There is a growing war among nations and the potential victims may not even know they are targeted as pawns in a larger geopolitical game. This war is not being fought openly with the same territorial expansion objectives of conventional 20th century warfare or with the threat of mutually assured annihilation from the Cold War. Rather, it is being waged just below the threshold of armed conflict to advance geopolitical agendas. Now that I have your attention, let me explain.
Just as the world came to recognize IT cyberattacks as a new form of crime, motivated by profit, we must now recognize industrial cyberattacks as tactics in a new form of “economic warfare” being waged between nation-states to gain economic and political advantage without having to pay the price of open combat.
Malicious actors have shown they are quite adept at gaining access to vulnerable ICS networks, as we have seen a dramatic increase in successful penetration of industrial environments over the last 18 months. Though most of these intrusions have not yet resulted in an attack, we must interpret them as steps toward establishing persistence on vulnerable systems as part of a longer-term agenda.
So, why do industrial networks make such attractive targets? Three reasons:
● The infrastructure they control is highly valuable. The world economy depends on industrial production, and countries depend on their critical infrastructure for the health and well-being of their citizens.
● It is an efficient means to cause tremendous disruption and economic loss to the targeted nation without having to take responsibility for the act. One of the hallmarks of this economic cyberwarfare is the lack of attribution for attacks. There is no satellite imagery to show massing of troops or real-time tracking of missile launches, and certainly no claims of responsibility. These attacks are not discovered until well after they are launched, and while forensic analysis may point to a likely adversary, deniability is easy.
● ICS networks are unmonitored and unprotected. There are several contributors to this. Historically, there has been a lack of a clear mandate as to who is actually responsible for those networks – the Security team or Operations. Poor visibility into what devices are actually on the network is also a significant issue. Our field teams frequently surprise clients by finding previously unknown assets during a network scan. And the widely held belief that industrial networks were sufficiently air-gapped from the outside world has largely proven false.
2018 has already seen several events which confirm the escalation of this war. In March, the U.S. Department of Homeland Security and the FBI issued a joint tactical alert conveying that Russian government threat actors have been targeting multiple critical infrastructure sectors, including energy, nuclear, commercial facilities, water, aviation, and critical manufacturing, since at least March 2016. Also in March, the U.S. Cyber Command announced their new command vision in which they acknowledge some state-sponsored threat actors are now near-peer competitors in this domain.
In addition, last week Cisco’s Talos threat intelligence unit reported that more than 500,000 routers and storage devices worldwide have been infected with the VPNFilter malware. VPNFilter has a high degree of overlap with BlackEnergy, a malicious payload widely attributed to Russia and previously used to attack Ukrainian infrastructure. Talos further observed a spike in infections of Ukrainian hosts, possibly signaling staging for a repeat attack to coincide with Ukraine’s Constitution Day celebration in late June. This followed Talos’ April alert that a vulnerability in Cisco switches had been targeted by advanced actors resulting in several incidents in multiple countries, including some specifically targeting critical infrastructure.
These geopolitical attacks and their impact on industrial infrastructure are beginning to receive more attention in the press, in the halls of government, and in the corporate boardroom. These are all positive steps, but what you as a security professional care most about is what you can do today to reduce the risk of becoming a casualty of war and a headline in tomorrow’s news. In my next column, I’ll discuss some measures you can take immediately.