In lieu of the recent ransomware cyber attacks on critical supply chain assets, Enigma Forensics analyzes two recent cyber attacks and what lessons we have learned.
Cyber attacks on our supply chain. Will it stop? Enigma Forensics is a cyber forensic company and our love for data security keeps us focused on the 4W’s and 1H of a Cyber Attack. Here’s the latest of two very important cyber attacks on our crucial supply chain.
Who was involved? What happened? When? Where? How did it happen?
On May 7, 2021,Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas, experienced a ransomware cyberattack. Colonial Pipeline carries gasoline and jet fuel mainly to the Southeastern United States. The cyber attackers impacted computerized equipment managing the pipeline. They took the company offline and wanted a sizable ransom to reverse the cyber attack.
This pipeline disruption caused an immediate reaction. Americans felt a rise in gasoline prices, people were panic buying and there were crazy long lines at the pump. Some areas reported no gasoline at all. What was the company’s response? Colonial Pipeline’s CEO Joseph Blount reported, they learned the criminal cyber attackers infiltrated Colonial’s computers through a legacy or old virtual private network, commonly known as a V.P.N.
Joseph Blount, CEO of Colonial Pipeline paid approximately $5 million in Bitcoin ransom to the attackers. Blount told the Senate Homeland Security Committee at a hearing, paying the ransomware was the hardest decision of his career. Blount said he knew how critical Colonial’s pipeline is to the country and he put the interests of the country first. When asked about the security on the particular VPN that was hacked, Blount said it was not a two-factor security password that texts to a phone but single factor authentication using only a plain text password. He said it was more complicated than the typical Colonial123 password. Lesson learned?
Following the attack on Colonial Pipeline, another ransomware cyber-attack occurred on our supply chain.
JBS Meat Packing Hack (it rhymes!)
JBS is considered to be one of the largest meatpacking companies in the world. At the end of May, they reported cyber criminals used ransomware to take over the company’s network systems and stopped meat production. JBS revealed they made a payment of $11 million to a Russian-speaking ransomware gang called “REvil” to protect JBS meat plants from any further impact on farmers, grocery stores, and restaurants.
Why are we seeing a surge in targeting a crucial supply chain?
There are many contributing factors in the recent wave of hacking attacks. It’s a fact more folks are working from home and lack the cybersecurity necessary to guard against intrusions. Another large contributing factor is that software used to allow bad actors to break into a network system is more sophisticated and readily available. The largest factor is that the United States companies are more globally connected than ever before therefore increasing their exposure to cybercriminals.
Who’s in Charge?
You might be asking who is in charge. It’s the United States Department of Homeland Security (DHS). Its stated missions involve anti-terrorism, border security, immigration and customs, cybersecurity, and disaster prevention and management.
Cyber Security Prevention
June 10, 2021 – The Department of Homeland Security Cybersecurity and Infrastructure Security Agency unveiled guidance for defending against ransomware attacks targeting operational technology assets and control systems, in light of the rise in critical infrastructure attacks.
After the most recent Iranian attacks most people don’t think about the danger to our Energy Sector that lurks in the global underworld. Cyber Security Experts Lee Neubecker and Geary Sikich are on the job! They say we can tighten our security and detect cyber attacks before they happen.
Energy Sector Intrusion Detection is complicated and delicate and necessary to maintain our power grid. The Energy Sector provides energy for the world and must be secured and protected. Many detection tools and resources of expert precision are used to ensure the security of these precious resources. Think about it? What do you do on a daily basis that doesn’t involve energy or some type of energy? Enigma Forensics CEO & President, Lee Neubecker and Geary Sikich, Principal at Logical Management Systems, Corp. put your mind at ease and dissect cyber security and intrusion detection systems that are utilized by the Energy Sector.
This is Part 2 in the four-part series on Energy Sector Cyber Insecurity.
Lee Neubecker (LN): Hi, I’m back on the show again with Geary Sikich, thanks for coming back on the show.
Geary Sikich (GS): Thanks for having me back Lee.
LN: So we’re continuing our series discussing about global cyber insecurity as it relates to energy sector. In the second part of the series we’re talking more about detection of compromise. Um Geary, what’re your thoughts in this area?
GS: I believe that there’s a lot to be looked at in terms of the detection aspect, and this is one of the areas where you from a forensic standpoint, provide sort of a critical juncture, what’re you seeing that the general person, and even the general employee of the utility, might not be seeing? And might not be aware of?
LN: Well we know from reports by Dragos Cyber Security firm, that there’s a number of groups, I think around 11 groups are specifically targeting the energy sector. This report just came out this month, so there is a heightened attack readiness requirement to defend against these attacks. And the key thing that organizations need to be doing is they need to know that they have their firewall actively logging, and they need to be looking at those logs.
GS: Those are all state sponsored groups, right?
LN: Well, we don’t know exactly who they are, there could be terrorist cells, the Dragos report doesn’t give attribution as to the entities behind them. They describe the types of attacks, and the character of the attack methods, but there is a number of them that you can check out, there’s a link that will take you to their report if you’re interested in reading it. But you know, often times organizations fall compromised, and they don’t know it, and these things go on for a long time. There was a credit reporting agency attacked recently, for instance.
GS: So from a detection standpoint, the challenge that industries are faced with, cause our focus is going to be on the energy industry, so we’ll get energy industry. In general, the challenge that they face then, is that it’s not just what we perceive could be state sponsored hacking of their systems, it could be individuals, it could be terrorist cells, it could be pretty much anyone with a desire to infiltrate a system whether it’s to do harm, or whether it’s just to see if they can do it
LN: Exactly. The barrier to entry to launching one of these attacks is much lower. It requires knowledge, but the knowledge could be in the head of a teenager, that got rejected at school and wants to take the power out in his town. So that’s a legitimate problem. Now related to detection, I mentioned the firewall logs, there’s a great product out there called, Canary. Have you heard of it?
GS: No, it’s new to me.
LN: Essentially, it’s a company they tell these little devices, you deploy in your network, and they can pretend to be a payroll mass, health care information system storage database, or you can make it be whatever you want. But it’s essentially trying to lure an attacker. So if someone’s in your network, there going to scan your network to look for resources and it will detect people trying to brute force that item. So these items are a great way to have another way of knowing are you compromised. If organizations that had recently been publicly compromised, that didn’t know it for many years had some of these devices in place, they would probably know pretty quickly, like within a day or so, of someone getting through their firewall.
GS: So the challenge then I guess, from a detection standpoint, and the way we’ve seen it, and in discussions with organizations that I’ve worked with. Is that it’s not a single point of penetration that we have to worry about, it’s become multiple points of penetration, and multiple points that are not necessarily hard wired into the operating system. So utilities in a lot of respects have gone out to do with their status systems, monitoring your water usage, or electric usage, all remotely, and you periodically might see a utility vehicle drive by, and they may have a cellular type phone system, that goes by and scans your homes to see what your energy usage is. So those all become a factor. We get into detection in terms of things, we’ve mentioned today shipping is a big issue, and we mentioned with the current situation with Iran, the concern over the Strait of Hormuz, but shipping in general, navigation systems, have been targeted, not only by state actors, but by other groups. So you have navigation systems which is not just water born shipping. Think of where navigation systems are today. Look into your pocket and see your cell phone.
LN: Well we had the recent issue with the Boeing Max airplane, it turned out the sensors were damaged. Well these sensors they’re called MEMS sensors, they’re a combination of electro-mechanical sensors, and if the chip is hit at the frequency that matches the natural frequency of the component board, it can actually cause the chip to malfunction and report erroneous readings temporarily. Or if the frequency matches and it’s of a great enough amplitude it can actually damage the chip. And there hasn’t been much discussions about whether these chips were cyber-attacked but it’s very possible, if you look up University of Michigan, they have research on MEMS chip sensors and interestingly enough, the patent for these sensors was a Boeing patent. So there’s not a lot of talk about that and I think more likely if the chips were damaged, it’s more likely they were damaged while they were on the ground interestingly enough, the two crashes that occurred were in countries that had a lot of terrorist activity.
GS: I think the other aspect with detection is that when you begin to bring out a point like that, people have a tendency to assume durability of systems when systems can be very sensitive to, if you will, shocks, minor shocks to the system. So it’s not necessarily the physical attack, you could take the example recently Puerto Rico has had an earthquake. What damages were incurred by the, on their systems as a result? That are undetected yet. The sensitivity of systems I think has become really critical in a lot of these aspects.
LN: But like with these chips we’re blending mechanical with computer embedded processors. So like these chips think of an opera singer, that sings the natural frequency of a wine glass. If he sings it loud enough, that glass will shatter. It’s the same concept with this chip. You can fire sound at it, if you’re close enough, or if you have a strong enough amplifier, you could fry it. Now that could happen, a drone could potentially launch a sonic attack, someone onboard, a passenger could do it, cleaning crew coming through could do it. So these are some questions that it’s kind of a new paradigm but we even had issues with military aircraft having this uptick in crashes, and these same types of systems are in the newer military helicopters and planes and whatnot. So I think it was good that the military grounded some of these devices that were having these problems, And you know the investigation, I’m sure, continues and the public may not fully be briefed on this, but it is a threat that needs to be detected before people die.
GS: So the real issue with the situation that we’re in, with this kind of global insecurity if you will, is our ability to detect has been I’ll put it in these terms, if our ability to detect has been compromised by virtue of the disruptive technologies that exist that are making detections more and more of a challenge, because they’re becoming more and more subtle in how they entered in the system. So I can have a system that looks like it’s working perfectly, and yet at a point be compromised like the mechanical system that’s supposed to open a valve, and it’s been doing it for a long time, and then suddenly it either leaves it open, or completely shuts it.
LN: This is where it’s important that these entities have an accurate inventory of what their equipment is, and they also have an accurate inventory of the embedded systems and what that software code should look like. And they should have procedures in place to periodically verify that the embedded firmware chips that do these functions haven’t been altered. Otherwise they won’t even know, and something could happen at a very critical time. So that wraps up our section on detection. In our next segment will be talking about helping to protect against these types of attacks.
Watch the other segments on Cyber Insecurity in the Energy Sector
Learn more about cyber security and data breach from Enigma Forensics.
Check out the government’s directives on cybersecurity as it relates to energy infrastructure.
Global Energy Sector Cyber Insecurity can lead to complete chaos that will be felt throughout the world. Neubecker and Geary Sikich who are experts in cyber security and incident response share their solutions.
Energy Sector: Global Cyber Insecurity can lead to global calamity. If a major attack happens there would be a cascading effect with catastrophic results. In lieu of the most recent Iranian conflicts, the Energy Sector, as well as Corporate America, has been warned by our government to be aware of imminent security threats. Enigma Forensics CEO & President, Lee Neubecker and Geary Sikich, Principal at Logical Management Systems, Corp. take apart the many threats that will affect the Global Energy Sector. Starting with SCADA, which is a computer system for gathering and analyzing real-time data. Cyber Insecurity means if hacked the SCADA systems would have a rippling effect.
In this four-part series, Lee and Geary will discuss cyber threat detection, protection and global incident response in the Global Energy Sector.
The video transcript for Energy Sector: Global Cyber Insecurity follows.
Lee Neubecker (LN): Hi, I’m here again with Geary Sikich on my show. Geary is the president of Logical Management Systems, a business consulting and risk advisory firm. Geary, thanks for being on the show again.
Geary Sikich (GS): Thanks for having me back, Lee.
LN: So today we’re going to talk about the current state of global cyber insecurity. News events have been published detailing Iran’s potential cyber response. The energy sector has been put on notice to be looking out for attacks, as well as corporate America. So Geary, what is the current state of cyber risk as you see it?
GS: I think it’s kind of appropriate to begin to look at it as you introduce it, global insecurity. One has to begin to look at how secure are you? And in the context of how secure are you, how secure is our infrastructure. All the things we depend on for our day to day lives. And how we live, literally. So everything from your food on the table to the heat, to clean water, to your heat in your home, et cetera, all become potentially
LN: Transportation, travel, and fulfillment.
GS: Road systems, everything that’s out there.
LN: So we’re going to be talking about the highest areas of concern where a rogue terrorist organization might want to strike or a nation state that we’re at odds with. And unfortunately, we have quite a few. Later on in the second, third, and fourth segment we’ll be talking about detecting threats. In the third segment, we’ll be talking about protection against that, things that can be done proactively. And then finally, in the fourth and last segment we’ll be talking about responding to compromises, incident response, and how to recover and get back up online. So Geary, can you give everyone an understanding of what encompasses SCADA devices and what SCADA means?
GS: SCADA systems were developed for the use to control operations and utilities and other areas. It’s called the Supervisory Control and Data Acquisition.
LN: So what kind of devices make up SCADA devices?
GS: Everything from the control of pipelines, utility, electricity functions, all the way onto healthcare, pacemakers and other types of systems.
LN: CPAPs. So these are critical systems. These are systems that if someone wanted to cyber attack and really hurt us, they’re natural targets. And they’re classified as such because they have to be regulated and handled in a way to help keep them safe.
GS: Yeah. And the problem we face is not that these are systems that are so vulnerable, the problem we face is that because of the technology that we’ve embraced over the years since 1999, so that’s what, almost 20 years now. Or it is 20 years now. That those systems have become so embedded that we have gotten rid of the manual systems that they replaced. So things like switching for railroads. You would be hard pressed to find manual switches available to the industry. Because they got rid of ’em, and they were scrapped, and they’re gone. No once produces them, or should I say, they’re produced in limited quantities. And they’re hard to get. The things we depend on in a lot of respects for the smooth running of our infrastructure become very critical to us because there are no alternatives for those systems. And as a result, we become more and more vulnerable to a infiltration of the systems for disruption.
LN: And then we also have what’s known as FPGA’s, Field Programmable Gateway Arrays. They’re microprocessor controllers that can be programmed that can actually be altered by an attacker to change how these systems function, the logic that works. We can only think of, what would happen, Geary, if a nation state that we’re in a conflict with, what would happen if the water filtration system sensors were altered to put water out that appears safe but isn’t?
GS: I think you see a lot of that today simply because the threat levels are such that we have to make sure these systems are so well protected. And unfortunately, the ability to protect the systems is not necessarily as good as it should be, let me put it that way. It’s not that they’re bad, it’s not that they’re behind the times, it’s just that they’re trying to keep up with things that are changing so rapidly. Technology disruptions, and disruptive technologies today have made a lot of systems sort of antiquated before their time. And the problem is that, to keep up with replacement, to keep up with the viability systems becomes another burden to the system. Another critical issue in this global insecurity aspect is look at the talent pool that’s out there in the workforces, and you start to begin to realize that there are very few people that are talented in the areas where we need them. I think in our last segment that we did I mentioned that in the energy industry, nuclear engineers, petrochemical engineers, desperately needed areas because their workforce is transitioning and the skill levels are not there. So that becomes a real challenge.
LN: Just the past, in this month alone, cybersecurity firm Dragos issued a report showing that there is a number, I think around 11 groups that are actively targeting the energy sector and trying to take out various providers of energy. Oil, gas, you know, nuclear. There’s other threats there. You know, locally here in Chicago, you’re in Indiana, we’re in Illinois, what part of the energy sector to you think is at greatest risk?
GS: Well, I think the interesting point with that is that the bigger players, Commonwealth Edison, NIPSCO, Northern Indiana Public Service, are doing their part to ensure that their infrastructure is well maintained and protected. The problem we run into is that they’re not the only utility providers. If you look at across the United States, there are so many smaller utility providers, co ops, small utility companies, that don’t necessarily have the resources
LN: They don’t have the scale.
GS: Yeah, the skills. And the problem that they encounter and we encounter as a result is that they are critical links in the grid system. So everything from water, gas, electric, telecommunications, et cetera, all dependent on a lot of these small players. And getting one to go could potentially offer cascade effects to all the others. And as it cascades, things can get even more disruptive.
LN: So you could actually take down the big electrical utility by getting enough of the small, vulnerable electrical co ops and launching a cyber attack on the electrical co ops to then take out the big giant. Because when these happens, you have power imbalance. And Kirchhoff’s Law dictates the flow of electricity, and it will flow where it’s weak, and the current flows, well that can cause line tripping and power outages.
GS: Yeah. And I think the thing that people have to realize is that the apparently most vulnerable things are not necessarily the ones that are the most visible. And I say that in this respect, we look at power plants, we look at nuclear plants, and there’s a fear of someone attacking the plant. In reality, it’s the part of the system that are not related, or that are related, linked to the power plant, but not directly.
LN: It’s an interconnected system.
GS: It’s the transformers
LN: Everything from endpoint demand to supply. And in our prior video we talked about manipulation of endpoint demand that could cause a cyber attack.
GS: And it’s the step up and step down systems. When you generate it, electricity’s stepped up, it goes over transmission lines, it goes to a point, it’s stepped down and then it goes in the user groups, the residential, your cities, your smaller industries. So you start seeing these as being potentially vulnerable in a respect. In terms of vulnerability is that we have to begin to look at the users and begin to differentiate which ones are what we call interruptible and which ones aren’t.
LN: So in our next segment, we’ll be talking about detection of these threats, and then finally after that, the third segment we’ll talk about protecting and what organizations should do such as electrical co ops, things they can do to get ahead of this. And then when things invariably do go wrong, finally we’ll talk about incident response. So tune in next time, and please, we appreciate your shares, likes. Sign up for my YouTube channel if you liked this and you’ll get alerted when we publish the next one. Thank you.
Learn more about Global Cyber Security from Enigma Forensics
More on Global Security …
Here is the bulletin issued by the Department of Homeland Security on Global Security
Are you ready for a power outage? Check out this video for Cyber Readiness and Power Outages tips.
Enigma Forensics CEO & President, Lee Neubecker and Geary Sikich, President of Logical Management Systems, tackle the strategies you need to know to prepare for a cyber attack. Each describes in detail the importance of cyber readiness starting with power outages.
The transcript of the video follows:
Lee Neubecker: Hi, I’m here today with Geary Sikich. Geary is the President of Logical Management Systems. Thank you, Geary, for being on the show.
Geary Sikich: Thank you, Lee.
Lee Neubecker: So we’re here to talk a little bit about cyber attacks on the power grid, and what impacts that could have on businesses and individuals alike. All right, Gary, is the future of war likely to be cyber, in your opinion?
Geary Sikich: Well Lee, I think there’s three aspects of that that we need to look at. There’s what I’ll call a strategic aspect, which in effect, we’re already in a cyber war in many respects. Nation states are using cyber in a lot of different ways. Not necessarily as disruptive as it could be, but it’s got the potential to expand. There’s then another level down from there which I’ll call operational, which is targeting specific locales and areas. And then, what I’ll call a tactical level where you’re targeting individual facilities to include even neighborhoods at this stage. And one of the things I think you’re going to see in the future is that there’s going to be more of a reliance on these disruptions because of the great impact they have on businesses as well as the general population.
Lee Neubecker: Yeah so, one of the things that I had lectured on before was some research that came out of Princeton University on a topic called MadIoT, which relates to manipulation of end user demand by attacking insecure Internet of Things, IoT, devices in homes and whatnot. And essentially, what the researchers found was that by taking over enough routers in homes, you could compromise Wi-Fi devices attached to high-wattage appliances like Internet-enabled microwaves, toasters, heaters, things like that that would draw a lot of current, air conditioning systems and that by attacking adjacent neighborhoods, you could manipulate power demand in one neighborhood such that the power’s going off or down low, and then the adjacent neighborhood causing all these appliances to come on, which by only creating a small disturbance in balance of power, Kirchhoff’s law that dictates the flow of electricity could cause faults in lines as electricity moved from one neighborhood to another in spikes, and that that type of attack could effectively knock out parts of the grid. There are a lot of factors, obviously, that could knock out the grid, but what have you been advising your clients to do in advance of such an outage, to help them mitigate the risk and protect themselves?
Geary Sikich: One of the things we look at with that issue, and it’s a very big issue, and it ties into the areas I previously mentioned, the strategic, operational, and tactical, is to begin to look at how you can be resilient as an organization. So, I’ll give you an example. A colleague who was at a firm in Southern Illinois, they were about to move to a larger building. And one of the things he was charged with was developing the plans and then getting the move set up. They didn’t have a generator, and I highly recommended to him that they get a generator. They decided to do it, and to their benefit, once installed and once they got it in the building, they had a localized power outage which, for them, was a non-event so to speak because the generator immediately kicked on. They didn’t lose any power. As a commodities trading firm, they’re very dependent on the ability to communicate electronically for trade. So when we got to analyzing things, I asked, “What did you think?” and he said, “Well, it cost “probably a quarter of a million.” And then I asked the second question, which I think was more relevant and important as he understood it, “What was the cost in lost trades, if you’d have not “had the generator?” He said, “About $2 billion.” So the immediate impact on these things is that organizations really need to think about how can they secure a power supply for themselves so that they can effectively operate independently of the grid in times of a crisis?
Lee Neubecker: So an adversary of a financial services company could actually cause massive harm by targeting and causing a power disruption, knocking out the trading facilities–
GSL Yes. LN:Costing them billions of dollars.
Geary Sikich: Yes. And the interesting part about that is, that when you begin to look at it, it’s not just that immediate impact, it’s the cascading impact that goes throughout the entire system. So you knock out the trading aspect, you suddenly knock out the logistics of movement of products and services, and it cascades throughout the entire system if you will.
Lee Neubecker: So what do you see are the other downstream potential impacts to a prolonged outage?
Geary Sikich: Oh, prolonged outages are one of the concerns that a lot of organizations have. What do I do to keep my business in business if we’re faced with a long-term outage? Natural disasters have shown us that it can take up to and beyond a couple of years to recover. A lot of organizations literally could go out of business as a result of not being able to have the financial resources to weather a storm like that.
Lee Neubecker: Well, this has been great stuff. I really appreciate you coming on the show, Geary. Thanks a bunch.