Recent Posts

Cyber 9/11 Likely to Target Industrial Control Systems, Originate from U.S. IP Address


If a cyber 9/11 were to occur, the most likely targets will be industrial control systems that operate the nation's electric grid and other critical infrastructure. And chances are it won't be initially noticed, partly because the IP address of the attacker will originate in the U.S., two top experts told a Senate Judiciary subpanel today.  "There are no networks in the U.S. that haven't been broken into and in many cases you can break into the equipment and break that," former NSA and DHS official Stewart Baker told the Senate Judiciary subpanel on crime and terrorism.

From that perspective, the most likely scenario for a cyber 9/11 to take place is an attack on critical infrastructure where true equipment damage occurs.  "The real risk is that the attacker can hack into industrial control systems and hack into power systems, pipelines" and other essential systems, Baker said.

"I don't think the first attack, if it's truly remote will be noticed…it will come from an IP address in the U.S.," Kevin Mandia, CEO of security firm Mandiant, said, noting the propensity of attackers to route through vulnerable U.S. systems.   "Almost every single attack we currently respond to there are hop points in the U.S."  But even the best-devised cyber attack is not a sure thing.  "Even from the attacker's perspective, the results will be unpredictable," Mandia said.

Mandatory cybersecurity requirements for critical infrastructure help boost security, Mandia said. "It has been my experience if there is a standard imposed on your industry, the cybersecurity is better."  Even then, though, threats get through.  "When it comes to critical infrastructure, the majority of cybersecurity programs [Mandiant has been called in to examine] were mature…but they were still breached."

The hearing, aimed at examining law enforcement and private sector response to cyber threats, follows the introduction yesterday of a bipartisan Senate bill, the Deter Cyber Theft Act, which requires the Director of National Intelligence to produce an annual report listing foreign countries that conduct cyber-espionage in the U.S.  Both Mandia and Baker clearly identified China as the top foreign country engaging in cyber spying and other activities, with Russia a very distant second.  "China is the reason my company doubles in size every year," Mandia said.

Verizon's Wade Baker: Look for Repeating Patterns in Cyberthreats


Cybersecurity threats follow certain patterns and are not chaotic, Verizon's Managing Principal for RISK Intelligence Wade Baker said today during a webinar to discuss the company's most recent, widely reported Annual Data Breach Investigations Report (DBIR).  With acknowledgement to science and spiritual philosopher Gregg Braden, who popularized the concept of repeating patterns in nature called fractals, Baker said that the key to understanding how to manage data breaches is to look for patterns of simplicity.  "If we do, it's really important to how we defend our systems," he said.

If cyber threats are complex, then the methods of managing them become complex too.  But if you look for similar and repeating patterns, then effective systems of combating threats emerge.  "If it’s chaotic, then we have to implement complicated controls," Baker said.  But, "if there are patterns, we can set up logical defenses instead of worrying about the seemingly more complex" and ultimately difficult to implement solutions.

In analyzing the data shared with Verizon by 19 global organizations, "we see these patterns emerge and those patterns are pretty clear and distinct from each other...they're not chaotic."  Citing one analysis of 315 incidents that could be categorized according to associations among actors, actions, assets and attributes (the 4 "As" set of metrics developed as part of the Vocabulary for Event Recording and Incident Sharing (VERIS)), Baker noted that there are ten or twelve patterns that seem to be repeated constantly.

"This is really good news for defenders," he said.  For example, if a firm has intellectual property or trade secrets, then understanding the patterns of groups that target these kinds of assets makes for a much better defense.

During the webinar, Baker offered additional insight into the DBIR's findings.  One conclusion from the report is that the number of breaches at small firms (fewer than 100 employees) rose substantially between 2011 and 2012, with 193 of the 621 relevant breaches attributable to small companies.  Baker suggested that these are mostly small engineering firms that manufacture parts that will go upstream into the defense industrial base.

Another finding from the report suggests that state-affiliated breach incidents jumped dramatically between 2011 and 2012.  However, Baker suggested that the huge jump in those breaches reflects better methods for identifying state-affiliated attacks and does not necessarily reflect a rise in those kinds of breaches.  "This is an increased ability to recognize that activity," he said, due to better information sharing and the rise of more groups tracking those actors.

Executives Open a Whole Lot of Spearphishing Emails, Verizon Data Breach Report Says

Verizon released today its Annual Data Breach Investigations Report, and among the treasure trove of findings across an impressive list of participating global organizations is that executives are the prime identified internal recipients who open threat-laden social communications, predominantly spearphishing emails, according to an analysis of 2012 data breaches.  Although the vast majority of targets (69%) within organizations can't be identified for a variety of reasons, of those who can be identified, executives and managers top the list of those responsible for data breaches resulting from the communications.

Overall, executives accounted for 16% of the breaches that came from "social" sources, mostly spearphishing emails, while managers accounted for 11% of the breaches, followed by former employees, who rounded out the top three internal targets at 10% of the breaches.  At large organizations, the picture is even worse:  executives accounted for 30% of the social source breaches, while managers accounted for 27% of the breaches.  (Percentages exceed 100% because the items presented were not mutually exclusive.)

The report, written by Verizon Managing Principal for RISK Intelligence Wade Baker, notes that "executives and managers make sweet targets for criminals looking to gain access to sensitive information via spear phishing campaigns. Not only do they have a higher public profile than the average end user, they’re also likely to have greater access to proprietary information."  The often jaunty report (which mentions Led Zeppelin, bemoans high school math classes and features many zingy sentences) further adds that when it comes to executives "we all know how much they love .ppt and .pdf attachments," the frequent vehicles through which spearphishing malware enter network systems.

This finding is important given that the proportion of breaches incorporating social tactics like phishing was four times higher in 2012 than it was in 2011 and that more than 95% of all attacks tied to state-affiliated espionage employed phishing as a means of establishing a foothold in their intended victims' systems.  Not surprisingly, state-affiliated actors tied to China account for one-fifth of all breaches and 96% of espionage cases were attributed to threat actors in China.

The ranks of organizations that share data with Verizon grew to 19 during 2012 and included police organizations from around the globe, major cybersecurity consulting organizations and the top U.S. entities responsible for collecting cyber threat and incident data.  The report covers 47,000 reported security incidents and 621 confirmed data breaches.

International Experts: Cyber Threats Are Not As Scary As You Think


(Washington, DC)  Cybersecurity is the hottest topic in international relations, diplomacy and warfare, but the topic has arisen so quickly that the world community has yet to develop a common language for even describing the nature of cyber threats, much less arrive at solutions.  And cyber warfare, although currently fostering scary headlines, may not pose the catastrophic outcome many fear. Those messages came through clearly today at a major conference hosted by Georgetown University's Institute for Law, Science and Global Security and the Atlantic Council.

"What do we call a national emergency for cybersecurity?" asked Andrea Rigoni, Director General, Global Cyber Security Center in Poste Italiane.  "Most of the time it's difficult to tag an event as cybercrime or espionage or cyberwar.  It can take weeks or years to determine what's behind an activity."

Israel has developed a two-category definition for dealing with cyberthreats, Gen. (Ret.) Doron Tamir, Head of the International Cooperation Division for Israel, said.  The first category consists of cyberthreats that are criminal, such as the recent attack by Anonymous on the Israeli government's websites.  These threats, while annoying, cause little damage.  "As of yet, they have had limited effect.  In Israel, we have been attacked quite heavily by Anonymous.  They have had very limited achievement."

The second category is government-sponsored attacks, where cyberspace is used as the new domain for waging conflict.  Even there, though, "launching a cyberattack with extreme damage on a state scale is extremely difficult," Tamir said.

The biggest priority, though, should be confronting the non-state aggressors, Tamir said.  These are the groups that are more likely to attack and "they are progressing and improving their capabilities and can ruin the main sites that can affect the way of life in countries."

"The big missing component addressing any of those issues is not just a lack of situational awareness in cyberspace but a lack of situational understanding," Rafal Rohozinski, Principal, The SecDev Group said. Without a common framework for understanding the nature of the threats, where they're coming from and what they mean, cyber incidents can easily escalate, Roger Hurwitz, Senior Fellow, The Canada Centre for Global Security Studies at the University of Toronto said.  "When they [governments] don't do the math, escalatory spirals occur."

Although press reports portray cyberattacks in frightening terms, cyber weapons are just another tool in the warfare kit and should not evoke, but often do, the kind of fears that nuclear war does.  "Cyber-based attacks do not equate to nuclear-type attacks in that they do not affect society at its very basic level," Rohozinski said. "It is yet another element of force that can be used across the spectrum."

"Even in Estonia [where a high-profile series of cyber attacks occurred in 2007], nobody dies, nobody gets hurt," Tamir said.  "It's a meaningful tool...but proportion is very important."

Cybersecurity Experts: It's Child's Play to Attack Energy Industrial Control Systems


Two top cybersecurity experts today painted an unsettling scenario regarding the state of cybersecurity in energy and other industrial control systems, with both in agreement that few, if any, effective measures for securing critical infrastructure are in place.  "On the SCADA (supervisory control and data acquisition) side, these systems do not have the basic security systems built into them," Jonathan Pollet, Founder and Principal Consultant of Red Tiger Security, said during a webinar.

Most of the time, key security controls, such as encrypted passwords, that apply to corporate IT networks do not apply to industrial networks that operate critical infrastructure.  Even basic testing of software for bugs, a routine procedure for corporate IT networks, is not applied to industrial systems, with system vendors implementing only about 5% of the kind of testing that Microsoft, for example, puts its software through, according to Pollet.

As a consequence, it's no surprise that over the past year there has been a 753% increase in vulnerability disclosures to ICS-CERT (Industrial Control Systems Cyber Emergency Response Team).  Ironically, this known volume of vulnerabilities has been parlayed into a business by vendors who are selling exploits for the purposes of hacking industrial systems.

And nation-states are clearly in the energy sector hacking business.  Pollet visited clients in the Fortune 50 energy, oil and gas business who experienced attacks originating from China.  The rootkit malware infiltrated the industrial systems through corporate IT networks and resided on the companies' systems for 18 months, extracting emails, financial information, blueprints of plants and factories and more.

The failure of corporate IT departments to consider how malware and other exploits flow from corporate systems into the relatively unprotected industrial systems is a major source of vulnerability for the energy sector.  "You almost have to treat the corporate network as the Internet…and then view the SCADA and industrial control systems as a sub-network," Pollet said.

One of the biggest problems is that industrial systems "have embedded items inside embedded items inside embedded items where we have forgotten what we embedded," Patrick Miller, Founder, Director and President Emeritus of energy security consortium EnergySec said.  "But the bad guys know they are there."

"The vulnerability is quite high. Most industrial control systems weren't designed for what we have today.  Frankly it's almost child's play to get into these systems," Miller said.

For the time being, however, there is no need to fear a widespread electricity outage because utility systems have evolved over time with a diversity of technology that varies from utility to utility.  "If you look at things like power, gas and even water systems, there is such a diversity of technology.  It’s not easy to cause a widespread, long-term outage," Miller said.

NIST Cybersecurity Workshop: Aiming for the Impossible?


(Washington, DC) The National Institute of Standards and Technology (NIST) kicked off yesterday the first of a series of workshops aimed at creating an overarching cybersecurity framework for all critical infrastructure industries as directed under President Obama's cybersecurity executive order issued in February.  Although the impressive line-up of speakers generated little in the way of new information or insight into what the ultimate framework might look like, the gathering of a wide range of cybersecurity technology, policy and legal experts across a number of industries did serve to reiterate important messages about how to think about cybersecurity.

First, it's obvious that cybersecurity is crucial to virtually every activity underpinning society.  "We ought to take security in cyberspace as much for granted as we do in using cyberspace in our everyday lives," Jane Holl Lute, Deputy Secretary at DHS, said.

Secondly, we will never find a single solution that solves all cybersecurity problems.  The best approach is an ongoing strategy to prevent, protect and respond when threats arise.  "There is no silver bullet," Russell Schrader, Chief Privacy Officer, Visa said.

Third, because no single solution exists, any framework must be flexible and adaptable.  "There is no way you can prepare in advance a template that can protect against the unknowns," Robert Mayer, VP of Industry and State Affairs at US Telecom said.  "Whatever framework we ultimately settle on, it's going to have to be a living framework," Paul Nicholas, Senior Director, Global Security Strategy and Diplomacy at Microsoft said.

Finally, information-sharing is crucial.  "The vast majority of what you need to know about threat is already out there.  It's just badly distributed," Tony Sager, Director of the SANS Institute said.

The elephant in the room was whether NIST can achieve anything approaching a useful framework that covers 16 diverse critical infrastructure industries within 240 days as stipulated under the EO.  The consensus among the attendees I spoke with is that given the timeframe, the complexity of the issues and the diversity of the industries covered, the best that NIST can hope for is a generic outline of principles or concepts, which may or may not push the cybersecurity ball forward very much.

One participant in the NIST working group that produced cybersecurity guidelines for cloud computing said that NIST is aiming for the impossible with this effort.  That may not matter, another cybersecurity specialist said, because the administration is really banking on Congress to step in soon enough with comprehensive cybersecurity legislation that produces more effective requirements and information-sharing capabilities.

Whether or not the ultimate framework proves useful, the workshop seemed to serve as an effective gathering for cross-pollinating ideas and for networking among cybersecurity professionals who otherwise might never meet.  In that sense, the information sharing has already begun.

Other reports from the workshop are worth a read.  Check out Andy Bochman's write-up here. Grant Gross takes a policy perspective in this piece.  And Brian Fung has this post from the event about how Northrop Grumman spearphishes its own employees to teach them important lessons.

Telecom Execs: Industry-to-Industry Cybersecurity Information Sharing is Needed


Telecommunications companies believe that better information sharing among private sector companies is a necessary next step to ensure better critical infrastructure cybersecurity, a goal that can best be accomplished by Congressional action in the wake of President Obama's February cybersecurity executive order and policy directive.   Or at least that view seemed to be the consensus held by a group of executives speaking today during a policy briefing hosted by USTelecom.

"When it comes to cybersecurity, one of the things we want to get to as an end-state is real-time information sharing.  The best way to do that is with automated threat-sharing," Chris Boyer, Assistant Vice President of AT&T said. "One of the obstacles to that is whether or not that is permitted under the existing legal framework. Every time something comes up with security, we have to consult with our legal department to determine if it can be shared. We really want to expedite that process so that we can make it real-time and respond to the threats."

"We certainly don’t have any automated real-time information sharing links between AT&T and CenturyLink," Kathryn Condello, Director of Cybersecurity and Emergency Preparedness at CenturyLink, said.  "The information sharing does exist but it’s more informal and ad hoc. The time, the speed, the acceleration, the nature of the cyber threat is much, much faster" than what ad hoc information sharing can handle.

"The information-sharing piece is the most immediately important thing for us," Kate Dean, Executive Director, United States Internet Service Provider Association, said.  "To improve and enhance private-to-private and government-to-private will really require an action by Congress."

The NIST-derived cybersecurity framework specified in the Executive Order may not be as important to major telecommunications providers as it will be to smaller companies or other companies in other critical infrastructure sectors because telecom providers are forced by the marketplace to implement best-of-breed security measures.  "There are going to be some sectors where [legislatively extended] incentives [to abide by the framework] are more important than others.  I think the fact that we have to deliver our services on a nanosecond by nanosecond basis has driven the adoption of standards" in telecom, Condello said. "I think that we may find that even if they offered us the incentives, the vast majority of us have already been doing that."

This issue of how cybersecurity practices vary from big to small companies, from competitive to regulated industries, is a theme that has emerged over the past few months, one echoed during the briefing by administration point person Ari Schwartz, Senior Policy Advisor, Department of Commerce. "I've heard a lot from some of the leaders in this space 'What are you going to tell us that we're not already doing?'  If you're a leading company you're already doing what you need to do to protect this space."  But, "there are a number of companies that are not even putting the basic protections in place," he said.

The telecom providers also agreed that for now the Federal Communications Commission (FCC) should bow out of the process, despite the fact that the presidential policy directive accompanying the order (PPD-21) directs the FCC to partner with the Department of Homeland Security (DHS) and others in developing guidance and recommendations. "When you look at what’s happening now...there are eight streams within the sector coordinating council [at DHS], there will be a lot of activity around the framework.  As a practical matter it will be a challenge for the industry to staff additional work over at the CSRIC [Communications Security, Reliability, and Interoperability Council at the FCC]," AT&T's Boyer said.
