The Department of Homeland Security has offered more details on electrical grid attacks by Russian agents, and experts said the details show how air-gapping isn’t as secure as some may think.
In a briefing on Monday, DHS officials expanded on details of electrical grid attacks by Russian groups like Dragonfly 2.0. The briefing was the first time DHS released this amount of information in an unclassified setting, according to a report by The Wall Street Journal.
DHS said Russian hackers first targeted key industrial control vendors in order to steal credentials and access air-gapped and isolated utility networks. DHS also expanded the scope of the electrical grid attacks, saying there were “hundreds of victims,” although it is unclear if “victims” in this case refers to systems, substations, or utilities and vendors combined. Attackers reportedly stole confidential information about the utilities to learn how the industrial control systems (ICS) work and DHS said they had enough access to “throw switches.”
Ray DeMeo, COO and co-founder of Virsec, noted that “relying on air-gapping for security is a dangerous anachronism.”
“Air gaps are easily being bridged by social engineering, password theft, or, in the case of Stuxnet, a few rogue USBs left in Tehran coffee houses. With the increasing convergence of IT and OT systems, the control systems that manage critical infrastructure are increasingly networked and connected,” DeMeo wrote via email. “Plus, conventional security tools that rely on signatures must be connected in order to get the latest updates. Almost all of the recent attacks, successful attacks on power plants and other critical infrastructure have bypassed air gaps.”
Rohyt Belani, CEO and co-founder of Cofense, said even with isolation electrical grid attacks are still possible.
“Even though SCADA networks and other critical infrastructure may be segmented, there are always legitimate remote access systems in place from where administrators of those systems can log in and control them,” Belani wrote via email. “Attackers often gain their initial foothold in a corporate network via spear phishing and then move laterally to identify such key systems, which they then attempt to compromise to further their sphere of influence into critical systems.”
Michael Magrath, director of global regulations and standards at OneSpan Inc., said these electrical grid attacks, like other hacks “exploit the weakest link in the security chain — the people.” Magrath was also concerned about part of The Wall Street Journal report that claimed DHS was investigating if Russian hackers had ways to defeat multifactor authentication.
“To be clear, multifactor authentication is not ‘one size fits all.’ There are numerous approaches and technologies available with varying degrees of security and usability. For example, one-time passwords transmitted via SMS are very convenient and widely deployed. However, this multifactor authentication approach has been proven to be unsecure with [one-time passwords] being intercepted,” Magrath wrote via email. “Other solutions such as fingerprint biometrics, adaptive authentication, and utilizing public key cryptography techniques are far more secure and have gained widespread adoption. It remains to be seen what DHS learns.”
DHS claimed it has been warning utilities about potential attacks since 2014. Joseph Kucic, CSO at Cavirin, said via email the utilities “have failed to implement the necessary changes so DHS went public to embarrass the utilities into taking the needed actions (timing was on the DHS side with all the Russia media attention).”
David Vergara, head of security product marketing at OneSpan Inc., said “this is big game hunting for cybercriminals.”
“The motivation may pivot between political and monetization, but the impact to the target is the same, terror through vulnerability and exposure,” Vergara wrote via email. “It’s not difficult to extrapolate the outcome when an entire power grid goes offline during peak hours and the attack follows the weakest link, unsophisticated utility vendors or third parties.”
Potential damage of electrical grid attacks
It was unclear from the DHS report what the extent of damage these electrical grid attacks could be.
Katherine Gronberg, vice president of government affairs at ForeScout Technologies, said in the past, electrical grid attacks were “ostensibly motivated by money, business disruption, hacktivism or espionage.”
“Now, we are facing a very real and targeted threat to U.S. national security. A successful attack on systems such as power plants, dams or the electric grid could have severe repercussions and could possibly lead to the loss of human life and disruption of society,” Gronberg wrote via email. “With so much on the line, securing critical infrastructure must be top of mind. Recent efforts by the DHS, DOE and key congressional committees suggest that it is. But we have to tackle this problem as the shared responsibility it is. It likely will entail some difficult decisions at all levels, from policymakers to power producers to consumers.”
Andrea Carcano, co-founder and CPO of Nozomi Networks, noted that since the electrical grid attacks reported by DHS didn’t result in blackouts, it raises the “question if the attackers intentionally only went so far.”
“Attacks on the grid will be difficult to control and will undoubtedly lead to lots of collateral damage. This, combined with the risk of retaliation, may be keeping attackers at bay,” Carcano wrote via email. “It is reminiscent of the mutually assured destruction model of the Cold War when restraint was used on all sides. We are likely in the midst of a Cyber Cold War with all sides holding back from enacting the destruction they are truly capable of.”