The United States is under attack.
Having served as Secretary of the United States Air Force, I know this for a fact. Our sovereign border – and our critical infrastructure – has been breached in a number of serious ways. Without immediate action, America’s lights could quite literally go out.
Last month, Sen. Angus King (I-Maine) illustrated the gravity of threats facing the U.S. energy sector while interviewing Karen Evans, President Trump’s pick to lead a new energy cybersecurity office.
“Right now, there is no deterrence. We are entirely defensive and ultimately that is a losing strategy. We know that a cyberattack is coming at some point. It’s the longest windup for a punch in the history of the world, and shame on us if we’re not prepared for it,” said King, as reported in The Hill.
Foreign covert operatives have successfully breached the critical infrastructure on which every aspect of our society relies: the vital industrial control systems (ICS) that serve as the backbone of our economy, electrical grid, security, financial services, health and transportation systems. Should any or all of these assets fail, the results would be catastrophic.
For two years, we’ve been inundated with evidence that Russian threat actors stole and leaked private communiques to influence the 2016 presidential election. Unfortunately, the volatility and antagonistic rhetoric consuming American politics have half of the country doubting the validity of warnings from the Central Intelligence Agency (CIA), Federal Bureau of Investigation (FBI) and National Security Agency (NSA).
Independent of your political leanings, just-released findings in the Department of Justice’s Cyber-Digital Task Force report should make believers of even the most skeptical audience.
According to the DOJ task force’s report, “This is not a hypothetical threat: one of the Iranian hackers indicted for the DDoS attacks against the U.S. financial sector is also alleged repeatedly to have gained access to the Supervisory Control and Data Acquisition (‘SCADA’) system of a dam in New York, allowing him to obtain information regarding the dam’s status and operation. Had the system not been under maintenance at the time, the hacker would have been able to control the dam’s sluice gate.” The sluice controls water flow, allowing dam operators to avert potentially catastrophic failure by draining off excess water.
Still not convinced?
Seventy-seven percent of executives surveyed in the “State of Industrial Cybersecurity” report admitted that they believe their Industrial Control System (ICS) network will suffer an attack, yet nearly half have no measures in place to even detect such an attack. Considering National Intelligence Director Dan Coats’ warning that nation-state threat actors have targeted our energy, nuclear, water, aviation and critical manufacturing sectors, this documented complacency and lack of preparedness is both alarming and irresponsible.
Another incident you may have missed is when computer communications with customers of four natural-gas (ONG) pipeline operators were suddenly shut down, according to a Bloomberg report. In addition to making headlines for election-meddling, Russian cyber-attackers once successfully commandeered machines that drive critical infrastructure including nuclear power plants and chemical plants.
ONG, energy and utility providers face a daunting challenge of protecting large industrial control systems. As shown by the Stuxnet attack and BlackEnergy malware, nation-state-driven cyberattacks can cripple another’s critical infrastructure.
According to the GAO, our government is falling short in helping industry implement cybersecurity that extends beyond firewall-like protections.
Production lines of industrial companies are run by programmable logic controllers (PLCs) and sensors that are now being connected to the Internet as a part of the Industrial Internet of Things (IIoT). Unfortunately, protocols used in ICS environments generally lack adequate network service authentication.
These industrial control systems that run our electric utilities and oil and gas refineries take this security threat to a whole new level. The IIoT promises great productivity advances and cost savings, but only if protected from malware and other things that threaten all Internet-connected devices.
While we are used to protecting the front office applications of our plant facilities with enterprise IT solutions, these solutions are not adequate to protect our plant facilities and production lines from these pervasive threats. There are complex and often conflicting demands of cyber-physical security and IT that must be reconciled.
The current protocols used in ICS environments generally lack adequate network service authentication. Validated cryptographic technology and flexible monitoring modes are needed to fulfill these difficult requirements. In order to shield critical infrastructure against cyber-attacks without operational interruption, security should surpass the basic firewall, perimeter and signature-based IT defense, extending protection to SCADA and other networked system endpoints using protocol-specific parsing and whitelisting to ensure data integrity.
A whitelist of allowed commands needs to be created for controllers. By doing this, it is possible to control costs while maintaining peak operational performance. No single device or software solution can solve all of the problems described above. Only a last line of defense approach can protect our critical infrastructure, but it must be deployed as part of a robust and layered cyber-physical defense.
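The protocol-specific parsing and command whitelisting described above, shown as an added example that is not part of the original article. It assumes Modbus/TCP as the ICS protocol (the article names none); the policy table, unit ids and register ranges are hypothetical.

```python
import struct

# Hypothetical policy (not from the article): unit id -> {function code: (first, last)
# register allowed}. 0x03 = Read Holding Registers, 0x06 = Write Single Register.
ALLOWLIST = {
    1: {0x03: (0, 99), 0x06: (10, 19)},
    2: {0x03: (0, 49)},  # read-only controller
}

def build_request(unit, func, addr, arg, tid=1):
    """Construct a sample Modbus/TCP request (MBAP header + 5-byte PDU)."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, func, addr, arg)

def check_frame(frame: bytes):
    """Return (allowed, reason) for one request; anything not allowlisted is denied."""
    if len(frame) < 8:
        return False, "frame too short"
    _tid, proto, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        return False, "protocol id is not Modbus"
    if length != len(frame) - 6:  # length field counts unit id + PDU
        return False, "length field does not match frame size"
    rules = ALLOWLIST.get(unit)
    if rules is None:
        return False, "unknown controller"
    if func not in rules:
        return False, "function code not allowlisted"
    if len(frame) != 12:  # both allowlisted functions carry a 4-byte body
        return False, "unexpected request size"
    addr, arg = struct.unpack(">HH", frame[8:12])
    if func == 0x03:
        if not 1 <= arg <= 125:  # quantity limit from the Modbus specification
            return False, "invalid register count"
        last = addr + arg - 1
    else:
        last = addr  # 0x06 writes exactly one register
    first_ok, last_ok = rules[func]
    if addr < first_ok or last > last_ok:
        return False, "register outside allowed range"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample traffic: one permitted read, three requests that must be dropped
    for f in (build_request(1, 0x03, 0, 10), build_request(1, 0x06, 50, 1),
              build_request(2, 0x06, 10, 1), build_request(1, 0x03, 0, 10)[:-1]):
        print(f.hex(), check_frame(f))
```

The check denies by default: an unknown controller, an unlisted function code, or a malformed length is rejected before any register address is interpreted.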
The incursions, whether by state actors or nation-states, have become too numerous to track. They make the Equifax breach, and its compromise of some 148 million Americans’ data, pale in comparison.
A May 2018 alert from the U.S. Computer Emergency Readiness Team, a joint effort between the Department of Homeland Security and FBI, warned with high confidence of malicious cyber activity by the North Korean government, referred to as HIDDEN COBRA. HIDDEN COBRA actors, detailed in the report, have used two forms of malware – Joanap and Brambul – for nearly 10 years to target media, aerospace, financial, and critical infrastructure sectors.
The warning noted that “like many of the families of malware used by HIDDEN COBRA actors, Joanap, Brambul, and other previously reported custom malware tools, may be found on compromised network nodes.”
Blind faith that enterprise IT-based solutions like firewalls and antivirus software will protect our internet-connected devices is a dangerous strategy. That false sense of security clouds our ability to see that entirely different precautions are needed to defend our critical energy infrastructure, industrial and defense facilities.
Intrusions that target the endpoints in industrial operations environments are completely immune to the familiar protections that work so well for laptops and smart phones. Many of these endpoints, including the aforementioned sensors and PLCs, can be accessed remotely or hijacked via corrupt USB drives. Sadly, these important but unsophisticated devices are often defenseless against malware.
The good news is that we have the technology to comprehensively combat the systemic cyber-weaknesses in our critical systems. Cyber-physical solutions provide the robust, end-to-end defense required, incorporating traditional enterprise IT conventions but also adding a last line of defense – the only way to protect those vulnerable devices that operate ICS production lines.
Covert cyberattacks by enemies of the state present a clear and present danger. The DOJ Cyber-Digital Task Force report notes that cyberattacks have “wiped out billions of dollars in investments, and helped hostile foreign governments launch influence operations designed to undermine fundamental American institutions.”
Despite such dreadful and devastating consequences, the reality is that we have been lucky to date, despite the escalating rate of infrastructure-specific breaches. Several hundred million lives could be in jeopardy if we do not address the current, dangerous level of complacency.
For the sake of everything we hold dear, government and industry must join together and take the necessary steps to defend us, before the lights go out in America.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland.