IP NETs, a technology that fits well with plug-and-play devices and software, are increasingly the go-to for multiple types of communication. But recent events show that IP NETs have opened communications and operations to truly dire cyber-threats.
Details of the threats came out in news reports, but are perhaps best summed up by a Department of Homeland Security updated warning to industry which included a screenshot taken by Russian operatives that showed they could penetrate the targeted companies’ critical controls.
The threat actors, as DHS calls the state-sponsored hackers, gained access through clever and persistent spear-phishing and watering-hole ruses. They then used standard Windows processes to exploit or leverage registry and other file types to manipulate credentials, alter or create scheduled tasks, crack passwords and manipulate remote access services to connect to intended targets. The objective, according to authorities, seemed to be internal reconnaissance and espionage suggesting intent to disrupt or disable critical systems, should such an advantage prove opportune in the future.
It appears the only thing keeping these threat actors from shutting down these vital systems is political motivation. And that means it is past time for industry-wide adoption of comprehensive, defense-in-depth cybersecurity. That includes the type of cybersecurity that’s already in place across U.S. military facilities nationwide, and the kind of security widely and readily available to private and highly regulated businesses within and beyond U.S. borders.
The typical cyber-defense methodology has been based on simple system architectures tying together office PCs, usually managed by IT specialists rather than cybersecurity specialists. This line of defense consistently proves inadequate as intrusions become more sophisticated.
Particularly underserved by deeply-layered cybersecurity are the machine-to-machine systems driving the military and civilian industrial sector. They are powered by countless sensors embedded into industrial control networks for purposes that include thermal imaging, radar tracking and climate control. These sensors, also known as programmable logical controllers, are typically equipped to perform a single function. They lack the design for software upgrades that can protect them natively from malware. As a result, cyberattacks introduced through such a network pose potentially life-threatening risks to the infrastructure that drives power grids, transportation systems, dams, hospitals, airports and more.
In the most recent alert, DHS stated that, in multiple instances, “the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities. The threat actors accessed files pertaining to ICS [industrial control systems] or supervisory control and data acquisition (SCADA) systems...The threat actors targeted and copied profile and configuration information for accessing ICS systems on the network. DHS observed the threat actors copying Virtual Network Connection (VNC) profiles that contained configuration information on accessing ICS systems.”
This means that state-sponsored cyber-enemies essentially used Windows to burrow deep into industrial controls; once in, they could manipulate operations.
U.S. defense organizations have been consistent supporters of deeply layered security that extends protections beyond the standard firewall. The objective is to mitigate intrusions, such as these latest, once they’ve breached the network’s first line of defense.
Solutions in use by U.S. agencies, including DoD and DHS, are readily available to the private sector. Some secure the endpoints of these vital machine-to-machine networks. They essentially wrap firewalls around sensors within an ICS using small pieces of hardware that plug directly into the sensor to act as a fence between the machine and its connection to the rest of the network.
If malware traverses the network, the cybersecurity devices and software will control what the machine can do, and whether it will respond at all. If the wrong person ― one who has not been pre-approved, or “whitelisted” ― tries to engage or direct the sensor, the sensor will not respond. The security software also will send an alarm to authorized personnel.
Had such a system been in place across the utilities and other companies DHS and the FBI left unnamed in the current situation, the infrastructure would not have been so seriously breached.
Once again, industry is shown that cybersecurity must be in place as part of an end-to-end architecture. Security experts and operators of as-yet-uncompromised industrial systems know that every device on a network must be identified, secured and authenticated to ensure that data is consistently transmitted unaltered, and only to intended recipients.
U.S. industries and citizens deserve to be better protected from enemies that may opt to shut down hospitals, airports and factories anywhere, or anytime, they choose.
Deborah Lee James was the 23rd secretary of the US Air Force and is currently a special advisor to Ultra Electronics, 3eTI. She leads a wide range of strategic initiatives for 3eTI with a focus on defense-oriented programs that improve operations while cyber securing automated system endpoints.