A lot of attention is paid to cyberattacks on critical infrastructure. Disruptive or destructive events can have significant consequences, from sowing fear within a community to potentially disastrous human impacts like injuries or loss of life. These events are important, but when they are misreported or misunderstood, they cause confusion and alarm among asset owners and operators, defenders, and the general public.
During my talk at RSAC, I encouraged the audience to think critically about critical infrastructure and reporting on cyberattacks. Consider the reporting entity's visibility into the incidents it describes; try to distinguish hyperbolic wording from explanatory phrases backed up with data; and consider whether the group or company behind the report has a financial or political motivation, or stands to gain something from its publication. When weighing the legitimacy of a piece of research or a report, it is also useful to identify whether the claims have been validated by a third party, which adds credence to the report itself. (Hat tip to Motherboard's Lorenzo Franceschi-Bicchierai for pointing out something similar in a tweet I saw but now cannot find.)
Unfortunately, the Hollywood-esque idea of a country-wide blackout that grinds society to a halt is what many people consider to be the reality of the threat to the electric grid system. But the truth is less of a blockbuster.
- A destructive incident at one site would require highly tailored tools and operations and would not scale effectively to other sites.
- A ransomware infection in the financial services division of an electric utility doesn't automatically translate into a blackout.
- In most industrial environments the equipment can operate safely and independently for quite a while, so system downtime may have no effect on operations. It could, however, hurt business functions like shipping, sales, etc.
So why is it important to identify fear, uncertainty, and doubt (FUD) in reporting? It has a real impact on how people do their jobs: if incidents relating to ICS security are misreported, it creates a headache for defenders, owners, and operators who may not have the proper context. Additionally, it contributes to an overall misunderstanding among the general public and policy makers, who often make decisions based on public information.
It's worth noting that the phrase "hacking the grid" doesn't make complete sense. At a very basic level, the North American electric grid is complex and made up of regional and local electricity grids that are connected together into larger networks for reliability, with built-in redundancies for power resiliency. Cyberattacks are also not the only threats grid operators and other stakeholders consider when defending the US electric grid. The long-running joke is that squirrels and other animals should be considered their own APT group due to their ability to cause blackouts; it is, however, true that animals, natural events, vegetation like fallen limbs, and physical disruptions are all real threats to grid systems.
From a cyber perspective, threats to electric utilities — and ICS entities in general — include commodity malware that infects the enterprise environment and traverses the OT boundary to affect operations; supply chain compromise leveraging trust between parties to attack an ultimate victim; and adversaries “living off the land” and abusing native tools within IT systems as well as features and functionality within the ICS for initial access and lateral movement. (For more details about these threats, check out our 2018 Year in Review report discussing ICS activity groups and the threat landscape.)
Threats to the electric grid system are real and important. But it’s also important that they are effectively communicated and understood by asset owners and operators, defenders, and the general public to inform decision making, defensive strategies, and more thoughtful conversations about the true threats.