Before we learn how to defend our infrastructure against hackers, we need to understand what threats it faces.
Robert M. Lee is the CEO and Founder of Dragos and a SANS Certified Instructor and course author. He gained his start in security as an Air Force Cyber Warfare Operations Officer identifying nation-state cyber attacks on critical infrastructure while serving in the Intelligence Community. He may be found on Twitter @RobertMLee.
The systems we rely on most for some of the nation's most sensitive infrastructure, such as the power grid, manufacturing, oil and gas facilities, and water utilities, face cybersecurity threats we do not fully understand. This leads to a gap in reporting that can be filled by "experts" with questionable experience and hyped-up metrics.
All this raises the question: How do we not have at least an understanding of the threats we face—such as the groups that wish us harm and their capabilities—even if we cannot fully counter them? This question can be answered through two key points: we lack visibility into industrial networks, and organizations have a strong desire to report on cyber threats, which leads to hype.
An Issue of Visibility
The government and private sector communities have traditionally gained deep insight into the IT threat landscape. With endpoint sensors, antivirus, intrusion detection systems, and other data sources internal to IT environments recording activity and reporting it, there has been a lot of information to go through. For decades now, governments as well as organizations with access to large data sets, such as vendors like Kaspersky, Symantec, Trend Micro, Microsoft, Verizon, and others, have compiled great insight into the malicious actors in our environments.
As the community has pushed to analyze adversary activity in networks, the field of threat intelligence has emerged as a hot topic. At its core, threat intelligence seeks to analyze malicious actions and extract knowledge on how to detect these threats and counter them more efficiently. A great benefit of this threat intelligence has been an understanding of the threat landscape, or knowledge of what threats have the potential to impact different organizations and how they might accomplish their malicious goals.
Industrial control system (ICS) environments, such as the supervisory control and data acquisition (SCADA) networks that run our electric grid, water distribution systems, and gas pipelines, have not traditionally had these security sensors. Visibility into ICS networks has been difficult to obtain, sometimes for good reasons. As an example, running antivirus software on systems in an ICS can potentially do more damage than good by flagging legitimate files as malicious and deleting them. Other reasons have not been as good, such as cultural challenges stemming from a lack of understanding of the value of security to the reliability and safety of industrial operations.
Regardless, adversary activity has not been as easy to observe because of the limited information we can acquire from these environments. Take, for example, the US government's ICS Computer Emergency Response Team (ICS-CERT). ICS-CERT is one of the recognized authorities on incidents across different industries in the ICS community. In the 2015 edition of the team's annual report on security incidents, 110 of 295 incidents were identified as having an "unknown" attack vector. In other words, there was no understanding of how the incident happened.
The second most common attack vector found was phishing emails, at 109 cases. The problem with this metric is that most ICS networks do not have email systems or email access inside the ICS network itself. This means that for the majority of the security incidents reported, the cause was either unknown or was only seen outside of the control systems themselves.
A little-reported fact is that a significant majority of the ICS-CERT incidents are not reported by infrastructure owners but by other government entities. There is little visibility into the most critical networks of our nation's most critical infrastructure, such as nuclear power stations. This opens the door for organizations and individuals to make wild claims, such as Dell's claim that 2014 saw a 100 percent increase in cyber attacks on SCADA environments. The company claimed over 600,000 cyber attacks took place, which can only be accurate under a very loose definition of the word "attack." Without real data, there is no appropriate counter to such claims, and the void gives way to hype.
Gaps in Knowledge Will Be Filled with Hype
News organizations grab their audience's attention when headlines speak of cyber attacks against critical infrastructure. Security companies gain access to media to promote their staff and their latest cyber security products when they report on these attacks. Individuals gain notoriety at security conferences when they can speak on matters that few can challenge them on, despite having no experience in the field of ICS security. And some misguided security practitioners believe that the hype can serve as a wake-up call for the ICS community to take security seriously.
But hype can dissuade the many organizations that are working hard to take security seriously from investing further. More importantly, the hype does eventually get resources allocated, but they are resources for the hyped-up threats and not for the real threats the industry faces.
Take, for example, the Norse and AEI report on Iranian cyber attacks against ICS/SCADA networks. The report made bold claims attributing cyber attacks against SCADA systems to Iran. I critiqued the report, and its predecessor which claimed 500,000 cyber attacks, because almost all of the claims fell short of reality. The individuals did not have subject matter expertise, or any experience for that matter, with ICS environments, and the attribution to Iran was based on determining the source IP address of scans, which they called attacks, against honeypots, not actual infrastructure. Yet it gained national media attention and was briefed to senior government officials.
This is far from the only example. Other notable examples include: claims of cyber attacks against an oil pipeline despite strong evidence against the claims, beliefs that Russia hacked a water utility when it was just an employee logging into the network while on vacation, and fear over Israel's power grid being hacked based on government member statements when it was just ransomware on an unrelated network.
What this ultimately means is that we need more practitioners in the field of ICS cyber security. We need to focus on training personnel instead of being overly focused on products. The right people will choose the right tools, but untrained people will use tools incorrectly even when they are the right ones. Those people need to look into their environments with knowledge of the ICS instead of over-relying on knowledge of the threats, which we do not have much of right now.
We need the ICS industry to feel comfortable sharing information related to breaches, espionage, and attacks when they find something. Security vendors in this space need to prioritize quality of information instead of the quantity. The government needs to incentivize the good work of ICS companies leading the way in the community instead of relying solely on punitive measures that lead to a culture of just complying with regulations.
And to top it all off, the entire security community needs to take a critical look at reports of ICS cyber attacks, incidents, and malware so that the ICS community can stay focused on discovering the real threats. This will help them avoid falling prey to agendas by some government agencies and security companies despite their best intentions.
There are unseen hacks in the ICS community. We are going to begin seeing more of them come to light. These case studies need to be leveraged properly to advocate for more visibility community-wide, while avoiding the hype that can take us all down the wrong path.
The Hacks We Can't See is Motherboard's theme week dedicated to the future of security and the hacks no one's talking about.