Navigant Research Blog

Honeypots Teach Us About Attackers

— April 11, 2014

Security researchers will try almost anything to find out who is attacking their clients and how.  One of their best-loved and most effective techniques is a honeypot.  First developed about a decade ago, a honeypot is a decoy system or network – a tempting target for attackers that is not really a target at all, but a trap.  The objective is to lure attackers into the honeypot and then watch how they work.  Attackers’ methods are almost like fingerprints; researchers who are familiar with a number of attackers can often identify the attackers simply by watching their step-by-step process of discovery through the honeypot.  Researchers do have other methods as well, such as tracing IP addresses or even fingerprinting the attackers’ browser – adding source code to the attackers’ browser that reveals more about their identity.

Attackers are, of course, aware that honeypots exist, so preparation of an effective honeypot must be extremely detailed.  To set up a honeypot requires a fair bit of planning to make the target look as realistic as possible.  Eventually, the attackers will realize that they’ve been had, so the objective is to keep them in the honeypot as long as possible to gather as much information as possible about their methods and their identity.

One security researcher described one of his honeypots in a talk at the SANS 9th Annual ICS Security Summit.  Kyle Wilhoit of Trend Micro described a scenario in which he set up juicy but fake targets on five continents and then watched them be attacked.  Each was a model of a control system for a small municipality water pump.  Connected directly to the Internet and with insufficient protection, this water pump looked like easy pickings, and it was attacked nearly 100 times.  Again, the attackers were not attacking an actual water pump but were instead sending commands to a simulation of a water pump – the honeypot.

Disturbing Motives

Perhaps most disturbing to me is that most of the attacks that Wilhoit reported were attempted sabotage, not data exfiltration.  Nearly all of my recent research indicates that large-scale persistent attacks against control networks have been data exfiltration for competitive advantage.  In this case, however, data exfiltration attempts were a minority of all attacks.  Even some well-known attack teams supported by hostile nation-states attempted to disable the water pump, not simply exfiltrate its data.  For me, this requires a rethink:  Is all that data exfiltration really just for competitive advantage or are attack plans being prepared?  As ever, only the attackers know, but this one project suggests that there may be more attack planning than has been assumed.

You might think that attackers seeing a control device connected directly to the Internet would say, “Nah, this is too good to be true.”  And then seeing a control device directly connected to the Internet with little or no security – “It just has to be fake, right?”  Sadly, no.  Attackers are accustomed to discovering real systems like this all day long – directly connected to the world and with no protection.

My conclusion is mixed.  Honeypots are an effective tool for learning about our adversaries.  Yet, honeypots work because the unprotected systems that they mimic are commonplace in our industry.


Innovation Is Booming in the Water Industry

— April 9, 2014

As part of the events to mark World Water Day, the United Nations (UN) has launched a new report highlighting the challenges of ensuring an adequate global water supply over the coming decade.  In particular, the World Water Development Report focuses on the growing interdependency of water and energy.  The report looks at the water industry’s energy requirements for production, distribution, and treatment, as well as at the growing demand for water resources from the energy industry.

We have written about the impact of the growing global demand for water before, but the World Water Development Report yet again highlights the challenges ahead.  According to the report, water demand will increase by 55% by 2050, with the biggest impact coming from the growing demand from manufacturing (400%), thermal electricity generation (140%), and domestic use (130%).  More than 40% of the global population is projected to be living in areas of severe water stress through 2050.

Countries, cities, and communities need to improve their ability to assess and plan for future water needs.  However, developing new water supplies, storage facilities, or treatment plants will remain a hugely expensive endeavor, and so the industry must look to technologies that can mitigate the need for capital investment by improving the efficiency of existing systems and maximizing the benefits of new investments.  For this reason, we are seeing a host of innovative technologies and solutions targeted at the water industry.  Entrepreneurs and developers from the IT, telecom, and smart grid sectors are now looking to water as the next industry where they can make a major impact on the way the business operates.  This opportunity is attracting a wide range of technology and service suppliers, including established water metering vendors, water network engineering companies, water service companies, infrastructure providers, IT software and service companies, and a variety of startups and innovators.

The recent World Water-Tech Investment Summit in London gave me a good opportunity to survey a range of companies.  Among a host of other innovators at the show were companies we looked at in our Smart Water Networks report, including TaKaDu, which has been pioneering the use of cloud-based analytics for leak detection.  Also present was i2O, which is providing water utilities with an intelligent pressure management solution that also uses cloud-based advanced analytics, but integrates them directly into the pressure management system.  Other companies new to me included Acoustic Sensing, a U.K. startup that has developed a new acoustic sensing solution to allow the rapid identification of structural defects and blockages in sewerage systems; Syrinix, another U.K. company that provides intelligent pipe monitoring systems for burst detection and pressure monitoring, among other applications; IOSight, an Israeli-based company providing advanced business intelligence and data management for the water industry; and Optiqua, which provides sensor networks for real-time water quality monitoring.

Keeping Afloat

While there is no shortage of innovation in the industry, it is still a challenge to find ways of investing in new technologies in a heavily regulated industry.  With no stimulus funding or mandated smart meter rollouts to boost the market, the industry needs to find other ways to finance innovation.  One option is the use of a software-as-a-service (SaaS) model to defer capital expenditures and reduce resource needs.  For example, both TaKaDu and i2O provide their software as a cloud-based service.  Innovative approaches to regulatory and investment programs will also be important.  In the United Kingdom, OFWAT is currently working with the country’s water utilities on the next regulatory pricing period, to run from 2015 to 2020.  The aim is to increase the ability of utilities to invest in water metering and other network management technologies.

The smart water market is attracting a wide range of new players and presenting established players with the opportunity to expand their business into new areas.  Both sets of players face challenges in an industry that is hungry for change but also conservative in its operations and restricted in its financial options.  As stated in our Smart Water Networks report, while there are strong drivers for growth, the challenges of transforming a conservative industry faced with a physically and technically challenging deployment environment mean that the growth in this market will always be steady rather than explosive.  However, the direction of travel is clear.


Cyber Security Community Finally Faces Reality

— April 8, 2014

It’s springtime, so the Navigant Research team is on the road again, speaking at conferences.  This spring’s cyber security conferences have confirmed what I’ve said in this blog for some time now:  the hype is over; the hard work is here to stay.

At SMi’s European Smart Grid Cyber and SCADA Security conference in London, traditionally a showplace for vendors to hawk their wares, there was a decidedly more technical focus this year.  Enel of Italy gave a detailed description of the various projects running in its lab in Pisa, describing how cyber security is integral to each.  It was inspiring to see cyber security integrated at the outset of a project, rather than after a bad audit.  Equally instructive was the description of Enel’s experimental area in Livorno, where many of the company’s new technologies first see public adoption.  Other speakers at this conference continued the technical thread, with topics such as self-learning network anomaly detection, and traditional devices such as firewalls and intrusion detection systems that have been specifically reengineered for control networks.  The unmistakable message that I brought back from London: cyber security vendors have finally accepted that the utility industry is like no other.

Future at Risk

The SANS ICS Cyber Security Summit in Orlando, Florida offered similar but more technical fare.  Adam Crain and Chris Sistrunk described their eponymous vulnerabilities.  They have demonstrated how to disable a utility substation or control console via the serial protocol DNP3.  This is critical because DNP3, which is non-routable, had been previously considered immune to attack.  Another safe assumption bites the dust.  Eric Byres of Tofino Security gave a surprisingly accessible description of deep packet inspection in control networks – a topic normally best saved for researchers and PhDs.  There was also a fascinating Trend Micro report on a control network honeypot deployment, which will be the subject of my next blog.

The unifying theme at both conferences was that protecting control networks is hard work that is never really finished.  Our reports, including Industrial Control Systems Security, have been saying this for 4 years now.  Utility cyber security vendors are finally getting the message.  And to be fair, a few vendors have always understood.

Nonplussed

But challenges remain.  At both conferences, my remarks described the existential threat facing many utilities.  One U.S. utility CEO declares that the grid’s days are numbered.  The Economist reports that European utilities have lost half a trillion euros of market cap since 2008.  Reactions to that news were often blank stares or utter confusion – as if the financial health of utilities has nothing to do with their deployment of cyber security.

This too must change.  Security vendors are not competing with each other, so much as they are wrestling with the future of the industry.  Just as understanding settles upon the community, the odds become daunting.


Cyber Security: The Struggle Continues

— March 10, 2014

Cyber security is, at the best of times, still barely knowable.  The best deceptions are discovered long after they are done.  The greatest heroes and the most heinous villains are unknown – except to each other.  The spy wars of the 1960s have moved online and are still waged undetected, right under our noses.  Recently, a number of home devices, including one smart refrigerator, were compromised and used to send out 750,000 spam emails.  Junk email from your fridge!

Preparing for a talk at SMi’s European Smart Grid and SCADA Security conference in London, I checked in with some of my frequent research contacts for their views.  The consensus:  there has been a lot of movement in cyber security during the past 12 months – by the attackers.  Cyber defenses haven’t appreciably improved.  There is more talk about security architectures and assessments, but talk is not protection.

My contacts relate tales of hostile infiltration and data exfiltration in large control networks.  Utilities are targets, as are oil & gas facilities.  The attackers appear to be stealing data but not otherwise harming the networks.  Why the attackers are doing this, only they know.  They could be gathering data for competitive business advantage or for a future attack.  Most of my contacts (and I) believe that it is the former.

Old and Vulnerable

While that scenario unfolds, large security problems remain unsolved.  We still have no good solution for protecting older grid control devices that have little or no ability to protect themselves.  There are approaches such as network segmenting, but nothing that could be called a solution.  Cyber security practitioners are consuming a fair amount of energy just debating an approach to this problem.

Meanwhile, the Sistrunk/Crain vulnerabilities discovered last year have exposed weaknesses in the Distributed Network Protocol (DNP3) used in many SCADA networks.  A non-routable protocol, DNP3 is immune from attacks that target routable protocols such as the Internet Protocol (IP).  NERC CIP reliability standards have, therefore, ignored non-routable protocols, assuming that they were safe.  However, the Sistrunk/Crain vulnerabilities show that that assumption is no longer reliable.

Meanwhile, many utilities are looking at how to use their smart metering networks to enable distribution automation (DA).  That approach can get a utility into DA much faster than building out a new control network.  But it can also transform the advanced metering infrastructure (AMI) from a network of cash registers to a network of grid controllers.  The accompanying change in security requirements is substantial, and some utility operations teams understandably refuse to allow this integration.  Perhaps for good reason:  one AMI vendor assessed 20 large deployments of its system and found that data encryption had not been activated in any of them.

Still, there have been no blackouts yet.  Even the Metcalf Substation attack – little known for 10 months until recently reported by The Wall Street Journal – did not result in a loss of power for anyone.  That’s because PG&E had already engineered resiliency into its grid.  But will utilities always be that lucky?

So much conflicting input demands a reliable read of the situation, and if you want to get to the bottom-line reality, find out what the bookies think.  Or next best, the actuaries.  This is where things become worrying.  Lloyds of London’s Kiln Syndicate will not insure utilities’ control systems – transmission and distribution – against cyber-attack.  In other words, we can all talk all we want, but the people who assess risk – not for a living, but for a return on investment – don’t think that utility cyber security is a very good bet to make right now.
