Foreign Hackers Accessed U.S. Power Grid ‘Dozens of Times’
That security researcher was Brian Wallace. Those attackers appear to be based in Iran. According to his research, these bad actors have already swiped passwords, engineering drawings from dozens of power plants, and more. If that’s not bad enough, the Associated Press (AP) is reporting that Wallace’s discovery is not altogether unique.
“About a dozen times in the last decade, sophisticated foreign hackers have gained enough remote access to control the operations networks that keep the lights on,” the AP said, noting its sources were top experts who spoke only on condition of anonymity due to the sensitive nature of the subject matter.
However, the public almost never learns the details of these types of attacks, which are rarer as well as more intricate and potentially more dangerous than data theft, the AP noted. “Information about the government’s response to these hacks is often protected and sometimes classified; many are never even reported to the government,” according to the AP.
Dealing with Super Powers
We caught up with Dwayne Melancon, CTO of advanced threat detection firm Tripwire, to get his thoughts on the news.
When it comes to critical systems and critical infrastructure, it pays to make attackers’ lives more difficult, he told us. As an example, he stressed that implementing multi-factor authentication rather than relying on a password alone is crucial. On top of that, organizations should segment their networks to limit the amount of sensitive information that any one user can access, he said.
“In particular, accounts with ‘super powers’ — such as creating new users, changing access permissions, or performing potentially harmful operations — should not only be tightly controlled, they should be aggressively monitored to look for unusual activity,” Melancon said.
“In older systems, the amount of rigor possible might be limited due to the lack of security functionality in old applications,” he continued. “In that case, organizations can often reduce risk by moving systems into a network segment that can only be accessed by a VPN, and multi-factor authentication can be added at the VPN.”
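The monitoring Melancon describes can be illustrated with a small detector, added here as an example and not code from the article or from Tripwire: each privileged ("super power") operation in an audit log is checked against a per-account baseline of who is expected to use such powers, from which hosts, and during which hours. The log format, action names, hosts and the baseline are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample audit lines (not from any real utility): timestamp, actor, action, target, source host.
SAMPLE_LOG = """\
2015-12-21T09:12:03 admin.ops CREATE_USER svc-hist ops-jump01
2015-12-21T10:45:17 admin.ops CHANGE_PERM svc-hist ops-jump01
2015-12-21T23:58:41 admin.ops CREATE_USER tmp-acct vpn-pool-07
2015-12-22T02:14:09 j.doe CHANGE_PERM scada-hmi ops-jump01
2015-12-22T08:30:00 j.doe VIEW_REPORT daily ws-044
"""

# Operations that count as "super powers": creating users, changing permissions, harmful control actions.
PRIVILEGED_ACTIONS = {"CREATE_USER", "DELETE_USER", "CHANGE_PERM", "WRITE_SETPOINT"}

# Assumed baseline: accounts allowed to use super powers, their expected source hosts and working hours.
BASELINE = {
    "admin.ops": {"hosts": {"ops-jump01"}, "hours": range(7, 19)},
}


def parse_line(line):
    """Split one space-separated audit line into a dict with a parsed timestamp."""
    ts, actor, action, target, host = line.split()
    return {"ts": datetime.fromisoformat(ts), "actor": actor,
            "action": action, "target": target, "host": host}


def find_unusual_privileged_activity(log_text):
    """Return (actor, action, target, reasons) for every privileged action that deviates from the baseline."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["action"] not in PRIVILEGED_ACTIONS:
            continue  # ordinary activity is not in scope for this detector
        reasons = []
        profile = BASELINE.get(ev["actor"])
        if profile is None:
            reasons.append("actor not authorized for privileged actions")
        else:
            if ev["host"] not in profile["hosts"]:
                reasons.append(f"unexpected source host {ev['host']}")
            if ev["ts"].hour not in profile["hours"]:
                reasons.append(f"outside baseline hours ({ev['ts'].hour:02d}:00)")
        if reasons:
            findings.append((ev["actor"], ev["action"], ev["target"], reasons))
    return findings


if __name__ == "__main__":
    for actor, action, target, reasons in find_unusual_privileged_activity(SAMPLE_LOG):
        print(f"ALERT {actor} {action} {target}: {'; '.join(reasons)}")
```

The baseline itself must be built from a period known to be clean; as Erlin notes later in the piece, an intruder who has been present long enough becomes part of "normal" and would otherwise be baked into it.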
A Difficult Relationship
Tim Erlin, director of IT security and risk strategy at Tripwire, told us the energy industry, including electrical utilities, requires substantial investment to tilt the playing field toward defense.
“At the moment, the attackers have the advantage. When it comes to critical infrastructure, the relationship between government and private industry can be difficult,” Erlin said. “With our current level of investment, we may not be shooting ourselves in the foot, but the hand holding the gun isn’t always pointing at the right target.”
When an attacker has been present for a long time in a system that’s functioning as expected, that attacker’s presence becomes part of normal operations, he said. Tripwire often identifies malicious actors through their behaviors, but if those behaviors aren’t abnormal, they’re very difficult to identify, he said.
While there are some cybersecurity standards in the electric utility industry, Erlin said critical infrastructure in the broader sense suffers from a lack of enforceable best practices.
“It’s not as simple as applying corporate IT security processes and tools to critical infrastructure. There are unique requirements, unique devices, and unique threats to consider,” Erlin said. “We cannot wait for a significant incident to change our behavior with regard to critical infrastructure cybersecurity. We’re not talking about financial loss and recovery here. We’re talking about safety and potential loss of life.”