Somebody wants to punch our lights out – literally turn off the electric power grid. Who would want to do this? Who has the capability? Is it the Russians, who demonstrated exactly this attack in Ukraine two years ago? Or the North Koreans, who have both the motive and the cyber army to carry it off? Cybersecurity firm Symantec has attributed this campaign to a group it tracks as Dragonfly.
On October 20, I read an alert (TA17-293A) from US-CERT, the Department of Homeland Security, and the FBI that detailed an ongoing advanced persistent threat targeting the US electric grid and other infrastructure in the energy, nuclear, aviation, water, and critical manufacturing sectors. This alert is chilling.
The biggest problem we face as cybersecurity professionals is often getting ourselves to believe that we are a target, or that our highly secured network could still be vulnerable. The reason for this is that cybersecurity professionals are usually not trained to think like an attacker. In industry parlance, a typical security professional is a member of the “blue team.” The blue team plays defense. These people usually come up through network engineering, audit, compliance, or governance. They are bound by a set of rules, and usually play by the rules. Generally, they like the rules. They tend to think and act in accordance with the rules, and are therefore predictable. Cyber-criminals, hacktivists, and nation-state attackers, on the other hand, do not play by the rules. They are unpredictable. Attackers play offense.
The cybersecurity professionals who play offense are members of the “red team.” I am on a red team. As a red team member, I spend most of my time learning about the tactics, techniques, and procedures that attackers use to gain access to the networks and servers they have targeted. Then I use that knowledge to test the defenses of a client company.
A couple of weeks ago I attended the ISSA International Conference in San Diego, where I had the honor of being one of the presenters this year. This is a large cybersecurity conference, a gathering of cybersecurity professionals from all over the United States and the world. I met a woman from the security team at Xcel Energy, and happened to ask if she had read Ted Koppel’s book “Lights Out.” She was put off by the question, and told me that there are security systems in place to defend the electric grid from attack.
After reading this alert, I think her confidence is misplaced. This particular campaign is targeting critical infrastructure industries, but it would not take much editing to turn the same tactics against other important sectors such as government, health care, or financial targets. It is time to check what you believe about your company’s security posture. Do you think your defenses are good enough? You might be wrong.
On Friday we will explore this campaign in more detail.