Navigant Research Blog

Honeypots Teach Us About Attackers

— April 11, 2014

Security researchers will try almost anything to find out who is attacking their clients and how.  One of their best-loved and most effective techniques is a honeypot.  First developed about a decade ago, a honeypot is a decoy system or network – a tempting target for attackers that is not really a target at all, but a trap.  The objective is to lure attackers into the honeypot and then watch how they work.  Attackers’ methods are almost like fingerprints; researchers who are familiar with a number of attackers can often identify the attackers simply by watching their step-by-step process of discovery through the honeypot.  Researchers do have other methods as well, such as tracing IP addresses or even fingerprinting the attackers’ browser – adding source code to the attackers’ browser that reveals more about their identity.

Attackers are, of course, aware that honeypots exist, so preparation of an effective honeypot must be extremely detailed.  To set up a honeypot requires a fair bit of planning to make the target look as realistic as possible.  Eventually, the attackers will realize that they’ve been had, so the objective is to keep them in the honeypot as long as possible to gather as much information as possible about their methods and their identity.

One security researcher described one of his honeypots in a talk at the SANS 9th Annual ICS Security Summit.  Kyle Wilhoit of Trend Micro described a scenario in which he set up juicy but fake targets on five continents and then watched them be attacked.   Each was a model of a control system for a small municipality water pump.  Connected directly to the Internet and with insufficient protection, this water pump looked like easy pickings, and it was attacked nearly 100 times.  Again, the attackers were not attacking an actual water pump but were instead sending commands to a simulation of a water pump – the honeypot.

Disturbing Motives

Perhaps most disturbing to me is that most of the attacks that Wilhoit reported were attempted sabotage, not data exfiltration.  Nearly all of my recent research indicates that large-scale persistent attacks against control networks have been data exfiltration for competitive advantage.  In this case, however, data exfiltration attempts were a minority of all attacks.  Even some well-known attack teams supported by hostile nation-states attempted to disable the water pump, not simply exfiltrate its data.  For me, this requires a rethink:  Is all that data exfiltration really just for competitive advantage or are attack plans being prepared?  As ever, only the attackers know, but this one project suggests that there may be more attack planning than has been assumed.

You might think that attackers seeing a control device connected directly to the Internet would say, “Nah, this is too good to be true.”  And then seeing a control device directly connected to the Internet with little or no security – “It just has to be fake, right?”  Sadly, no.  Attackers are accustomed to discovering real systems like this all day long – directly connected to the world and with no protection.

My conclusion is mixed.  Honeypots are an effective tool for learning about our adversaries.  Yet, honeypots work because the unprotected systems that they mimic are commonplace in our industry.


Cyber Security Community Finally Faces Reality

— April 8, 2014

It’s springtime, so the Navigant Research team is on the road again, speaking at conferences.  This spring’s cyber security conferences have confirmed what I’ve said in this blog for some time now:  the hype is over; the hard work is here to stay.

At SMi’s European Smart Grid Cyber and SCADA Security conference in London, traditionally a showplace for vendors to hawk their wares, there was a decidedly more technical focus this year.  Enel of Italy gave a detailed description on the various projects running in its lab in Pisa, describing how cyber security is integral to each.  It was inspiring to see cyber security integrated at the outset of a project, rather than after a bad audit.  Equally instructive was the description of Enel’s experimental area in Livorno, where many of the company’s new technologies first see public adoption.  Other speakers at this conference continued the technical thread, with topics such as descriptions of self-learning network anomaly detection, and traditional devices such as firewalls and intrusion detection that have been specifically reengineered for control networks.  The unmistakable message that I brought back from London: cyber security vendors have finally accepted that the utility industry is like no other.

Future at Risk

The SANS ICS Cyber Security Summit in Orlando, Florida offered similar but more technical fare.  Adam Crain and Chris Sistrunk described their eponymous vulnerabilities.  They have demonstrated how to disable a utility substation or control console via the serial protocol DNP3.  This is critical because DNP3, which is non-routable, had been previously considered immune to attack.  Another safe assumption bites the dust.  Eric Byres of Tofino Security gave a surprisingly accessible description of deep packet inspection in control networks – a topic normally best saved for researchers and PhDs.  There was also a fascinating Trend Micro report on a control network honeypot deployment, which will be the subject of my next blog.

The unifying theme at both conferences was that protecting control networks is hard work that is never really finished.  Our reports, including Industrial Control Systems Security, have been saying this for 4 years now.  Utility cyber security vendors are finally getting the message.  And to be fair, a few vendors have always understood.


But challenges remain.  At both conferences, my remarks described the existential threat facing many utilities.  One U.S. utility CEO declares that the grid’s days are numbered.  The Economist reports that European utilities have lost half a trillion euros of market cap since 2008.  Reactions to that news were often blank stares or utter confusion – as if the financial health of utilities has nothing to do with their deployment of cyber security.

This too must change.  Security vendors are not competing with each other, so much as they are wrestling with the future of the industry.  Just as understanding settles upon the community, the odds become daunting.


Cyber Security: The Struggle Continues

— March 10, 2014

Cyber security is, at the best of times, still barely knowable.  The best deceptions are discovered long after they are done.  The greatest heroes and the most heinous villains are unknown – except to each other.  The spy wars of the 1960s have moved online and are still waged undetected, right under our noses.  Recently, a number of home devices, including one smart refrigerator, were compromised and used to send out 750,000 spam emails.  Junk email from your fridge!

Preparing for a talk at SMi’s European Smart Grid and SCADA Security conference in London, I checked in with some of my frequent research contacts for their views.  The consensus:  there has been a lot of movement in cyber security during the past 12 months – by the attackers.  Cyber defenses haven’t appreciably improved.  There is more talk about security architectures and assessments, but talk is not protection.

My contacts relate tales of hostile infiltration and data exfiltration in large control networks.  Utilities are targets, as are oil & gas facilities.  The attackers appear to be stealing data but not otherwise harming the networks.  Why the attackers are doing this, only they know.  They could be gathering data for competitive business advantage or for a future attack.  Most of my contacts (and I) believe that it is the former.

Old and Vulnerable

While that scenario unfolds, large security problems remain unsolved.  We still have no good solution for protecting older grid control devices that have little or no ability to protect themselves.  There are approaches such as network segmenting, but nothing that could be called a solution.  Cyber security practitioners are consuming a fair amount of energy just debating an approach to this problem.

Meanwhile, the Sistrunk/Crain vulnerabilities discovered last year have exposed weaknesses in the Distributed Network Protocol (DNP3) used in many SCADA networks.  A non-routable protocol, DNP3 is immune from attacks that target routable protocols such as the Internet Protocol (IP).  NERC CIP reliability standards have, therefore, ignored non-routable protocols, assuming that they were safe.  However, the Sistrunk/Crain vulnerabilities show that that assumption is no longer reliable.

Meanwhile, many utilities are looking at how to use their smart metering networks to enable distribution automation (DA).  That approach can get a utility into DA much faster than building out a new control network.  But it can also transform the advanced metering infrastructure (AMI) from a network of cash registers to a network of grid controllers.  The accompanying change in security requirements is substantial, and some utility operations teams understandably refuse to allow this integration.  Perhaps for good reason:  one AMI vendor assessed 20 large deployments of its system and found that data encryption had not been activated in any of them.

Yet there have been no blackouts so far.  Even the Metcalf Substation attack – little known for 10 months until recently reported by The Wall Street Journal – did not result in a loss of power for anyone.  That’s because PG&E had already engineered resiliency into its grid.  But will utilities always be that lucky?

So much conflicting input demands a reliable read of the situation, and if you want to get to the bottom-line reality, find out what the bookies think.  Or next best, the actuaries.  This is where things become worrying.  Lloyds of London’s Kiln Syndicate will not insure utilities’ control systems – transmission and distribution – against cyber-attack.  In other words, we can all talk all we want, but the people who assess risk – not for a living, but for a return on investment – don’t think that utility cyber security is a very good bet to make right now.


NIST Cyber Security Framework a Major Step Forward

— February 21, 2014

NIST released its long-awaited Framework for Improving Critical Infrastructure Cybersecurity on February 12.  First, let us applaud NIST for meeting the deadline as required, no matter that it was mandated by an Executive Order.  Thankfully at least one D.C. agency gets its work done on time.

After one reading I find lots to like in this framework.  It covers aspects often neglected in cyber security.  For example, it’s impossible to overstate the importance of a glossary.  Inconsistent terminology is a sure way to undermine any undertaking.  Although some of the terminology in this framework is not used the way that I would use it, I can change.  We all can.

Another nice feature is the concept of an iterative approach.  The approach is security as an ongoing concern, not an annual ticket punch.  One of the worst business books I have ever read still had one nugget worth recalling:  “Finished Never Is.”  Cyber security is always ongoing:  threats are always changing.

I was also impressed that the framework was developed with use outside the United States in mind.  Of note, there is more focus on data privacy than we usually see in the United States – although it’s fair to note that that was a requirement of the Executive Order.  At nearly every cyber security conference I have attended in Europe, a speaker from NIST has presented.  NIST even sits on some of the ENISA standards committees, and I have more than once heard European policymakers suggest simply adopting NIST cyber security standards for Europe.

Change We Can Afford

Another nice touch is the pragmatism:  “While organizations identified as Tier 1 (Partial) [i.e., organizations that have only partially implemented risk analysis or cyber security] are encouraged to consider moving toward Tier 2 or greater, Tiers do not represent maturity levels. Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective.”  That must be the first time I’ve read a standard that said only do this if you can afford it and it will make your life better.

There are challenges.  Any organization that does not currently have an asset-based risk analysis will have to create that first.  I do not know of any utilities that have an asset-based risk analysis of their control networks.  Merely identifying all the assets in a control network can be challenging.  Quantifying the impact and probability of each risk for each asset can be a long and possibly contentious process.

Implementing this framework will be an enormous amount of work for a utility.  Outside help may be necessary.  IBM has already announced an offering to help implement the framework.

Next, there’s that word voluntary.  That is not a weakness in the framework itself, but utilities have, in general, shown a willingness to invest only in cyber security that is required by laws or regulations.  Will this framework drive more cyber security investment?  It might by giving both vendors and utilities a common target.  The framework’s ability to give all stakeholders a shared vision is a major step forward.
