The gift that keeps on giving – more US grid hacking, Russia fingered

If one were to subscribe to the idea that there is no smoke without fire, then the number of reports surrounding attempts by hackers to compromise the US electrical grid is a veritable inferno of subterfuge. The latest development sees the US Department of Homeland Security (DHS) allege hundreds of intrusions by hackers supported by the Russian state – with new malicious capabilities achieved.

The DHS now claims that the Russian agents have infiltrated systems to such an extent that they could have triggered blackouts. The two identified groups, Dragonfly and Energetic Bear, have been working since 2016, and managed to breach air-gapped networks by compromising the suppliers for the utilities and distribution network operators (DNOs). The DHS, speaking to the Wall Street Journal, believes they could have triggered blackouts if ordered to, affecting hundreds of control rooms.

That’s a big step forward, as reports in 2017 merely said that they’d noticed a lot of attempts to get into these sensitive networks, with little success. Ukraine has suffered blackouts from such attacks, where BlackEnergy and Industroyer (CrashOverride) were used to bring down parts of the grid.

Back in March, the US FBI and DHS published a technical advisory (TA18-074A, available here), but at that time, the idea that blackouts could be triggered was still in the hypothetical stage. Now the threat is real, according to the WSJ interview, where Jonathan Horner, Chief of Industrial Control System Analysis for the DHS, said “they got to the point where they could have thrown the switches.”

However, there’s been a notable amount of push-back from the private sector, arguing that the DHS is striking an alarmist note – and that the WSJ might have hyped things up a bit. There’s no data on the number of “switches” that could have been thrown, or the modeled outcomes of throwing them, and compounding this is the fact that the industry’s opinion of air-gapping is shifting – slowly accepting that this is no longer a safe enough way to operate.

In a discussion of Symantec’s report on the Dragonfly intrusions in the US, Dragos CEO Robert Lee pointed out that there are very big differences between the Ukrainian grid and the US grid, and that the 6-hour outages in Ukraine weren’t exactly a ‘full-blown crisis.’ That conversation also noted that the attackers there appeared very familiar with the Ukrainian grid, which could well explain their success – something that could not be replicated in the US.

In addition, the electric grid does not have a single switch that would cause a blackout. It is made up of dozens to hundreds of larger systems, and in order to cause the Hollywood vision of cyber-warfare, you would need to compromise rather a lot of users. In tandem, smart grid systems are getting much better at outage recovery, intended to address equipment failure and extreme weather. With enough intelligence, a sufficiently smart grid would be able to bring itself back online if attacked in such a manner – unless the hackers managed an extremely long con.

But there are measures that need to be taken quickly. While the grids are more resilient than may be thought, they are just as vulnerable to the attacks conventionally used to target enterprises. An attacker doesn’t need to take a grid offline to damage it, and theft of data could enable a later attack, based on those secrets.

Similarly, the days of the air-gap could be over, given the number of IoT devices out there in the world. If a compromised appliance is installed in a supposedly air-gapped network, it only needs to find a way to hack the nearest IoT device to phone home, and given the number of reports on shoddy thermostats and cameras, this could be unnervingly easy. An air-gap is only as strong as its weakest link, and it would only take a company skimping on its new set of internet-connected security cameras to compromise its entire operation.

Unsurprisingly, traditional IT has a big role to play here, especially in network security and provisioning, so that no insecure devices can live on a company network – although there’s no good answer on how to deal with out-of-band connections. In addition, the conventional attacks are mostly perpetrated by spear phishing, which tries to trick staff with legit-looking web pages or files – to give the attacker a way into the systems. Now, that should only provide a way into the external-facing networks, and not the mission-critical air-gapped networks.

However, by targeting the supply chain, the attackers are hoping to mimic the Trojan Horse, and smuggle their code into a supposedly safe enclave, hidden inside a piece of equipment. This is especially dangerous, as the utility or DNO is acting on the assumption that the air-gapped network is safe, but this is clearly no longer the case.

As such, companies will have to think long and hard about how much they trust their suppliers. Auditing those suppliers and the products they deliver would be quite the onerous task – although perhaps a potentially lucrative industry for third parties – but it is plainly apparent that we no longer live in a world where you can take the supplier’s word for it, regardless of reputation.

Exacerbating this problem is the newer trend of the suppliers being given access to DNO and utility control rooms, so that they can provide support services. This then acts as another channel for attackers to use to gain entry, and if done well enough, a real attack using this vector could be incredibly hard to spot.