If anyone knows more than he can tell about the cybersecurity threats to the country’s power grid, it’s Seán McGurk. As head of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) from 2008 to 2012, he led the day-to-day fight against intrusions and attacks against utilities and energy companies during a period when such threats grew from a trickle to a flood.
Since 2012, McGurk has led Verizon’s Investigative Response team for industrial control and automated and embedded systems security, where he’s taken on the industry-spanning cybersecurity threats faced by a global telecommunications provider. Verizon’s annual Data Breach Investigations Report (DBIR) tracks these threats, and the latest version released Tuesday shows that the number of threats is growing.
All told, Verizon's report found 63,437 security incidents in 2013, compared to about 47,000 in the previous year, as well as 1,367 confirmed data breaches, up from 621 in the previous year. And while the majority of these reports come from the public sector, finance, IT and retail sectors, this latest DBIR includes expanded details on how utilities, manufacturers and other non-financial partners are being affected, he said.
“If nothing else, the DBIR itself demonstrates how people are becoming [more] cyber-aware,” McGurk said in a recent interview. Verizon’s report lays out a step-by-step set of actions to take against specific threats (check out the chart at the end of the story for more details). McGurk also laid out some key findings from his work on utility cybersecurity, as well as a few core concepts that utilities need to embrace to manage these threats.
1.) Utilities are a target. Utilities reported 166 cybersecurity incidents in 2013, which was low compared to the 47,500 incidents reported in the public sector or the finance sector’s 856 incidents, though not insignificant. Of the utility incidents, 80 resulted in some confirmed data loss, according to the DBIR.
Most incidents were from web app attacks or “crimeware,” a category that includes “anything that doesn’t look like espionage, or like a point-of-sale attack,” McGurk said. The more typical utility incidents range from email phishing and and the aforementioned web app intrusions, but some include hijacking remote devices in ways that could support spamming operations or otherwise infiltrate the network of devices out on the grid.
ICS-CERT responded to more than 200 security incidents between Oct. 2012 and May 2013, twice the number that they responded to in 2012. Of those, 53 percent were in the energy sector, up from 40 percent in the previous year. That’s a high and rising number, though it applies specifically to threats to critical infrastructure, and thus excludes a vast number of cyber-related issues, particularly the huge theft and fraud parts of the cybercrime world.
2) Don’t assume that your IT and your OT aren’t connected. Utilities have been under increasing pressure to secure their chosen mix of smart grid technologies, whether to meet national NERC-CIP regulations, gain access to Department of Energy stimulus grants, or meet the requirements of state utility commissions. But too often, they overlook the fundamental change in how front-line operations technology is linked to back-office IT systems -- and thus to the internet at large.
“Most companies believe their industrial control systems are segmented from their enterprise IT systems,” McGurk said, but in the 400-plus inspections he’s done in his years in the business, “Honestly, in no cases [has that been] that true.” Every SCADA and distribution management system is running on a Windows PC, and at least some of them are connected to the internet. That makes them a target for attacks carried through a thumb drive, as the infamous Stuxnet and Shamoon worms that targeted Iranian uranium enrichment and Saudi oil facilities, respectively.
A lot of legacy software like Windows XP is still installed on utility PCs, he added, and as Microsoft stopped supporting it this month, it’s going to be harder to maintain its defenses. “Our adversaries are ramping up their XP attacks,” he said.
3) It’s not all about utilities -- smart distributed devices can serve as disease vectors. Grid devices are getting smarter and more networked all the time, which makes them, just like every other computer out there, a vector for spreading cyberdiseases. One example just outside the DBIR’s scope was January’s report of the botnet plot to turn set-top boxes and “smart” refrigerators into spamming platforms. But there are plenty of historical examples to demonstrate the danger, including the Mariposa botnet, which infected nearly 13 million computers via instant messages, peer-to-peer file-sharing systems and removable storage devices, he said.
McGurk noted that natural gas companies have reported that their remote terminal units in the field have been infiltrated and used for unclear purposes. “They hijack systems, and they can be used to do a denial-of-service attack against a bank or another utility,” he said. “They’re being exploited for their computing power. Also, it’s a great way to obfuscate your location.”
4) Use evidence-based risk management to mitigate what’s actually happening. “The takeaway for the CIO is [the importance of] knowing the known and preparing for the unknown,” he said. This may seem like a no-brainer, but given the constantly evolving nature of cyberthreats, it’s actually a full-time job. A change management approach, which includes the process of keeping complex IT systems up to date on hardware, software and security upgrades and switches, is an important part of that approach.
So is keeping up with the day-by-day barrage of old and new cyberscams, while preparing for sophisticated intrusions, including those that may go undetected for some time. Meanwhile, cybersecurity companies have been busy proving they can hack into grid SCADA systems from the world’s major vendors, or penetrate Google’s office HVAC system controllers, reminding utilities and regulators that grid edge sabotage remains a potential threat. Reports of a disabling sniper attack on a California substation got a lot of attention from Congress and the Federal Energy Regulatory Commission earlier this year, putting the issue of physical security on the table as well.
5) Don’t forget the people in the process. Every cyberincident involves human beings -- and the potential for human mistakes that attackers can exploit. McGurk noted several common mistakes he’s seen in his years on the job that can only be fixed by people doing things differently.
Take the common practice of issuing a shared username and password for a group of people working on an IT integration project, he said. That general administrative login may be convenient, but it’s a glaring hole in security, not only because it’s easier to obtain, but because it doesn’t identify which individual is accessing the system.
It’s also important to know that you don’t always know who’s attacking you. While cyberespionage wasn’t on the utility list of reported threats, McGurk noted that it’s not always clear who’s behind a cybersecurity breach until months or years after it has happened, as was the case with both Stuxnet and Shamoon.