November 2016 has been proclaimed Critical Infrastructure Security and Resilience Month. This is an annual effort, beginning this year, to educate and engage citizens about the vital role critical infrastructure plays in our nation’s well-being and why it is important to strengthen critical infrastructure security and resilience.
Critical infrastructure are assets considered so vital to the daily function of our way of life, that their incapacitation would have a debilitating effect on the security and safety of our citizens. They are essentially the things that most of us take for granted. There are 16 critical infrastructures that span every sector ranging from chemicals, to dams, to healthcare, agriculture, power, water systems, and transportation, among others.
Perhaps the most pertinent to the services we provide as a company is the information technology sector. The Department of Homeland Security acknowledges that “America’s national security and economic prosperity are increasingly dependent upon critical infrastructure that is at risk from a variety of hazards and threats, both natural and man-made, such as…cyberattacks, or evolving terrorism threats, that impact our economy and communities.” Additionally, nearly all critical infrastructures rely heavily on cyber and network support to operate these essential systems. According to Shodan Research, the U.S. alone has over 57,000 industrial control systems on the Internet, and weaknesses in older systems are easy to identify and exploit online.
Critical Infrastructure Security and Resilience Month gives us an opportunity to recognize the importance of critical infrastructure protection to our nation. I also view this as a call to action and a challenge for CrowdStrike, and other organizations, to work towards solutions for safeguarding our national assets. Our CrowdStrike Services team proactively and predictively works to ensure that our clients’ organizations do not fall prey to cyberattacks, by anticipating threats, protecting their networks, and improving their ability to thwart breaches. When speaking of necessities that are fundamental to keeping our country operational, however, it is imperative that we understand and face these threats head-on.
I want to share with you a few examples of how nefarious actors can affect our – or any country’s – critical infrastructure sectors.
Example #1: Ukrainian Power Grid Attack
- In Spring 2015, hackers used spear phishing campaigns to target IT staff and sys admins at power grids across Ukraine.
- When workers opened the email attachment, their machines were infected with BlackEnergy3, opening a backdoor to the hackers.
- Since the networks were segregated with firewalls, the attackers spent months conducting reconnaissance, exploring and mapping networks, and reconfiguring the Uninterruptible Power Supply (UPS) which provides backup power to the control centers.
- Just before Christmas Eve 2015, they entered the network through the hijacked VPNs and sent commands to disable the reconfigured UPS – thereby plunging 225,000 customers AND operators at the power centers into the dark, and taking substations off the grid.
- They simultaneously launched a DoS attack against customer call centers to prevent customers from reporting the outage.
- Once the attack was complete, they used the malware KillDisk to wipe files from operator stations.
- From the operator at the power stations’ perspective, attackers took control of the cursor as he watched it navigate across the screen towards buttons controlling circuit breakers and taking them offline; attackers had changed his password, preventing him from gaining re-entry.
- One investigator on the case was quoted as saying: “Operation-specific malicious firmware updates in an industrial control setting has NEVER been done before. From an attack perspective, it was just so awesome. I mean really well done by them.”
- For a full analysis of this attack, go to http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf.
Example #2: Iranian Hack of N.Y. Dam
- In 2013, Iranian hackers infiltrated the control system of a small dam outside NYC via Google hacking. (Google hacking/dorking is a technique utilizing Google searches and applications to find security holes in the configuration and computer code of websites and other systems.)
- The hackers identified an unprotected computer, accessible via cell modem, that controlled the dam.
- Officials uncovered the dam breach while investigating the same hackers, who were conducting attacks on the U.S. financial infrastructure.
- Fortunately, the dam was out of commission for repairs during the attack, so the gate which prevents flooding of low-lying areas was not affected.
- However, it’s cause for concern that this may have been used as a testbed for larger-scale attacks on U.S. infrastructure
- For N.Y. Gov. Cuomo’s statement on charges against the hackers, go to http://www.governor.ny.gov/news/statement-governor-andrew-m-cuomo-cyber-attack-charges-announced-us-attorney-general-loretta.
Example #3: Lansing, MI, Board of Water and Light (BWL) Ransomware Attack
- In April 2016, ~250 employees of the Lansing, MI, BWL were victims of a ransomware attack.
- An employee opened a malicious attachment, infecting with malware, encrypting files, and paralyzing a string of internal computers.
- BWL was forced to shut down its accounting system, limit email service, disable customer assistance phone lines, and suspend power and water utilities in the area.
- BWL executives were quoted as saying they “thought” they had up-to-date antivirus software, but later determined their product was not from a company that could manage ransomware.
As members of the critical infrastructure community, I’m extremely proud of the work CrowdStrike does to protect our way of life. Whether we’re remediating the DNC hack by foreign nationals, protecting a financial institution’s firm from an organized crime group, or thwarting the theft of research and development from a major healthcare company, we are leading the charge in next-generation endpoint protection. If your organization is not ready for this new wave of attacks, go to our proactive services page to learn more about our proactive and incident response services and how we can protect you from the next major breach.