The world of infiltrating and attacking the world’s critical cyber-infrastructure has its hacks and its copycats -- as well as its true artists. The former can be guarded against by defenses baked into the world’s critical IT environments, like Wall Street or the Department of Defense. The latter are a lot harder to catch.
That’s the message from Phil Lin, product marketing director for cybersecurity company FireEye, in a Monday webinar addressing an audience of utility and smart grid professionals. Lin laid out a dire prognosis for today’s energy sector when it comes to the advanced, persistent threats -- or APTs, as the industry calls them -- on the cutting edge of cybercrime.
APTs are the new breed of cyber-intrusion, using tools like “weaponized” email attachments and web URL links to quickly deploy malware into laptops, desktop PCs, control terminals and other access points to a network, Lin said. That means they’re often invited in by trusted users, rather than running into firewalls, he noted.
To get around defensive traffic filters and intrusion prevention defenses that check such malicious files and URLs against lists of known malefactors, the attackers switch them up at a dizzying pace, using techniques such as polymorphism, dynamic techniques, and personalization, Lin said. In fact, more than nine-tenths of attacks of this nature his company has tracked change their identities completely once every 24 hours, and 98 percent are unrecognizable within a week.
As we’ve noted before, security is a growing concern in the world of smart grid, where new devices are hooking up power equipment and grid controls to the internet at large. The world of SCADA, the legacy serial technology used to control power grids, factories, chemical plants, wastewater treatment plants and other too-big-to-fail type targets, has been shown to be full of vulnerabilities that could be exploited, prompting a spate of Department of Homeland Security cyber-warnings over the past few years.
At the same time, the IT world writ large has been hit with a blizzard of attacks, Lin noted, from the December attack against Adobe’s (NASDAQ: ADBE) popular Acrobat file-sharing software, reportedly used against U.S. defense contractors and research facilities, to the theft of millions of credit card numbers from Sony’s (NYSE: SNE) PlayStation network in April. Some of these hackers are being caught -- we’ve seen arrests of alleged co-conspirators in the LulzSec attacks against Sony Pictures Europe, for example. But most attacks can’t be linked to a specific malefactor, Lin noted.
Not even the security vendors are immune: EMC (NYSE: EMC) company RSA, maker of SecurID authentication tokens used by millions of people like government and bank employees, warned in a March 2011 letter that an “extremely sophisticated cyberattack” had stolen data related to its two-factor authentication products, which could be used to build ever-more sophisticated attacks against its protections in the future.
Many of these attacks share the moniker of “zero-day” attacks, meaning that they exploit a previously unknown vulnerability, and thus have no defense. How long it takes between finding the exploited hole and patching it is only one part of the puzzle, Lin warned. It’s also possible that zero-day exploits have been getting into networks and propagating unseen for some time before they’re caught, making ongoing intrusion detection an important part of the “defense-in-depth” strategy, he said.
A Virtualized Defense
FireEye tackles the security problem via a “virtualized hardware environment” it sets up, Lin said. Essentially, it’s a virtual shadow network, running everything the real network does, with specialized malware protection systems (MPS) for files, emails and web-based threats.
This allows FireEye to watch its virtual threat environment for all the signs of an APT attack -- spear-phishing campaigns to introduce weaponized links or files to the network, attempts by newly opened files to do “buffer overflow” rewriting of memory to install malware, or unexpected outbound traffic coming from already embedded bugs, for example -- and respond accordingly, he said.
The company counts colleges, Department of Energy national labs, government agencies like Sallie Mae, and internet and IT software and services companies as customers, though given its role in protecting them, it doesn’t like to name too many names. It’s also working with several utilities, including one of the largest on the West Coast, he said. While he wouldn’t name the utility in question, FireEye does have a case study on its utility work, along with others spanning its customer base.
Most of FireEye's work is in traditional IT environments, rather than in the domains of AMI, DA, DR, DMS, OMS, CIS, and all the other acronyms utilities use to define their now-siloed grid operations networks. Utilities aren’t yet attaching their exposed, back-office IT systems to such grid controls in a big way. But utilities also aren’t nearly as sophisticated in how they approach cybersecurity, Lin said, particularly when it comes to adding new smart grid systems that introduce new end-points and networks into the overall IT infrastructure.
We’ve seen our share of cyber-attacks aimed at the power industry as well. Last month, Saudi-U.S. oil giant Aramco reported it had taken its network offline after a computer breach, linked by security firm Symantec to the “Shamoon” malware that seeks to render control systems inoperable by wiping their memories clean. Sophisticated attacks like the Stuxnet virus, reported to be introduced into Iran’s nuclear fuel enrichment program via USB drive to the Microsoft Windows environment and then to Siemens' (NYSE: SI) industrial SCADA network, show that network separation isn’t a reliable defense.
A New Threat Environment
Of course, few attacks are at the level of sophistication of Stuxnet -- though we’ve seen a few cruder copies, such as Flame, emerge since then. Still, there’s an interesting, and worrisome, cross-breeding going on between the APTs from sophisticated government programs, cyber-criminals or 'hacktivist' groups like Anonymous and LulzSec, Lin said. Put simply, they’re sharing “commercial-quality toolkits” and other such mutual aid, in hopes that more partners in crime will yield more intrusions, and thus more return for their effort, he said.
That’s because most intruders want to propagate throughout a network to find data to steal, he said. That means that, at some point, they will start to communicate with the outside world, whether it’s a simple “heartbeat” signal to let the attacker know it’s installed, or streams of secret data like system administrator passwords and bank account numbers. That requires another level of defense, one facing inward to try to prevent unauthorized breakouts, Lin said.
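The inward-facing check for a “heartbeat” described above can be sketched as a search for outbound connections that recur at near-constant intervals. This is an added example, not FireEye's method or code from the webinar; the function names, thresholds, allowlist and flow records (documentation-range addresses) are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def find_beacons(flows, min_events=6, max_jitter=0.1, allowlist=()):
    """Return {(src, dst): mean_gap_seconds} for near-periodic outbound pairs.

    flows: iterable of (epoch_seconds, internal_src, external_dst).
    max_jitter: highest allowed coefficient of variation (stdev / mean)
    of the gaps between successive connections (hypothetical threshold).
    """
    times = defaultdict(list)
    for ts, src, dst in flows:
        if dst not in allowlist:          # skip known-good periodic services
            times[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:      # too few events to judge timing
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[pair] = round(avg, 1)
    return hits

def sample_flows():
    """Constructed flow records, not real traffic."""
    flows = []
    # Implant-style check-in: roughly every 300 s with a few seconds of jitter.
    for i, jitter in enumerate([0, 4, -3, 2, -5, 1, 3, -2]):
        flows.append((1000 + 300 * i + jitter, "10.0.5.23", "203.0.113.50"))
    # Human browsing from the same host: irregular gaps, should not be flagged.
    for ts in [1010, 1035, 1400, 1420, 2900, 2950, 3000, 4100]:
        flows.append((ts, "10.0.5.23", "198.51.100.7"))
    # Legitimate timer-driven service: perfectly periodic, needs an allowlist.
    for i in range(8):
        flows.append((1000 + 64 * i, "10.0.5.40", "192.0.2.123"))
    return flows

if __name__ == "__main__":
    for pair, gap in find_beacons(sample_flows(), allowlist={"192.0.2.123"}).items():
        print(pair, "repeats about every", gap, "seconds")
```

Without the allowlist the legitimate periodic service is flagged too, which is why timing alone is a triage signal rather than a verdict.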
As for a FireEye MPS to protect control networks like SCADA or smart meters, Lin said the company hasn’t built such a virtualized environment yet, but that it wouldn’t be a particularly difficult task. The core problem for utilities is the cost of doing so, he said. With so many competing priorities, and an unclear cost-benefit analysis for protecting against unknown cyber-threats, utilities probably aren’t spending as much as their colleagues in IT and telecommunications on cybersecurity, he said.
But that’s going to change. GTM Research predicts spending on cybersecurity products and services will grow from $120 million in 2011 to $237.6 million in 2015, making it the second largest segment behind distribution automation in terms of utility enterprise IT spending. Activity on the smart grid security front ranges from software firms like Wurldtech, UtiliSec and N-Dimension, which raised a $3.85 million Series A round this summer, to the kind of system-wide, network-operations-center-style security that grid giant ABB and strategic partner Industrial Defender are working on.
Meanwhile, the continual merger between the internet and the networks of the smart grid will drive an increasing push toward internet-level security for smart meters, substation controls and other grid gear. Cisco (NASDAQ: CSCO) is promising IPv6-grade security for its smart metering and substation networks via partners like Itron and Alstom, and all the big smart grid players -- IBM, HP, Microsoft, Accenture, CapGemini, Logica, Lockheed Martin, SAIC, the big meter makers and SCADA vendors, etc. -- are promising state-of-the-art cybersecurity from their new smart grid offerings.