Navigant Research Blog

New Cyberweapons Heighten Grid Concerns

— July 6, 2017

The threat level against grid assets and Internet of Things (IoT) devices keeps rising, or at least we are witnessing a heightened sense of potential disasters. The latest eye-opening news was the revelation, or better put the confirmation, that Russia has developed a cyberweapon that can disrupt power grids. That is not all that surprising given the blackout in Ukraine last December, which researchers have now linked to the same malware.

CrashOverride

Researchers say the Russian malware, known as CrashOverride (ESET calls it Industroyer), is a cyberweapon that could be modified and then deployed against the US electrical grid or the grids of other Russian adversaries. What sets it apart from ordinary intrusion tooling is that it speaks the grid's own control protocols (IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OPC DA) directly, so it can issue commands to substation equipment itself rather than merely giving an operator remote access. One cybersecurity expert called the news a game-changer, while another said it connects to an ongoing Russian effort that targeted US industrial control systems in 2014.

The potential threat to the US grid has reached the highest levels of the government. President Trump met recently with leaders from the energy sector and experts in the field of cybersecurity to address the issue and to reiterate his plea for improving the cooperative work between the public and private sectors to protect critical infrastructure like the grid. The meeting followed the president’s May executive order, which in part called for an assessment of how prepared the country is should a significant cyber attack cause prolonged power outages.

Little Known Nuclear Site Intrusion

While the Russian cyberweapon story captured headlines, a lesser known threat against US nuclear power generation sites has surfaced. Officials are investigating a cyber intrusion affecting several nuclear power sites, according to E&E News. Details are few, but officials have confirmed they are unpacking a secretive cyber event code-named Nuclear 17. There is no evidence nuclear energy assets were compromised, but such a cybersecurity breach at closely guarded nuclear reactors would appear to indicate an escalation of hackers’ abilities to probe such sensitive infrastructure.

In the IoT world, no new major attacks have been reported, but the threat against connected devices remains relatively high. One noted expert believes the situation is worse than most people think. We are “one disaster away from government doing something,” says Bruce Schneier, CTO of IBM Resilient, a fellow at Harvard’s Berkman Center, and a board member of the Electronic Frontier Foundation. He argues that IoT industry stakeholders need to help shape smart regulations or run the risk of operating under stupid government rules. His point is well taken, and it aligns with what I’ve said in a previous blog about stakeholders focusing on strong security measures. It’s a way to keep systems and people safe and to shape best practices that regulators could view as a framework for reasonable or smart IoT regulations.

Pay Attention, Don’t Panic

Given where we are with cyber attacks, whether against grid assets or IoT devices, we should be concerned, but I see no need for panic. As bad actors with increasingly powerful tools come to light, there is a clear need for stepped up action by grid operators, technology vendors, and regulators. Presumably, important action is taking place behind the scenes. But it would be comforting to know with more certainty that government and industry stakeholders are cooperating and pushing real measures to minimize the risks to the grid and to people.


Cybersecurity Pros Are Hiding the Breaches: This Must Stop

— May 31, 2017

Even the security good guys are failing us. That’s the upshot from the new survey of cybersecurity experts conducted by Bromium, a cybersecurity firm based in Cupertino, California.

The company surveyed attendees at the RSA Conference 2017 and others as part of a combined extended study and found startling results:

  • On average, 10% of security professionals said they had paid a ransom or hidden a breach without telling their team members (5% at RSA, 15% in the extended study). For scale: an estimated 638 million ransomware attacks took place in 2016, so if even a fraction of that behavior carries over to incidents, tens of millions of attacks may be going unreported.
  • On average, 35% of security professionals said they went around, turned off, or bypassed their own corporate security settings (38% at RSA, 32% in extended study of United States and United Kingdom security professionals).

The folks at Bromium said the results “kind of blew their minds.” No kidding. This level of failure to act is shocking. But on further analysis, perhaps understandable. The bad guys have both the incentives and easy access to the tools needed to break into servers and cause havoc.

For grid operators, this is not good news. A U.S. News & World Report article last year noted that it took hackers just 22 minutes to get employees at an electric facility north of Seattle to bite on phishing emails. It was only an authorized exercise, but it proved the point that the grid is vulnerable and that humans are often the weakest link.

Security Fatigue

One of the root causes among cybersecurity professionals for this lack of diligence is security fatigue, as pointed out in a TechRepublic story. The National Institute of Standards and Technology (NIST) defines this fatigue as “weariness or reluctance to deal with computer security.” The author recommends that companies reduce such fatigue by boosting the relevance and importance of security alerts to an IT team and emphasizing the need for constant security vigilance.

It is hard to argue with that recommendation. However, I would take things a step further: institute regular focused training on how to combat threats combined with controlled drills or testing, like the one at the plant near Seattle. It is unacceptable that people we need to trust have such careless attitudes and avoid actions in the face of threats. It is hard to admit, but we are in far deeper trouble on this front than imagined. We must do better.


Patch or Perish: NERC-CIP and the Lesson of the WannaCry Worm

— May 16, 2017

Last Friday and over the weekend, hundreds of thousands of computers were infected with the Wana Decrypt0r 2.0, or WannaCry, worm. It spread so fast because it does not need anyone to open an attachment: once on a machine it scans for other Windows hosts reachable over SMB (TCP port 445), on the same network, whether at work or in a cafe, and on random Internet addresses, and infects them directly. On an infected computer the user’s files are encrypted and the victim is given the choice of losing them or paying a bitcoin ransom of $300. The ransom screen motivates the user by threatening not only the imminent loss of the data but also a rising price; the demand doubles after three days. Racketeering and extortion are now fully a part of life in cyberspace.

(Source: Securelist)

NERC-CIP Standards Work

Unfortunately, there is no equivalent of RICO on the Internet. For the electric utility industry, however, there are enforceable standards designed specifically to keep this kind of event from affecting the stability of the grid. The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection standard CIP-007-6, Requirement R2 (Security Patch Management), Part 2.1, requires:

“A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.”

Part 2.2 of the same requirement adds:

“At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation.”

Cybersecurity Housekeeping

Two months before the outbreak, Microsoft released a critical security bulletin, MS17-010, which stated, “This security update is rated Critical for all supported releases of Microsoft Windows.” It fixed the SMBv1 flaw that WannaCry exploits, and a working exploit for that flaw (EternalBlue) had been publicly available since the Shadow Brokers published a cache of leaked National Security Agency (NSA) tools in mid-April.

Microsoft issued the bulletin on March 14 and the outbreak became widespread on May 12, a gap of 59 days, so every utility had time to evaluate and install the patch. One caveat for anyone reading the standard as a schedule: Part 2.2 allows 35 days to evaluate a patch and Part 2.3 a further 35 days to apply it or to date a mitigation plan, so an entity could in principle have been fully compliant on May 12 and still unpatched. Electric utilities were also protected by other controls that give them a defense-in-depth strategy.
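As an added illustration, not part of the original post, here is a small Python check that applies the two 35-day windows of CIP-007-6 R2 to a patch-tracking record. The MS17-010 release date and the outbreak date are the real ones; the evaluation date, the record layout and the function names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Union

# CIP-007-6 R2: evaluate new patches within 35 calendar days of release
# (Part 2.2); apply them, or date a mitigation plan, within 35 calendar
# days of completing that evaluation (Part 2.3).
EVALUATE_WITHIN = timedelta(days=35)
APPLY_OR_MITIGATE_WITHIN = timedelta(days=35)


@dataclass
class PatchRecord:
    """One row of a patch-tracking log. The field layout is assumed."""
    patch_id: str
    released: date                     # published by the tracked patch source
    evaluated: Optional[date] = None   # applicability evaluation completed
    applied: Optional[date] = None     # patch applied or mitigation plan dated


def assess(rec: PatchRecord, today: Union[date, str]) -> Dict[str, object]:
    """Compute the R2 deadlines for one record and list any findings.

    "compliant" means no deadline has been missed as of `today`;
    "exposed" means the asset is still unpatched and unmitigated on `today`.
    Both can be true at once, which is the point of the example.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings: List[str] = []
    evaluate_by = rec.released + EVALUATE_WITHIN
    apply_by: Optional[date] = None

    if rec.evaluated is None:
        if today > evaluate_by:
            findings.append(f"evaluation overdue since {evaluate_by}")
    else:
        if rec.evaluated > evaluate_by:
            findings.append(f"evaluated late: {rec.evaluated} after {evaluate_by}")
        apply_by = rec.evaluated + APPLY_OR_MITIGATE_WITHIN
        if rec.applied is None:
            if today > apply_by:
                findings.append(f"apply/mitigate overdue since {apply_by}")
        elif rec.applied > apply_by:
            findings.append(f"applied late: {rec.applied} after {apply_by}")

    exposed = rec.applied is None or rec.applied > today
    return {
        "patch_id": rec.patch_id,
        "evaluate_by": evaluate_by,
        "apply_by": apply_by,
        "compliant": not findings,
        "exposed": exposed,
        "findings": findings,
    }


# Constructed records. MS17-010 really was published on 2017-03-14; the
# evaluation date is assumed, chosen to fall inside the Part 2.2 window.
MS17_010 = PatchRecord("MS17-010", released=date(2017, 3, 14),
                       evaluated=date(2017, 4, 10))
NEVER_EVALUATED = PatchRecord("KB-example", released=date(2017, 3, 14))

if __name__ == "__main__":
    # Outbreak day, then four days later.
    for day in ("2017-05-12", "2017-05-16"):
        for rec in (MS17_010, NEVER_EVALUATED):
            r = assess(rec, day)
            print(day, r["patch_id"],
                  "compliant" if r["compliant"] else "NON-COMPLIANT",
                  "exposed" if r["exposed"] else "patched", r["findings"])
```

On the outbreak date the MS17-010 record is compliant and exposed at the same time: evaluation was completed before the April 18 deadline, and the apply-or-mitigate deadline of May 15 had not yet passed. For a Critical-rated bulletin with public exploit code, the evaluation step should set a much shorter internal deadline than the standard's ceiling.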

Patching is one layer; the standard also requires defense in depth at the network level. CIP-007-6 Requirement R1 (Ports and Services), Part 1.1, states (condensed here):

“Where technically feasible, enable only logical network accessible ports that have been determined to be needed … disabling or restricting (others).”

Researchers have established that the worm component scans for hosts with TCP port 445 (SMB) open, both on the local network and on random Internet addresses. For each target it first checks whether the DoublePulsar kernel backdoor is already present, a leftover from earlier exploitation; if it is, the backdoor is used to load the ransomware. Otherwise the worm exploits the SMBv1 flaw fixed by MS17-010 (the EternalBlue exploit) to install DoublePulsar, then delivers the ransomware through it.

The CIP standard requires that ports that are not necessary, as well as those that are known to be vulnerable, be disabled or restricted. It is common knowledge among cybersecurity practitioners that port 445 should be blocked at the network perimeter and on any host that does not need to serve files; where file sharing is needed, SMBv1 should be disabled (on Windows 8 and Server 2012 and later, Set-SmbServerConfiguration -EnableSMB1Protocol $false) and SMB traffic confined to the segments that require it. Any entity that performed this basic level of cybersecurity housekeeping would have removed the worm’s only propagation path, even on systems not yet patched.
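As an added example, not from the original post or from NERC, the following Python script performs the Part 1.1 check offline: it parses the LISTENING entries from a saved netstat -an capture, compares them with the entity’s documented list of needed ports, and calls out the SMB/NetBIOS ports WannaCry used. The netstat text and the needed-ports baseline are constructed for the example, and the function names are assumptions.

```python
import re
from typing import List, Set, Tuple

Port = Tuple[str, int]   # (protocol, port number)

# Constructed `netstat -an` output for a Windows host; not a capture from a
# real utility system. IPv6 listeners appear in bracket notation.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.10.5:139       0.0.0.0:0              LISTENING
  TCP    192.168.10.5:3389      192.168.10.20:51022    ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
"""

# Hypothetical baseline: the ports the entity has documented as needed for
# this asset under CIP-007-6 R1 Part 1.1 (here, RDP from a jump host only).
# Everything else should be disabled or restricted.
NEEDED_PORTS: Set[Port] = {("TCP", 3389)}

# The SMB/NetBIOS ports WannaCry propagated over; flagged separately because
# they were the worm's only way in.
SMB_PORTS: Set[Port] = {("TCP", 445), ("TCP", 139), ("UDP", 137), ("UDP", 138)}

_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listening(netstat_text: str) -> Set[Port]:
    """Extract the (proto, port) pairs the host is listening on.

    TCP entries count only in the LISTENING state; UDP entries carry no
    state and are always counted. The port is taken after the last ':' so
    that '[::]:445' and '0.0.0.0:445' both yield 445.
    """
    listening: Set[Port] = set()
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, local, _remote, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        port = int(local.rsplit(":", 1)[1])
        listening.add((proto, port))
    return listening


def audit(listening: Set[Port], needed: Set[Port]) -> List[str]:
    """Report enabled ports that are not on the needed-ports list, naming
    the SMB/NetBIOS ports explicitly."""
    findings: List[str] = []
    for proto, port in sorted(listening - needed):
        tag = ""
        if (proto, port) in SMB_PORTS:
            tag = " (SMB/NetBIOS: WannaCry propagation path)"
        findings.append(f"{proto}/{port} enabled but not on needed-ports list{tag}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_listening(SAMPLE_NETSTAT), NEEDED_PORTS):
        print(finding)
```

On a live Windows host the same listener list comes from Get-NetTCPConnection -State Listen or netstat -ano; parsing a saved capture lets the check run against evidence an entity already retains for CIP audits. The check is per host on purpose: blocking 445 at the perimeter does nothing for a laptop that carries the worm inside, so the needed-ports baseline has to hold on every asset.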

Standards Frameworks Work, Too

Good cybersecurity is not just a product of having the latest firewalls and security systems in place; it is also the product of having a program in place, like adherence to CIP standards, that sets a policy and specific procedures that must be followed. Companies and organizations that do not adopt a standards framework, such as CIP, will increasingly be at the mercy of Internet racketeers and extortionists.


IoT Cybersecurity Clouds

— May 4, 2017

The dark Internet of Things (IoT) cybersecurity clouds keep hanging around with the latest news about malware that can wipe data from infected devices. Researchers from Palo Alto Networks discovered malicious software called Amnesia that infects digital video recorders. If Amnesia detects that it is running in a virtual machine, which usually means an analyst’s sandbox, it wipes critical directories from the file system to frustrate analysis. The researchers say this is a new capability in malware aimed at Linux-based embedded devices, a category that includes smart TVs, wireless routers, switches, set-top boxes, in-vehicle entertainment systems, navigation hardware, industrial automation equipment, and medical instruments. This potential threat goes beyond consumer devices and could affect the electrical grid. Several other threats against IoT devices have surfaced as well:

  • University of Michigan researchers demonstrated they could hack into sensors on smartphones, automobiles, and IoT devices using a $5 speaker. They targeted microelectromechanical systems (MEMS) accelerometers, which measure acceleration along three axes. Using acoustic tones, they deceived 15 different accelerometer models into registering movements that never happened.
  • Engineers at Israeli firm Argus Cyber Security remotely shut down a car engine using a smartphone app, a Bluetooth connection, and a $75 dongle, which insurance companies install frequently to monitor driving. The engineers triggered a signal that disabled a car’s fuel pump, something that would only happen after a collision, according to a Wall Street Journal report.
  • A doll named Cayla was investigated by regulators in Germany as a security threat. The doll does not connect to the Internet directly, but it can be reached over Bluetooth from any mobile device running the doll’s dedicated app. Researchers found the dolls recorded voices and sent the data to a third party specializing in voice recognition.

Security Is Top Concern for Developers

Among developers who write software for IoT devices, security concerns remain high. Some 47% of developers who responded say security is their top concern, and it has remained number one for 3 years, according to an annual survey (see slide 16) by the Eclipse Foundation. The situation does not seem to be getting much better in terms of the potential threats posed by IoT devices. However, beyond the negative headlines, there is some positive work taking place:

  • The prpl Foundation is making progress on efforts to reduce threats to IoT devices. Members of this open source and community-driven foundation are focused on enhancing the security and interoperability of embedded devices.
  • Two industry groups joined forces to improve Internet security. The Online Trust Alliance (OTA) has partnered with the Internet Society to improve security and data privacy. For several months, the OTA has promoted a new framework for securing the IoT, supporting multiple built-in security measures for devices from the beginning, and advocating strong security through the entire IoT product lifecycle.
  • The National Institute of Standards and Technology (NIST) continues to push a broad set of initiatives to create a safer marketplace through its Cybersecurity for IoT program.

Will the Clouds Part?

So where do we stand in this process to create a more secure IoT world? In short, there is progress taking place. One thing to keep in mind: the IoT security threat is not going away anytime soon. That said, key stakeholders need to stay focused on providing stronger security measures for IoT devices and services. Otherwise, IoT market opportunities (see Navigant Research’s Emerging IoT Business Models report) will be lost or needlessly delayed. We are in for cloudy skies for the next several years, so get used to a blend of bad news about breaches coupled with positive steps to thwart them.

