Never has been a better time to practice one’s critical infrastructure attack skills

Last year was an interesting year for critical infrastructure protection. It began with the German Government’s Federal IT Department (BSI) issuing its yearly cyber incident report covering cyber incidents from the previous year. Noteworthy was the mention of a cyber-attack on the control systems of a steel mill that resulted in physical damage to the plant (1). The year ended with the cyber-attack on part of the power grid in Ukraine. This last event was significant as an indicator of the further evolution of threats emanating from cyberspace in terms of the level of skills achieved by the attackers in remotely disconnecting breakers at substations and in its effect on civilians who were left without power in the winter (2).

However there was an interesting event that took place a few months before in April of that year – the cyber-attack on national TV network TV5Monde in France. When I first heard about this it was reported as linked to Islamic motivated hacker activity and so I lost some interest in following the story. Yesterday this BBC article came out and it has me wondering about that attack (3). Two points presented in the BBC article about the TV5 attack in April stuck out for me: one, reconnaissance and penetration of the targeted systems started in January (well that makes sense) and two, the attack targeted communication systems used to run the TV/satellite network comprising 12 channels (sounds like a complex system). These two elements were also present in the cyber-attacks in Ukraine. Particularly the loading of corrupted firmware on the Serial-Ethernet devices used to communicate with and control the substations.

If the Ukraine crew was the same group that did the cyber hit on TV5Monde (article points fingers at “Russians”) in April they got some good practice last year. If separate groups were involved than two groups got some practice. If the attack on TV5 originated from a third group of Islamic hackers, that would be a very bad sign. I have been telling myself for a long time that there is no such thing as “cyber terrorism” or “cyber terrorist” in the Al-Q mold. The terrorists for now don’t have the smarts to know the advantages of safely and stealthily executing a cyber-attack and living to do so even better next time using new lessons learned. They also up to now do not have the skills and knowledge to develop and execute a cyber-physical attack on a control system. Unfortunately, if they have the desire but don’t have the know-how they can register for courses at Black Hat (4). The existence of this last group I hope is still hypothetical but in terms of attacking critical infrastructure offense has made a lot of progress in the past 2 years. Those of us who work on defense certainly have the chance (by applying technical solutions such as analog blocking devices for example) to succeed in defending critical systems from these increasingly sophisticated attacks but one can’t exactly be joyful at the prospect before us.

1. The State of IT Security in Germany 2014, Federal Office for Information Security
(Bundesamt für Sicherheit in der Informationstechnik – BSI) November 2014 page 31. https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf;jsessionid=8690A838B2E07AD18C27248762A36F2E.2_cid368?__blob=publicationFile&v=3

2. Cyber-Attack Against Ukrainian Critical Infrastructure, US DHS ICS-CERT Alert (IR-ALERT-H-16-056-01), https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01 February 25, 2016.

3. Corera, G., How France‘s TV5 was almost destroyed by Russian hackers
http://www.bbc.com/news/technology-37590375 October 10, 2016 BBC News.

4. https://www.blackhat.com/eu-16/training/index.html

https://enseccoe.org/en

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in information technology and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) and is member of ISA 99 Workgroup 13 that is developing Micro Learning Modules on the ISA 62443 Industrial Automation and Control System Security Standard and Workgroup 14 on security profiles for substations.