Western Interconnection Power Grid APT Attack and Defense In-Depth

Introduction

The Western Interconnection Power Grid is a prime target for malicious nation states for several reasons, which is most likely why an APT cyberattack is currently aimed at the power grid. Because an APT is a calculated and stealthy attack that typically results in at-will remote access for the attackers, a successful APT attack on a major power grid interconnection organization would give a nation-state or terrorist organization that is planning an attack on the United States and/or the entire eastern seaboard of North America a first-strike capability. Another reason an APT attack would be aimed at the Western Interconnection Power Grid is that control over the power grid would offer a terrorist group the ability to shut down power in specific locations, such as airports, with the potential for causing a disaster not unlike the events that took place on September 11, 2001. For this reason it is essential that the Western Interconnection Power Grid management and IT staff understand how an APT works and how the organization can improve its cybersecurity readiness through a defense in-depth strategy that protects the grid from APT attacks.

Cyber Kill Chain ICS Vulnerabilities

The Cyber Kill Chain model was first introduced by Lockheed Martin as a template that conveys an understanding of exactly how attacks like APT are conducted, so that they can be properly defended against. Knowing how an attack is conducted will enable the Western Interconnection Power Grid IT management and administration team to proactively configure networks within the grid to both detect and thwart APT attacks.

Reconnaissance

The first step in the Cyber Kill Chain sequence, which is also the first step in an APT attack, is to assess the target and find potential weaknesses that can be exploited as part of an overall plan. Typically reconnaissance efforts involve the use of several tools, including port scanners such as Nmap (Nmap, 2017) that can identify services running on all accessible systems within the target network, read service type and version information, read operating system type and version information, and even scan and map networks through firewalls if the firewall is not configured to block incomplete or fragmented TCP conversations. Other reconnaissance techniques include the use of Google to search for system information, IP addresses, and even company information that may reveal configurations that can be used in the next phase of the attack. The Shodan search engine (Shodan, 2017) is another tool that in some ways is even more effective, because it is designed specifically to catalog systems connected to the Internet and to display each system's configuration in the search results. ICS systems in particular were, until recently, developed without cybersecurity in mind, so services such as SNMPv1, telnet, and HTTP, and protocols such as BACnet, all of which send information in clear text, unencrypted, are prime targets for APT attacks and will be a focus of the reconnaissance phase against the Western Interconnection Power Grid networks.

Weaponization

The Weaponization phase processes the information gleaned from the Reconnaissance phase by identifying the items in which vulnerabilities exist. For example, the service information and operating system information gathered through Nmap (Nmap, 2017) and vulnerability scanners such as Tenable Nessus (Tenable, 2017) can be searched in vulnerability databases such as the Mitre CVE database (Mitre, 2017) and the U.S. Federal Government NVD database (NVD, 2017) for any vulnerabilities that may exist for each service type and version. Once the vulnerabilities are identified they can be used in the next phase of the Cyber Kill Chain for exploitation.

Other information gained during the Reconnaissance phase that may be useful during Weaponization includes the identification of vulnerabilities that vendors are not aware of and for which no security patches currently exist. This type of vulnerability is called a “zero day” vulnerability, and networks such as the Western Interconnection Power Grid can only defend against such unknown weaknesses with a well-structured information security program that includes a framework built around a layered, defense in-depth strategy.

Exploitation

Once the Weaponization phase is completed, the Exploitation phase starts by designing and developing tools intended to install and exploit the vulnerabilities identified during the Weaponization phase. For example, if an analysis of information gleaned during the Reconnaissance phase identifies a firewall vulnerability in which ICMP Type 13 (Timestamp) packets are allowed to traverse the firewall from the public network, the APT attack group may develop a remote access service program payload that is delivered to a group of Western Interconnection Power Grid administrators via a phishing attack and installs on a workstation once one of the recipients clicks on a link within the phishing email. Once installed, a service such as this could use ICMP Type 13 packets as a covert channel for both communication and remote access through the company's firewall.

Command & Control

The Command and Control phase of an APT attack is focused on using the tools developed or identified and installed in the target network during the Exploitation phase to expand control over the target network. Once the APT attack group has remote access to the Western Interconnection Power Grid, they will use remote access through covert channels to also access systems within the network that are their main focus. In this case the APT attack group may install keystroke loggers on the remote access system to capture the authentication credentials of administrators as they access ICS systems. Once the credentials are captured, the APT group can access and compromise targeted ICS systems.

The APT attackers may also use the remote access systems to scan the network for a more thorough understanding and map of the network, or install a network sniffer such as Wireshark (Wireshark, 2017) that can be used to capture more authentication credentials and vulnerability information, and identify additional vulnerabilities that could not be discovered from outside the target network. This is an example of a situation in which certain phases in the Cyber Kill Chain may be used again during the course of an attack as the attackers gain even greater control over the victim network.

The following is an example diagram of a possible APT attack path and remote access covert channel that may take place once each phase of the Cyber Kill Chain is exercised:


Actions

During the Action phase of the Cyber Kill Chain process, the APT attack group will continue to expand control over the Western Interconnection Power Grid network while maintaining an undetected posture. They will continue to repeat the Cyber Kill Chain process in order to identify additional vulnerabilities in power grid systems from inside the power grid network, develop additional tools for exploitation of the vulnerabilities found, expand remote access and control, and repeat the process. The APT group will maintain their remote access and control for as long as necessary to achieve their goals, which most likely include gathering as much information about the grid as possible and the ability to shut down part or all of the grid for either terror attack or political power play purposes when required.

Countermeasures – Defense In-depth

The defense in-depth approach that originated from NIST recommendations is based upon the perspective that no single form of cybersecurity defense will thwart cyberattacks 100% of the time (OWASP, 2015). Hence, by planning and implementing multiple cybersecurity countermeasures in a layered approach, in combination these countermeasure layers will serve to slow down, stop and/or facilitate detection of an attack before attackers can complete their objectives, be it to damage, steal or otherwise alter information systems for malicious intent. Three areas that should be addressed in a defense in-depth strategy are the people, technologies, and operations that serve as the foundation for the organization.

People

The people that work within an organization are often the organization's number one cybersecurity weakness, due to a focus on the information technology itself rather than on the people that use the technology. APT attackers are aware of this fact and often employ social engineering tactics such as phishing to bypass technological defenses by “tricking” someone internal to the company into installing malware that provides the APT attackers with remote access to systems within the organization. A combination of training and countermeasures can greatly decrease the possibility that cyberattacks focused on the organization's employees will be successful.

Cybersecurity training arms the organization's employees with the knowledge they need to tell the difference between legitimate communications and activities on the company network and an actual cyberattack. A cybersecurity training program for the Western Interconnection Power Grid must require that each employee attend a cybersecurity training course at least annually, with mandatory attendance at annual cybersecurity training updates as well. In addition, new employees must be required to attend cybersecurity training as part of the on-boarding process. The cybersecurity training should include education in how to recognize cyberattacks, common signs of an attack, how every employee should respond to an attack, and the internal contact personnel and protocol for alerting the organization to a possible attack should one be discovered. Training on how to recognize social engineering attacks, phishing and spear phishing attacks, recognizing and responding to cross-site scripting attacks, and the ways malware infections occur and how to prevent them must all be included in the employee training, which will greatly reduce the potential for personnel to serve as a viable APT attack vector.

Countermeasures the organization can employ to protect against insider collusion with APT attackers include job rotation and separation of duties, both of which must be implemented within the Western Interconnection Power Grid organization. Job rotation is an essential and effective countermeasure against cybersecurity attacks by employees. It works by identifying the roles within the organization that handle highly sensitive information and/or interact with critical systems or with systems that process and store highly sensitive information, and then, as a matter of policy, requiring personnel that serve in those roles to periodically switch duties and/or roles with other employees in the company that are qualified to perform the same tasks. Job rotation decreases the opportunity for insider attacks by requiring collusion by multiple employees in order to perform an attack against the organization without detection. Separation of duties is a technique applied to the same critical roles as those to which job rotation applies; it involves dividing up and assigning tasks to multiple employees such that responsibilities cannot be completed without the cooperation of multiple individuals (similar to job rotation). By implementing both job rotation and separation of duties, the Western Interconnection Power Grid organization will ensure that insider compromise of information systems by critical roles within the company cannot occur unless multiple individuals are involved.

Technology

Layers of countermeasures for each attack vector used for APT attacks will help ensure that performing an attack is extremely difficult while also increasing the chances that attacks will be detected by administrators and blocked before systems are compromised and an information security incident occurs.

Firewalls and the routers in front of them most often serve as the first defense against malicious traffic entering the organization through a public network ingress/egress interface. All Internet facing routers should be equipped with firewall services that include access control lists or ACLs that allow forwarding of only traffic that is absolutely necessary for company operations. Firewalls should be equipped with deep packet inspection features that detect malicious payloads as well as suspect packet types and block them from entering the company's private network. Firewalls must also be configured to block all traffic except that which is necessary for business operations, such as blocking ICMP and other protocols that should never traverse the firewall, greatly decreasing the opportunity for a successful attack and/or establishment of covert channels for unauthorized remote access.
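The difference between a permissive perimeter ACL and the "deny everything not required" ACL described above can be made concrete with a small first-match rule evaluator. This is an added example, not a configuration from the paper or from any vendor; the rule format, the two rulesets and the packets are constructed for illustration, and the only service assumed to be required is HTTPS.

```python
"""First-match ACL evaluation: a permissive ruleset beside the default-deny
ruleset the defense in-depth strategy calls for (constructed illustration)."""

# A rule is (action, protocol, match): match is a destination port for TCP/UDP,
# an ICMP type for ICMP, or None meaning "any". Rules are evaluated top to bottom.
PERMISSIVE_ACL = [
    ("permit", "ICMP", None),   # weak: every ICMP type, Timestamp (13/14) included
    ("permit", "TCP", 443),
    ("permit", "TCP", 23),      # weak: clear-text telnet towards ICS hosts
    ("deny", "ANY", None),
]

HARDENED_ACL = [
    ("permit", "TCP", 443),     # only the traffic operations actually require
    ("deny", "ANY", None),      # explicit default deny: ICMP, telnet, etc. never forwarded
]

def evaluate(acl, packet):
    """Return (action, rule_index) for the first rule that matches the packet."""
    proto = packet["proto"]
    key = packet.get("dport") if proto in ("TCP", "UDP") else packet.get("icmp_type")
    for i, (action, rproto, match) in enumerate(acl):
        if rproto not in ("ANY", proto):
            continue
        if match is None or match == key:
            return action, i
    return "deny", -1   # implicit deny when no rule matches

def audit(acl):
    """Flag permits broader than the policy allows and a missing default deny."""
    findings = []
    for i, (action, proto, match) in enumerate(acl):
        if action != "permit":
            continue
        if match is None:
            findings.append((i, f"blanket permit for {proto}"))
        elif proto == "TCP" and match == 23:
            findings.append((i, "telnet permitted"))
    if acl[-1] != ("deny", "ANY", None):
        findings.append((len(acl) - 1, "no explicit default deny"))
    return findings

# Constructed packets: an ICMP Timestamp request (the covert channel from the
# Exploitation section) and a legitimate HTTPS connection.
TIMESTAMP_REQ = {"proto": "ICMP", "icmp_type": 13}
HTTPS = {"proto": "TCP", "dport": 443}
```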

IPS/IDS systems must be deployed at every ingress/egress interface to public, wireless, and critical network sections, with both anomaly-based and signature-based detection enabled, so that known attacks are immediately detected and new attacks are recognized as anomalies. Detected attacks are then either blocked through pre-programmed IPS actions, such as stopping the malicious traffic from traversing the internal network through ACLs, or reported by alerting system administrators when an attack is detected.
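The signature and anomaly detection described here, applied to the ICMP Type 13 covert channel from the Exploitation section, can be run over perimeter firewall logs. This is an added example and not part of the paper; the log lines are a constructed, iptables-like sample, and the payload-size and repetition thresholds are assumptions.

```python
"""Flag ICMP Timestamp (Type 13/14) traffic crossing the perimeter: a signature
hit for every such packet, plus two anomaly checks (oversized packets and
repeated exchanges between one host pair). Constructed sample data."""
import re
from collections import defaultdict

# Constructed firewall log lines, not real traffic. LEN is the IP total length.
SAMPLE_LOG = """\
IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.10.5.21 PROTO=ICMP TYPE=8 CODE=0 LEN=84
IN=eth1 OUT=eth0 SRC=10.10.5.21 DST=203.0.113.7 PROTO=ICMP TYPE=13 CODE=0 LEN=40
IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.10.5.21 PROTO=ICMP TYPE=14 CODE=0 LEN=40
IN=eth1 OUT=eth0 SRC=10.10.5.21 DST=203.0.113.7 PROTO=ICMP TYPE=13 CODE=0 LEN=512
IN=eth1 OUT=eth0 SRC=10.10.5.21 DST=203.0.113.7 PROTO=ICMP TYPE=13 CODE=0 LEN=512
IN=eth1 OUT=eth0 SRC=10.10.5.22 DST=198.51.100.9 PROTO=TCP SPT=51234 DPT=443 LEN=60
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+)(?: TYPE=(\d+))?.*?LEN=(\d+)")
TIMESTAMP_TYPES = {13, 14}
MAX_TIMESTAMP_LEN = 40   # 20-byte IP header + 20-byte ICMP Timestamp message
MAX_PER_PAIR = 2         # more exchanges than this per host pair is treated as beaconing

def parse(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto, itype, length = m.groups()
    return {"src": src, "dst": dst, "proto": proto,
            "type": int(itype) if itype else None, "len": int(length)}

def detect(log_text):
    """Return a list of (kind, src, dst, detail) alerts for the given log text."""
    alerts = []
    pair_counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["proto"] != "ICMP" or rec["type"] not in TIMESTAMP_TYPES:
            continue
        # Signature: Timestamp messages have no business crossing the perimeter.
        alerts.append(("signature", rec["src"], rec["dst"], rec["type"]))
        # Anomaly 1: a Timestamp message larger than its fixed size carries extra data.
        if rec["len"] > MAX_TIMESTAMP_LEN:
            alerts.append(("oversize", rec["src"], rec["dst"], rec["len"]))
        pair_counts[(rec["src"], rec["dst"])] += 1
    # Anomaly 2: repeated exchanges between one pair look like a command channel.
    for (src, dst), n in pair_counts.items():
        if n > MAX_PER_PAIR:
            alerts.append(("beacon", src, dst, n))
    return alerts
```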

Every workstation and server must be equipped with anti-malware software that is centrally managed and updated to ensure that the most current anti-malware definitions are installed on all systems at all times. Similarly, all system security updates and patches (including ICS and SCADA systems) must be centrally managed and update installation verified automatically so that security patches for all known vulnerabilities are immediately remediated and patch installation verified for all systems connected to the power grid network.

All non-essential services on all systems must be disabled, including on ICS and SCADA systems, which will substantially decrease the attack surface inside the company to only the network services that are essential for operations. In addition, all systems must be scanned for vulnerabilities using a highly capable enterprise-level scanner such as the Tenable Nessus scanner (Tenable, 2017) to ensure that both known and potential vulnerabilities are detected and remediated before they can be exploited by attackers.

Operations

Along with the vulnerability scanning and update management mentioned above (which overlaps into operations as well) the company must pay close attention to how access control is implemented within the organization. Typical system and network authentication involves the use of username/account and password prior to granting authorization. However, passwords and account names can be stolen through the enumeration process, network sniffing attacks and even by “dumpster diving” (a type of social engineering attack in which the attackers sift through company refuse in order to find valuable information such as authentication credentials and financial information which is often inadvertently thrown away). To prevent attacks against username/password authentication, the company must implement and enforce authentication policies that include mandatory password complexity, mandatory password change every 60 to 90 days, and strong multi-factor authentication.

Password complexity ensures that passwords cannot be easily guessed or broken using brute force password techniques. Password lists that include common dictionary words and passwords used to increase the speed of brute force password cracking software such as John the Ripper can be easily downloaded from Internet hacking sites. Increasing the complexity of passwords by requiring passwords to meet complexity rules such as being 14 characters in length, and having at least one special character, upper case letter, lower case letter, and a number, will greatly decrease the chances that a brute force password cracking attack will be successful.

Similarly, mandatory password change every 60 to 90 days decreases the chances that a brute force password cracking attack will be successful because in the time it takes to gather the information necessary to mount the attack, the password will change rendering all work performed to mount the attack useless.

Strong multi-factor authentication requires that authentication include something a person knows (usually a username and password), something a person has (such as a smart card or magnetic strip card), and/or something a person is (a biometric token such as a fingerprint, palm print or retina scan). Strong multi-factor authentication is effective because it requires an attacker to have two pieces of information in different forms before they can gain unauthorized access. Using strong multi-factor authentication ensures that a stolen password or smart card on its own does not give an attacker immediate system access.

Conclusion

An APT attack such as the one mounted against the Western Interconnection Power Grid must be addressed before the attackers gain a solid remote access foothold inside the power grid network. Planning a cybersecurity program strategy around the Cyber Kill Chain model ensures that the organization addresses vulnerabilities at each stage of an APT attack and deploys the countermeasures necessary to ensure that APT attacks are detected and blocked from penetrating power grid systems. Then, through best-practice defense in-depth countermeasure planning and deployment, the organization can protect proactively as well as defensively against both current and future attacks, which are only increasing in this age of cyberwarfare.