MY TAKE: How Russia’s election meddling relates to industrial control hacks

By Byron V. Acohido

While America’s attention has been riveted on stunning disclosures of how Russia meddled in the U.S. presidential elections, the significance of a parallel, equally important development may have gotten lost. Don’t look now, folks, but the world’s superpowers are steadily marshaling forces to engage in an all-out cyber war.

History may yet prove that Russia’s manipulation of elections in America and elsewhere is, in fact, connected to the steady escalation of attacks on industrial control systems. And it’s not just Russia. Evidence has surfaced that China, the U.S., Israel and North Korea have also been maneuvering to take full advantage of the profoundly vulnerable state of so-called “OT” systems.

Quick context here: Gartner a few years ago coined the buzzphrase “operational technology,” or OT, to refer to narrowly focused networks — such as ICS (Industrial Control Systems), SCADA (Supervisory Control and Data Acquisition) and PLC (Programmable Logic Controller) systems — used to run physical systems and processes, as compared to “information technology,” or IT, systems that comprise modern-day business networks.

Acohido and Myer

Both IT systems and OT systems have come under steady, relentless cyber attack. But OT systems have a distinctive exposure: they were architected to perform specific, narrowly focused tasks before the Internet emerged as the engine of global commerce, so they were never designed to withstand remote, networked adversaries. That means ICS, SCADA and PLC systems are uniquely vulnerable — and comparatively unprotected.

Global cyber war scenario

Nation-state backed military and intelligence operatives have long known this, of course, and have been moving since at least the start of this century to take full advantage. A global cyber war most likely will be centered around warring nations attacking and defending their respective critical infrastructure: power grids, transportation systems, financial institutions, manufacturing plants and, yes, election systems.

Related podcast: This is how a global cyber war will unfold

Highly vulnerable ICS, SCADA and PLC systems continue to present wide open targets. So cyber operatives have been on the move for the past 20 years, give or take, to gain deep access wherever they can.

This is no secret in the military and intelligence communities. Every now and again, glimpses of this unfolding cyber Armageddon scenario surface publicly. Time Magazine chronicled China’s orchestration of the Titan Rain attacks on U.S. industrial targets from 2000 to 2003; and Wired reporter Kim Zetter dissects the involvement of American and Israeli operatives in infiltrating Iranian power plants in her 2005 book Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon.

The most recent disclosure of this type came two weeks ago from federal authorities — but got scant coverage in mainstream media. The Department of Homeland Security and the FBI issued a joint technical alert essentially summarizing disclosures from FireEye and Symantec that have been trickling out all year regarding the role of a Russian hacking ring, known as Dragonfly, in hacks that shut down the power grid in Kiev, Ukraine for several hours in two separate attacks.

The warning ties Dragonfly’s power grid hacks in Kiev to a wide array of similar hacks, including the infamous WannaCry and NotPetya ransomware attacks that impacted hundreds of organizations, causing hundreds of millions of dollars of damage, earlier this year. Here’s an excerpt from the DHS-FBI alert:

“Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks. Historically, cyber threat actors have targeted the energy sector with various results, ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict. Historically, threat actors have also targeted other critical infrastructure sectors with similar campaigns . . .

. . . This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third party suppliers with less secure networks. The initial victims are referred to as “staging targets” throughout this alert. The threat actor uses the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. The ultimate objective of the cyber threat actors is to compromise organizational networks, which are referred throughout this alert as ‘intended target.’ ”

One way to look at Russia’s election meddling and the WannaCry/NotPetya ransomware campaigns is that we are already in the early stages of a global cyber war. If there is any good news associated with these disclosures, it is that public visibility is coming at a time when technology innovations from startups like Tempered Networks, CyberX and Veracity Industrial Networks are arriving to help modernize legacy OT systems, with an eye on security. I had a chance to discuss the bigger picture with Paul Meyer, Veracity’s CEO, at Black Hat Las Vegas. For a deeper dive, please listen to the accompanying podcast.

(Editor’s note: Last Watchdog has supplied consulting services to Veracity.)
