Do you go fishing? You may or may not, but we see far too much phishing going on in the Internet ocean, and it scares us. The risk of over-phishing is not necessarily our concern. Our concern rests in the fact that phishing is so easy, and the big fat phish of this Internet abundance are getting gobbled up. And that’s not good for us, because many of us don’t really know what is in the ocean, like critical infrastructure (CI).

As the title suggests, our biggest concern as it relates to ICS/SCADA-connected devices is us. We are an incredible vulnerability to CI, and seeing as practically everything we depend on runs on some form of CI, it’s best we protect it.

Let’s start with some basics. Our CI is, for the most part, old. Devices stuck with legacy software that cannot be updated or replaced because they are simply too old and out-of-date are a potential problem, as these systems have vulnerabilities that hackers can take advantage of. Yes, there is a flip side to the argument here: some of these systems are so old they cannot be hacked, or are extremely difficult to hack, as is the case in the US nuclear system. (But don’t think for a moment that nobody is trying!)

If there is a smidgen of silver lining, it is this: some of these 40-year-old systems are notoriously reliable, there is a regular supply of “spare parts and new floppies,” and the “biggest security issue isn’t that the computer is 40 years old, but rather the quality of the lock on the door where the computer is housed.”

One concern we have is “how” devices, specifically ICS-connected ones, “talk” to each other. We are seeing a welcome roll-out of encryption to secure communications, which we consider a very positive step, but unfortunately, a full upgrade cannot happen overnight. 
Let’s simply feel blessed that there is a viable solution out there to secure communications, meaning that taking care of this issue is purely a matter of “getting it done” instead of funding some new R&D project.

So far so good with the “stuff” (tech), but now our concerns begin to grow with “us” (behavior). Default passwords on devices are a problem, but this also is an issue that is relatively easy to fix. Much like securing communications, changing default passwords is another matter of “getting it done.”

Notice, though, that these remain issues that require a human to make a decision and to take action. And because we humans do have the tendency to get things wrong, make mistakes, and just, well, be careless at times, we add a layer of vulnerability to all our systems that is worrisome. If you get locked out of your laptop for clicking a careless link, that stinks. If you get locked out of your control system in a nuclear power plant because you clicked the wrong link, oh dear!

Social Engineering, Human Error and Human Manipulation

Given that the threat which concerns us most is effectively preying on humans, our concern is warranted. And that is why we feel that the biggest problem the power grid faces today is phishing, spear-phishing, and pretexting, all of which we will define in this series of articles.

Why these threats? Because these social engineering attacks are designed specifically to circumvent all the expensive defensive technological measures put in place by an enterprise. These tactics target the individual, using them as the vector to attack the network, as opposed to going for the organization’s network directly. 
Social engineering tactics range from the “smash-and-grab” technique (phishing) to taking advantage of the naïve (spear-phishing) to the ultra-sophisticated manipulation (pretexting).

Emails that are designed to look like they are coming from your immediate boss or “big boss” (such as a CFO or CEO) get your attention. They create a type of emotional response, usually a sense of urgency (in some cases, even fear, which can be a powerful motivator for “urgent action”). And in that emotional moment of urgency, opening a seemingly legitimate attachment may unleash the payload to infect the network with malware, ransomware, or whatever kind of digital nastiness you wish. It is worth noting that the top emotional motivators are: curiosity, fear, and urgency.

Manipulation does not stop with work-related material, either. If you have been tagged as a high-value target within your organization by a nefarious actor, do not think for a moment that the bad actor has limitations. If the malicious actor has the impression that the best way to get your attention is to pretend to be your spouse or your child’s school principal, they will go that far. In our societal obsession to make information as readily available as possible, we have given up so much of ourselves and our private lives that all of it can be used against us. And you would be shocked what is out there, especially when we lose control of that information.

But let us illustrate the point of how you can – quite easily, actually – target somebody. One of us, years ago (and for totally legitimate business reasons), was able to stumble across the personal mobile phone number of one of the CEOs of one of the biggest companies in the United States.

How did we come across this phone number? Because a foundation this person donated to listed the phone number in their organization’s public documentation. 
See, and that’s the scary thing: once our information goes into somebody else’s hands, what degree of confidence do we have that this information will be safeguarded? These days, it’s not feeling too good.

This type of deep digging is not new. In political campaigns, this type of digging is sometimes called opposition research, but do not assume for one moment that a nefarious actor will not conduct this type of digging also.

You see, to these actors, this behavior is “all business” and part of their daily routine, particularly if they truly wish to seek out, and exploit, a target. For transparency purposes, especially when there is some sort of public entity involved, we list so much information online (name, title, phone number, email address, work address, and so on). This is very much true for those in positions of responsibility and authority. All of this information can be used against us. And once this information is captured by a malicious actor, it is exploited, or used in a manner to exploit.

For example, this information reaches the desk of the employee, say, in the form of an email from a superior. More likely than not, within the first hour or two, that email will be opened. In fact, there is an 87% probability that the email will be opened within the same day. There is a straightforward elegance to email attacks in that they are a proven attack channel, do not rely on technological vulnerabilities for success, and use simple deception to lure victims.

And that is the critical moment where everything can fall apart. It is often said that the “person sitting behind his or her computer terminal” is the greatest risk and hazard to network and data security. We agree. Many others do too, noting that

“[h]uman errors are inevitable. Yet they can be very costly. For many organizations the risks associated with human error can be more serious than the insider threat. 
In some cases, it is regarded as the biggest threat to the ICS system.”

This Type of Attack Works, and Works Well

With the effort, skill, and detailed reconnaissance of a determined actor, it has been shown that one successful spear-phishing attack, followed quickly by the theft of administrative credentials, could unleash tremendous pain upon a power plant’s employees and its network, in turn causing a tremendous inconvenience to the customers, patrons, and businesses dependent upon the grid. Keep in mind that a successful attack on the grid has secondary and tertiary effects as well. A power grid going down in the dead cold of winter could impact lives, leave people stranded, and at worst, put their lives at risk. Similarly, in the middle of a heat wave, in addition to lives at risk, emergency responders would have their resources taxed.

This is not a hypothetical scenario. In fact, a horror of this type has already happened – in the Ivano-Frankivsk region of Western Ukraine – during the quiet of winter, in December 2015. The regional power company Prykarpattyaoblenergo fell victim to a highly sophisticated cyberattack.

How did it all happen?

The first myth we would like to dispel is that hackers are “smash-and-grab” artists or opportunists trying to test out their newest abilities. In our professional experience, we hear this argument far too often, and it is worth putting down. The days of script kiddies and grey hat hackers looking for kicks are likely gone. 
Sure, there are plenty who enlist “hackers-for-hire” to do their dirty work, or who just download malware packages to deploy through a network, but for the most part, we prefer to err on the side of caution and assume we are dealing with pros.

Let us be honest: there are plenty of black hat hackers out there looking to make a buck, promote an ideology, feed their ego, or serve some national interest (which, surprise, surprise, may be in direct opposition to another national interest). For the most part, we are not scared of the hundreds (or thousands) of grey hats out there looking to tickle themselves giddy over what they have just done; but we are terrified of the one, or small group of, black hats who have the resources, determination, skill, stealth, and patience to get what they want. This was the case in Ukraine.

According to details of the analysis, the nefarious actors:

Were skilled and stealthy strategists;
Carefully planned an assault over months;
Conducted reconnaissance and study of the networks;
Siphoned operator credentials; and
Launched a synchronized assault in a well-choreographed dance.

If this sounds more like traditional tradecraft, you would be right to think so. Robert M. Lee, a former cyber warfare operations officer in the US Air Force who assisted in the investigation, said:

“[i]t was brilliant. In terms of sophistication, most people always [focus on the] malware [that’s used in the attack]. To me what makes sophistication is logistics and planning and operations and … what’s going on during the length of it. And this was tremendously sophisticated.”

So this first article of the series was designed to let you know the truth: yes, it can happen. It’s time to rid ourselves of the thought that it cannot happen. 
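The boss-impersonation emails described earlier (an executive’s display name, a sense of urgency, a “legitimate” attachment) and the spear-phish that opened the door at Prykarpattyaoblenergo share traits that a mail gateway can look for before a human ever sees the message. The script below is an added example written for this article, not code from the authors or from Tripwire. It triages raw RFC 5322 messages against a constructed executive roster and organization domain (both assumed for illustration), flagging an executive name on an outside address, a look-alike sender domain, a Reply-To that diverges from From, urgency language in the subject, and attachments of payload-bearing types; the two sample messages are constructed, not real mail.

```python
"""Triage inbound mail for executive impersonation (added example, not the article's code).

The roster, domains and the two sample messages below are constructed for
illustration; replace them with your own directory and domain list.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed organization data: who could be impersonated and which sender
# domains are legitimately ours.
ORG_DOMAINS = {"example-utility.com"}
EXECUTIVES = {"jane doe": "CEO", "john smith": "CFO"}
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "before end of day")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso", ".zip")


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike (typosquatted) sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_message):
    """Return the findings for one RFC 5322 message plus a verdict."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "").lower()
    from_dom = domain_of(from_addr)
    findings = []

    # 1. Display name of a known executive, but the address is not one of ours.
    if from_name.strip().lower() in EXECUTIVES and from_dom not in ORG_DOMAINS:
        findings.append("executive-name-outside-org")

    # 2. Sender domain within two edits of a real one (e.g. a dropped letter).
    if from_dom not in ORG_DOMAINS and any(edit_distance(from_dom, d) <= 2 for d in ORG_DOMAINS):
        findings.append("lookalike-sender-domain")

    # 3. Replies would go somewhere other than where the mail claims to come from.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")

    # 4. The pressure lure: urgency wording in the subject line.
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency-lure")

    # 5. An attachment of a type that can carry a payload.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append("risky-attachment:" + name)

    impersonation = {"executive-name-outside-org", "lookalike-sender-domain"} & set(findings)
    if impersonation and len(findings) >= 2:
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"findings": findings, "verdict": verdict}


# Constructed sample messages (not real mail).
PHISH_SAMPLE = """From: Jane Doe <jane.doe@example-utilty.com>
Reply-To: Jane Doe <jane.doe.ceo@mail.example>
To: ops@example-utility.com
Subject: URGENT: approve the vendor payment before end of day
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

I am in a meeting, please open the attached invoice and approve it immediately.
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

AAAA
--b1--
"""

BENIGN_SAMPLE = """From: Jane Doe <jane.doe@example-utility.com>
To: ops@example-utility.com
Subject: Q3 planning notes

Nothing attached; the notes are in the wiki.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(sample))
```

None of these checks requires a technical vulnerability to be present, which is exactly why they matter: the attack the article describes succeeds on deception alone, so the signals worth collecting are the deceptive ones (who the mail claims to be, where replies really go, how hard it pushes for speed). A real deployment would add SPF/DKIM/DMARC results and a larger roster, but the triage shape stays the same.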
In the upcoming articles, we are going to give you some clear and easy-to-remember definitions, a bit more on how manipulation is darned easy over the Internet, why threats to ICS/SCADA should really worry us, and a very brief walk-through of what happened at Prykarpattyaoblenergo.

Just as a final note, we want to mention a specific threat to CI (but one that is not immediately linked to social engineering) because it is worth knowing about: APTs. We consider APTs a given, happening all the time, almost robotic-like in their nature. With increased use of AI/ML, we believe that APT detection and response rates will improve in the coming years. We also see APTs like papercuts to a paper handler: you are going to get them in the course of your daily work. The art, therefore, is not to get killed by them. If you are a power grid member and are not a victim of APTs, you are either doing something absolutely incredible (and we are sure the rest of the industry would love to know more about what you are doing) or you are asleep at the switch.

About the Authors:

Paul Ferrillo
is counsel in Weil’s Litigation Department, where he focuses on complex securities and commercial litigation, and internal investigations. He also is part of Weil’s Cybersecurity, Information Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance issues, and assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them.

George Platsis
has worked in the United States, Canada, Asia, and Europe as a consultant and an educator, and is a current member of the SDI Cyber Team (www.sdicyber.com). For over 15 years, he has worked with the private, public, and non-profit sectors to address their strategic, operational, and training needs in the fields of business development, risk/crisis management, and cultural relations. His current professional efforts focus on human factor vulnerabilities related to cybersecurity, information security, and data assurance by separating the network and information risk areas.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.