanders and critical infrastructure/Wall Street need to practice continuity of operations — disconnected from the Internet — to fully appreciate how network dependent — or not — we are; and, what are manageable and sensible work-arounds that need to be implemented. We need to exercise and wargame a cyber catastrophic event — across industry, finance, health care, military, intelligence, and so on. And, we must have the very best, elegant, exquisite, talented, and thoughtful cyber warriors — capable of carrying out offensive cyber operations — in defense of the homeland. V/R, RCP