US-CERT Finds Russian Hackers Spent Months Inside Targeted Systems

The Implications of US-CERT’s Concerns of Russia Targeting Critical Infrastructure

eWeek and Security Boulevard, March 16 & 21, 2018, with comments by Ray DeMeo

It’s been stated for a few years now that industrial control systems (ICS) are vulnerable to cyber attacks and that nation state attackers are high on the list of likely attackers. The recent US Computer Emergency Readiness Team (US-CERT) report confirms these suspicions with details of actual cyberattacks into US power grids by Russian attackers.

Access Started Through Insecure Third-Party Networks

According to the report, the Russian government conducted a long-term and multi-staged intrusion into US energy stations. The Department of Homeland Security (DHS) and the FBI describe the process as first targeting third-party, less secure commercial facility networks with malware, then using spear phishing campaigns to gain remote access into energy sector networks. The report also notes once the attackers gained access, “the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”

Ray DeMeo, co-founder and chief operating officer at Virsec, told Security Boulevard, “The types of attacks described in the DHS/FBI alert themselves are hardly new or surprising to security experts. Organizations in critical sectors in fact should expect nation state actors to probe for and exploit weaknesses on their network. [US-CERT] posts alerts based on specific evidence of breaches and the US-CERT advisory gives organizations information that they can use to defend themselves with. While it is not going to deter more attacks, the advisory does call out specific groups and locations that companies can set specific rules around.”

ICS Networks Vulnerable by Design & Attackers Could Already Be Inside

The frightening reality is that ICS networks are inherently vulnerable by design, and this particular attack didn’t even require a special level of sophistication. Industrial control system networks have been around since before the Internet era and prior to that, were considered relatively save because they were “air-gapped” from the world. But that’s not true anymore – now, they do rely on connections to the Internet that aren’t secure. And their equipment and software is also outdated.

“Much of the problem is also due to obsolete equipment and unsupported operating systems,” Ray DeMeo told eWeek. “The majority of infrastructure was designed a generation ago without modern security in mind, often built with the concept of isolation,” DeMeo said. “Isolation is an outdated idea that is rarely effective anymore. You’re only a USB stick away from an attack.”

He continued, “Organizations are reticent to change existing systems because they perform their original functions reliably. But the conditions around them have changed, and they’re remaining unprotected. The result is that the systems can’t be patched and run applications that may not be able to work properly if the operating system is updated.”

DeMeo suggested that the industrial systems be patterned after the security in the financial industry. “Wall street wouldn’t survive if they didn’t have the security they do,” he said.

DeMeo also suggested that a long term fix would be to include security readiness in an organization as part of the annual audit and that it be disclosed to stockholders. He also suggested that insurance premiums be tied to security readiness. Those actions would encourage companies to make themselves more secure because it would affect their bottom line.

“You should assume that you’re being targeted if you have something of value,” DeMeo said. “You have to assume that they’re already in your system. The question is how do you get them out?”

Read full eWeek US-CERT’s Russian Hackers article

Read full Security Boulevard US-CERT on Russia targeting critical infrastructures article