The supposedly new attacks on the electrical grid and other portions of the country’s critical infrastructure that came to light this week are in fact not new at all; they have been going on for several years. Attackers have been making serious inroads into U.S. government, utility and military networks for most of this decade, and the problem continues to worsen, security experts say.
“This is not new at all. It’s just coming to the surface now. It’s been going on for years,” said Tom Kellermann, vice president of security awareness at Core Security Technologies, and a member of a key commission that helped the Obama administration study the country’s vulnerability to Internet attacks. “There are 108 countries around the world that have been probing military, government and finance networks for years. There are not many critical systems that foreign governments don’t have backdoors in right now.”
A published report this week said that foreign spies had penetrated the U.S. electrical grid, mapping the system and leaving behind malware and rootkits that could be used to remotely monitor the compromised systems. However, Kellermann and other experts in critical infrastructure security said government officials and the operators of the power-generating companies have known about these attacks for some time, but little has been done to stop them or clean up the damage.
For a variety of reasons–lack of funding, lack of expertise on information security, poor communication with peer companies–the organizations that run the electrical grid and other utilities have not been able to put the right defenses in place. This wasn’t much of a problem 10 years ago, but now that most of the SCADA (Supervisory Control and Data Acquisition) systems are on Internet-connected IP networks, it’s a serious weakness in the country’s infrastructure, experts say.
“The CSOs at these power-generating companies have been speaking very specifically about the foreign threat and the issues they’ve seen threatening the SCADA systems, the grid, the control systems and so on,” said Eddie Schwartz, CSO of NetWitness Corp. “These systems were not intended to be on IP networks. These guys have a severe lack of visibility into the designer malware that’s being designed specifically for their systems.
“The power systems live in a very rudimentary world where these sophisticated entities come at them with very sophisticated attacks and they have no way of detecting them,” Schwartz said. “Very few run advanced security teams that can detect these attacks and when they go to collaborate with their peers, they’re met with blank stares and are facing someone who has no idea what they’re talking about.”
Kellermann, a former World Bank security official, pointed out that the practice of red-teaming, or performing penetration tests on critical systems, is essentially non-existent in the utility industry. “Red-teaming exercises are not going on in the SCADA world. They’re doing vulnerability assessments, which are not the same thing,” he said. “Even their technical guys aren’t that savvy with information security. And their mentality is, let’s not undergo tests when we don’t have the resources to fix what we find.”
There has been talk in the utility industry of putting together a comprehensive, industry-wide monitoring system, akin to the government’s Einstein system, that would enable the power companies to see attacks and share data with one another without fear of retribution from compliance authorities over network vulnerabilities.
“There are people who are focused on that and have understood the problem for two years, but there’s a need to break down the regulatory barriers,” Schwartz said. “I talked to someone at a large power company, and they want to do this, but the trick would be to do it with existing staff. For the private sector, we need to have a way to get them information from the government. The government is seeing the same things, so why is their data classified?”
Several experts said that the timing of the leak about the grid attacks is very likely tied to the fact that the Obama administration is close to finishing its 60-day review of the country’s information security defenses, and various agencies in Washington will be jockeying for funding and authority on security. It’s also an effective way for law enforcement agencies and intelligence organizations to push power companies and other private sector entities to get their acts together and share more information with each other and with the authorities.
“Law enforcement’s hands are tied when trying to thwart this stuff without the help of the private sector,” Kellermann said. “Until now the private sector has been able to maintain plausible deniability about these attacks. We need to build better castles. This goes to the integrity of the SCADA systems and the capacity for our adversaries to remotely manipulate these systems. The only way to thwart it is to let it bubble up.
“We need to get the word out to lift this mist of plausible deniability. We have to accept the reality that we have cancer, because we do,” Kellermann said.
*Image from srqpix’s Flickr photostream