Energy Sector: Intrusion Detection

After the most recent Iranian attacks most people don’t think about the danger to our Energy Sector that lurks in the global underworld. Cyber Security Experts Lee Neubecker and Geary Sikich are on the job! They say we can tighten our security and detect cyber attacks before they happen.

Energy Sector Intrusion Detection is complicated and delicate and necessary to maintain our power grid. The Energy Sector provides energy for the world and must be secured and protected. Many detection tools and resources of expert precision are used to ensure the security of these precious resources. Think about it? What do you do on a daily basis that doesn’t involve energy or some type of energy? Enigma Forensics CEO & President, Lee Neubecker and Geary Sikich, Principal at Logical Management Systems, Corp. put your mind at ease and dissect cyber security and intrusion detection systems that are utilized by the Energy Sector.

This is Part 2 in the four-part series on Energy Sector Cyber Insecurity.

Lee Neubecker (LN): Hi, I’m back on the show again with Geary Sikich, thanks for coming back on the show.

Geary Sikich (GS): Thanks for having me back Lee.

LN: So we’re continuing our series discussing about global cyber insecurity as it relates to energy sector. In the second part of the series we’re talking more about detection of compromise. Um Geary, what’re your thoughts in this area?

GS: I believe that there’s a lot to be looked at in terms of the detection aspect, and this is one of the areas where you from a forensic standpoint, provide sort of a critical juncture, what’re you seeing that the general person, and even the general employee of the utility, might not be seeing? And might not be aware of?

LN: Well we know from reports by Dragos Cyber Security firm, that there’s a number of groups, I think around 11 groups are specifically targeting the energy sector. This report just came out this month, so there is a heightened attack readiness requirement to defend against these attacks. And the key thing that organizations need to be doing is they need to know that they have their firewall actively logging, and they need to be looking at those logs.

GS: Those are all state sponsored groups, right?

LN: Well, we don’t know exactly who they are, there could be terrorist cells, the Dragos report doesn’t give attribution as to the entities behind them. They describe the types of attacks, and the character of the attack methods, but there is a number of them that you can check out, there’s a link that will take you to their report if you’re interested in reading it. But you know, often times organizations fall compromised, and they don’t know it, and these things go on for a long time. There was a credit reporting agency attacked recently, for instance.

GS: So from a detection standpoint, the challenge that industries are faced with, cause our focus is going to be on the energy industry, so we’ll get energy industry. In general, the challenge that they face then, is that it’s not just what we perceive could be state sponsored hacking of their systems, it could be individuals, it could be terrorist cells, it could be pretty much anyone with a desire to infiltrate a system whether it’s to do harm, or whether it’s just to see if they can do it

LN: Exactly. The barrier to entry to launching one of these attacks is much lower. It requires knowledge, but the knowledge could be in the head of a teenager, that got rejected at school and wants to take the power out in his town. So that’s a legitimate problem. Now related to detection, I mentioned the firewall logs, there’s a great product out there called, Canary. Have you heard of it?

GS: No, it’s new to me.

LN: Essentially, it’s a company they tell these little devices, you deploy in your network, and they can pretend to be a payroll mass, health care information system storage database, or you can make it be whatever you want. But it’s essentially trying to lure an attacker. So if someone’s in your network, there going to scan your network to look for resources and it will detect people trying to brute force that item. So these items are a great way to have another way of knowing are you compromised. If organizations that had recently been publicly compromised, that didn’t know it for many years had some of these devices in place, they would probably know pretty quickly, like within a day or so, of someone getting through their firewall.

GS: So the challenge then I guess, from a detection standpoint, and the way we’ve seen it, and in discussions with organizations that I’ve worked with. Is that it’s not a single point of penetration that we have to worry about, it’s become multiple points of penetration, and multiple points that are not necessarily hard wired into the operating system. So utilities in a lot of respects have gone out to do with their status systems, monitoring your water usage, or electric usage, all remotely, and you periodically might see a utility vehicle drive by, and they may have a cellular type phone system, that goes by and scans your homes to see what your energy usage is. So those all become a factor. We get into detection in terms of things, we’ve mentioned today shipping is a big issue, and we mentioned with the current situation with Iran, the concern over the Strait of Hormuz, but shipping in general, navigation systems, have been targeted, not only by state actors, but by other groups. So you have navigation systems which is not just water born shipping. Think of where navigation systems are today. Look into your pocket and see your cell phone.

LN: Well we had the recent issue with the Boeing Max airplane, it turned out the sensors were damaged. Well these sensors they’re called MEMS sensors, they’re a combination of electro-mechanical sensors, and if the chip is hit at the frequency that matches the natural frequency of the component board, it can actually cause the chip to malfunction and report erroneous readings temporarily. Or if the frequency matches and it’s of a great enough amplitude it can actually damage the chip. And there hasn’t been much discussions about whether these chips were cyber-attacked but it’s very possible, if you look up University of Michigan, they have research on MEMS chip sensors and interestingly enough, the patent for these sensors was a Boeing patent. So there’s not a lot of talk about that and I think more likely if the chips were damaged, it’s more likely they were damaged while they were on the ground interestingly enough, the two crashes that occurred were in countries that had a lot of terrorist activity.

GS: I think the other aspect with detection is that when you begin to bring out a point like that, people have a tendency to assume durability of systems when systems can be very sensitive to, if you will, shocks, minor shocks to the system. So it’s not necessarily the physical attack, you could take the example recently Puerto Rico has had an earthquake. What damages were incurred by the, on their systems as a result? That are undetected yet. The sensitivity of systems I think has become really critical in a lot of these aspects.

LN: But like with these chips we’re blending mechanical with computer embedded processors. So like these chips think of an opera singer, that sings the natural frequency of a wine glass. If he sings it loud enough, that glass will shatter. It’s the same concept with this chip. You can fire sound at it, if you’re close enough, or if you have a strong enough amplifier, you could fry it. Now that could happen, a drone could potentially launch a sonic attack, someone onboard, a passenger could do it, cleaning crew coming through could do it. So these are some questions that it’s kind of a new paradigm but we even had issues with military aircraft having this uptick in crashes, and these same types of systems are in the newer military helicopters and planes and whatnot. So I think it was good that the military grounded some of these devices that were having these problems, And you know the investigation, I’m sure, continues and the public may not fully be briefed on this, but it is a threat that needs to be detected before people die.

GS: So the real issue with the situation that we’re in, with this kind of global insecurity if you will, is our ability to detect has been I’ll put it in these terms, if our ability to detect has been compromised by virtue of the disruptive technologies that exist that are making detections more and more of a challenge, because they’re becoming more and more subtle in how they entered in the system. So I can have a system that looks like it’s working perfectly, and yet at a point be compromised like the mechanical system that’s supposed to open a valve, and it’s been doing it for a long time, and then suddenly it either leaves it open, or completely shuts it.

LN: This is where it’s important that these entities have an accurate inventory of what their equipment is, and they also have an accurate inventory of the embedded systems and what that software code should look like. And they should have procedures in place to periodically verify that the embedded firmware chips that do these functions haven’t been altered. Otherwise they won’t even know, and something could happen at a very critical time. So that wraps up our section on detection. In our next segment will be talking about helping to protect against these types of attacks.

GS: Great.

Watch the other segments on Cyber Insecurity in the Energy Sector

Part one of our four-part series on Energy Sector Cyber Insecurity

Learn more about cyber security and data breach from Enigma Forensics.

Check out the government’s directives on cybersecurity as it relates to energy infrastructure.

https://www.energy.gov/ceser/activities/cybersecurity-critical-energy-infrastructure

Check out what ComEd is doing.

https://www.comed.com/SiteCollectionDocuments/SmartEnergy/SmartGridAndDataSecurity.pdf

Energy Sector: Global Cyber Insecurity

Global Energy Sector Cyber Insecurity can lead to complete chaos that will be felt throughout the world. Neubecker and Geary Sikich who are experts in cyber security and incident response share their solutions.

Energy Sector: Global Cyber Insecurity can lead to global calamity. If a major attack happens there would be a cascading effect with catastrophic results. In lieu of the most recent Iranian conflicts, the Energy Sector, as well as Corporate America, has been warned by our government to be aware of imminent security threats. Enigma Forensics CEO & President, Lee Neubecker and Geary Sikich, Principal at Logical Management Systems, Corp. take apart the many threats that will affect the Global Energy Sector. Starting with SCADA, which is a computer system for gathering and analyzing real-time data. Cyber Insecurity means if hacked the SCADA systems would have a rippling effect.

In this four-part series, Lee and Geary will discuss cyber threat detection, protection and global incident response in the Global Energy Sector.

The video transcript for Energy Sector: Global Cyber Insecurity follows.

Lee Neubecker (LN): Hi, I’m here again with Geary Sikich on my show. Geary is the president of Logical Management Systems, a business consulting and risk advisory firm. Geary, thanks for being on the show again.

Geary Sikich (GS): Thanks for having me back, Lee.

LN: So today we’re going to talk about the current state of global cyber insecurity. News events have been published detailing Iran’s potential cyber response. The energy sector has been put on notice to be looking out for attacks, as well as corporate America. So Geary, what is the current state of cyber risk as you see it?

GS: I think it’s kind of appropriate to begin to look at it as you introduce it, global insecurity. One has to begin to look at how secure are you? And in the context of how secure are you, how secure is our infrastructure. All the things we depend on for our day to day lives. And how we live, literally. So everything from your food on the table to the heat, to clean water, to your heat in your home, et cetera, all become potentially

LN: Transportation, travel, and fulfillment.

GS: Road systems, everything that’s out there.

LN: So we’re going to be talking about the highest areas of concern where a rogue terrorist organization might want to strike or a nation state that we’re at odds with. And unfortunately, we have quite a few. Later on in the second, third, and fourth segment we’ll be talking about detecting threats. In the third segment, we’ll be talking about protection against that, things that can be done proactively. And then finally, in the fourth and last segment we’ll be talking about responding to compromises, incident response, and how to recover and get back up online. So Geary, can you give everyone an understanding of what encompasses SCADA devices and what SCADA means?

GS: SCADA systems were developed for the use to control operations and utilities and other areas. It’s called the Supervisory Control and Data Acquisition.

LN: So what kind of devices make up SCADA devices?

GS: Everything from the control of pipelines, utility, electricity functions, all the way onto healthcare, pacemakers and other types of systems.

LN: CPAPs. So these are critical systems. These are systems that if someone wanted to cyber attack and really hurt us, they’re natural targets. And they’re classified as such because they have to be regulated and handled in a way to help keep them safe.

GS: Yeah. And the problem we face is not that these are systems that are so vulnerable, the problem we face is that because of the technology that we’ve embraced over the years since 1999, so that’s what, almost 20 years now. Or it is 20 years now. That those systems have become so embedded that we have gotten rid of the manual systems that they replaced. So things like switching for railroads. You would be hard pressed to find manual switches available to the industry. Because they got rid of ’em, and they were scrapped, and they’re gone. No once produces them, or should I say, they’re produced in limited quantities. And they’re hard to get. The things we depend on in a lot of respects for the smooth running of our infrastructure become very critical to us because there are no alternatives for those systems. And as a result, we become more and more vulnerable to a infiltration of the systems for disruption.

LN: And then we also have what’s known as FPGA’s, Field Programmable Gateway Arrays. They’re microprocessor controllers that can be programmed that can actually be altered by an attacker to change how these systems function, the logic that works. We can only think of, what would happen, Geary, if a nation state that we’re in a conflict with, what would happen if the water filtration system sensors were altered to put water out that appears safe but isn’t?

GS: I think you see a lot of that today simply because the threat levels are such that we have to make sure these systems are so well protected. And unfortunately, the ability to protect the systems is not necessarily as good as it should be, let me put it that way. It’s not that they’re bad, it’s not that they’re behind the times, it’s just that they’re trying to keep up with things that are changing so rapidly. Technology disruptions, and disruptive technologies today have made a lot of systems sort of antiquated before their time. And the problem is that, to keep up with replacement, to keep up with the viability systems becomes another burden to the system. Another critical issue in this global insecurity aspect is look at the talent pool that’s out there in the workforces, and you start to begin to realize that there are very few people that are talented in the areas where we need them. I think in our last segment that we did I mentioned that in the energy industry, nuclear engineers, petrochemical engineers, desperately needed areas because their workforce is transitioning and the skill levels are not there. So that becomes a real challenge.

LN: Just the past, in this month alone, cybersecurity firm Dragos issued a report showing that there is a number, I think around 11 groups that are actively targeting the energy sector and trying to take out various providers of energy. Oil, gas, you know, nuclear. There’s other threats there. You know, locally here in Chicago, you’re in Indiana, we’re in Illinois, what part of the energy sector to you think is at greatest risk?

GS: Well, I think the interesting point with that is that the bigger players, Commonwealth Edison, NIPSCO, Northern Indiana Public Service, are doing their part to ensure that their infrastructure is well maintained and protected. The problem we run into is that they’re not the only utility providers. If you look at across the United States, there are so many smaller utility providers, co ops, small utility companies, that don’t necessarily have the resources

LN: They don’t have the scale.

GS: Yeah, the skills. And the problem that they encounter and we encounter as a result is that they are critical links in the grid system. So everything from water, gas, electric, telecommunications, et cetera, all dependent on a lot of these small players. And getting one to go could potentially offer cascade effects to all the others. And as it cascades, things can get even more disruptive.

LN: So you could actually take down the big electrical utility by getting enough of the small, vulnerable electrical co ops and launching a cyber attack on the electrical co ops to then take out the big giant. Because when these happens, you have power imbalance. And Kirchhoff’s Law dictates the flow of electricity, and it will flow where it’s weak, and the current flows, well that can cause line tripping and power outages.

GS: Yeah. And I think the thing that people have to realize is that the apparently most vulnerable things are not necessarily the ones that are the most visible. And I say that in this respect, we look at power plants, we look at nuclear plants, and there’s a fear of someone attacking the plant. In reality, it’s the part of the system that are not related, or that are related, linked to the power plant, but not directly.

LN: It’s an interconnected system.

GS: It’s the transformers

LN: Everything from endpoint demand to supply. And in our prior video we talked about manipulation of endpoint demand that could cause a cyber attack.

GS: And it’s the step up and step down systems. When you generate it, electricity’s stepped up, it goes over transmission lines, it goes to a point, it’s stepped down and then it goes in the user groups, the residential, your cities, your smaller industries. So you start seeing these as being potentially vulnerable in a respect. In terms of vulnerability is that we have to begin to look at the users and begin to differentiate which ones are what we call interruptible and which ones aren’t.

LN: So in our next segment, we’ll be talking about detection of these threats, and then finally after that, the third segment we’ll talk about protecting and what organizations should do such as electrical co ops, things they can do to get ahead of this. And then when things invariably do go wrong, finally we’ll talk about incident response. So tune in next time, and please, we appreciate your shares, likes. Sign up for my YouTube channel if you liked this and you’ll get alerted when we publish the next one. Thank you.

Learn more about Global Cyber Security from Enigma Forensics

More on Global Security …

Here is the bulletin issued by the Department of Homeland Security on Global Security

https://www.dhs.gov/national-terrorism-advisory-system

Check out this article warning about Iranian Cyberattacks

https://fortune.com/2020/01/16/iran-cyberattack-false-flag-russia/