Last week I participated quite by accident in a NATO „live-fire“ cyber exercise called „Locked Shields“. Part of it was held in my building since we provided work space for the team from Lithuania in this on-line international military exercise. I was interested in getting inside but without an invitation I thought I would just wonder outside the doorway. Someone recognized me and this led to my getting invited in. Coming so late I must admit that I was not prepared to actively engage in any Red Team or Blue Team activities so I mostly observed as a member of one of the strategic groups that focused on legal issues. I did try to answer the legal questions but I was mostly looking at what those military cyber samurai were doing in the center of the room. Was most curious to see what was being targeted and how they were being attacked.
What I saw really impressed me. Here are a few highlights. First of all there were the targeted assets which consisted of what I truly would call critical infrastructure. Namely electric grids, water facilities and even a warship. The attacks were not just targeting the “office IT” with a DDOS but were seriously trying to go after the industrial control systems. The red teams mostly succeeded in reaching their attack goals although the blue teams gave them a hard time of it. One of the reasons for these successes was that the red team attacked the blue team’s assets with custom made malware. This made sense as a way of getting by any known virus signatures. Some blue teams made it too easy for the red team by initially not installing any anti-virus software. In addition the blue teams were late in changing default passwords for domain controllers, workstation and other targeted systems. Credential theft was a major attack vector and was used to amplify efforts to go after SCADA control and even reach PLC’s.
I have recently heard from some asset owners of their confidence in the use of firewalls to insure there are no breaches that allow for attacking their “crown jewels”. This exercise showed that such defenses can be easily breached. Three firewalls went down in the opening minutes of the exercise. I later overheard someone summarizing at the end of the exercise that there are “42 ways” to defeat a firewall. So much for the belief in a solid network defense perimeter of air gaps and firewalls. When the ship was compromised that told me that a “sea gap” could also not guarantee security.
Patching came up in this exercise as well. The malicious binaries were easily installed on unpatched systems. Patches were applied too late by the Blue Teams after realizing how vulnerable they were. I kept thinking of those asset owners who consider patching industrial control systems an “unacceptable industrial risk”. Add that to a policy of no or infrequent anti-virus scanning and you end up with a strategy that will lead to surprise and painful losses.
The participants came from a wide background of military, government and manufacturers. One suggestion that could be made to improve the realism of the exercise is to invite engineers who actually have experience in industrial operations. It would happen that a power grid would go down after a cyber-attack and the progress report notes that “power restored in couple of hours”. Perhaps an engineer who actually had to deal with what it is like to “black start” a downed grid could provide some insights into the complex issues involved. I think of the lessons learned from the Plum Island exercise. There is also a concern about working inside a too narrow understanding and missing what else could happen in a crisis. While a cyber-attack could succeed in manipulating equipment to poison the water supply it could just as well be accomplished using more physical low tech means such as pumping poison (too much chlorine) from a truck directly into an opened fire hydrant (heard about this from an engineer colleauge). This complicates the exercise of course but then again if we want to deal with a cyber caused crisis we also need to be aware of the other ways the bad guys can succeed in their task. The heroic 300 Spartans tragically learned this at Thermopoly when the Persians discovered (from insider information) that there was a goat path around that famously defended pass.
The final take away for me is the realization (or confirmation) that if the good guys in the military are learning to attack and defend industrial control systems the operators in the real world need to consider what the bad guys in unfriendly militaries are up to when they review their cybersecurity policies (if they haven’t started to already).