Ex-spy chief: Ukrainian cyberattack a warning sign for US utilities

Retired Gen. Michael Hayden, the former director of the National Security Agency and the CIA, says the US faces ‘darkening skies’ after malware linked power outages in Ukraine.

MIAMI — Former National Security Agency chief Gen. Michael Hayden warned that a recent malware attack on the Ukrainian power grid is yet another troubling sign that the US electric supply is vulnerable to hackers.

The Dec. 23 attack on utilities serving the Ivano-Frankivsk region of Ukraine appears to be the second confirmed incident of a computer-based attack to damage physical infrastructure. The attack led to blackouts throughout the region for several hours before power was restored. The Stuxnet worm that targeted the Iranian nuclear program is the only other such incident.

What happened in Ukraine is a harbinger for the kinds of cyberthreats the US faces, possibly from rival nations such as Russia and North Korea, the retired Air Force general told a crowd of critical infrastructure experts at the S4x16 security conference in Miami. General Hayden served as director of the NSA from 1999 to 2005 and served as CIA chief from 2006 to 2009.

“There a darkening sky,” he told reporters after his speech Tuesday, referring to the increasing threat of malware infections leading to physical damages. “This is another data point on an arc that we’ve long predicted,” he said, acknowledging that the Ukraine attack reinforces concerns in official circles about security of the American power grid. What’s more, he said, if early analysis of malware discovered at the Ukrainian facility that links it to Russia is accurate, the incident foreshadows a troubling uptick in the conflict between Ukraine and Russia over the disputed Crimea region.

The Department of Homeland Security has acknowledged that a version of the BlackEnergy program linked to the Ukraine attack has been discovered in US facilities. Hayden said that the link was troubling. “If they have a presence on the grid [with BlackEnergy] then they have already achieved what they need to carry out a destructive attack.”
Analysis of the malware recovered from the Ukrainian facility conducted by the security firm iSight Partners and SANS Institute revealed that a variant of BlackEnergy, dubbed “BlackEnergy3,” was present in the compromised utilities. However, security experts caution that it is premature to conclude that BlackEnergy was actually involved in the outages.

“It is possible but far too early in the technical analysis to state that,” wrote Michael Assante, who heads up industrial control system research for SANS. “Simply put, there is still evidence that has yet to be uncovered that may refute the minutia of the specific components of the malware portion of the attack.”

Hayden also remarked during his talk Friday on the general state of overall cybersecurity, calling on US lawmakers to pass legislation that will help bolster the nation’s digital defenses.

He also criticized of efforts by FBI Director James Comey, and others in the Obama administration, to weaken strong encryption on consumer devices to make it easier for law enforcement to conduct surveillance operations. “End-to-end encryption is good for America,” he said. “I know that it represents challenges for the FBI, but on balance it creates more security for Americans than the alternative – backdoors.”

Regarding the recent Office of Personnel Management hack – which US intelligence agencies and cybersecurity expert have blamed on China – Hayden said that as head of the NSA he would have absolutely stolen similar data from the Chinese government if given the opportunity. What’s more, he said, he wouldn’t have had to ask permission to carry out the operation.

“Fundamentally, the limiting factor now is a lack of legal and policy framework to do what we are capable of doing today,” Hayden said. “OPM isn’t a bad on China,” he said. “It’s a bad on us.”

What is vulnerable in the United States?

Project ‘Gridstrike’ Finds Substations To Hit For A US Power Grid Blackout

Turns out free and publicly available information can be used to determine the most critical electric substations in the US, which if attacked, could result in a nationwide blackout.

Remember that million-dollar Federal Energy Regulatory Commission (FERC) study in 2013 that found that attacks on just nine electric substations in the US could cause a blackout across the entire grid? Well, a group of researchers decided to see just what it would take for a small group of domestic terrorists to identify the US’s most critical substations — using only free and public sources of information.

While FERC relied on confidential and private information in its shocking report and spent a whopping $1 million in research, researchers at iSIGHT Partners used only so-called open-source intelligence, at a cost of just $15,000 total for 250 man-hours by their estimates. The Wall Street Journal, which obtained and first reported on the confidential FERC report, never publicly revealed the crucial substations ID’ed by FERC for obvious reasons, nor does iSIGHT plan to disclose publicly the ones it found.

Sean McBride, lead analyst for critical infrastructure at iSIGHT, says the goal of his team’s so-called “Gridstrike” project was to determine how a small local-grown terror group could sniff out the key substations to target if it were looking to cause a power blackout — either via physical means, a cyberattack, or a combination of the two. “How would an adversary go about striking at the grid?” McBride said in an interview with Dark Reading. He will speak publicly for the first time about the Gridstrike research next week at the S4x2016 ICS/SCADA conference in Miami.

The iSIGHT researchers drew from a combination of publicly available transmission substation information, maps, Google Earth, and grid congestion documentation, and drew correlations among the substations that serve the top ten cities in the US. They then were able to come up with 15 substations that serve as the backbone for much of the electric grid: knocking out those substations would result in a nationwide blackout, they say.

FERC’s report had concluded that the US could suffer a nationwide blackout if nine of the nation’s 55,000 electric transmission substations were shut down by attackers.

“We looked at maps and tried to … identify [power] generation facilities, and looked up both centers and what substations are in the middle that would make high-value targets,” for example, McBride says. “We tried to identify which substations have the highest number of transmission lines coming in and out,” as well, and weighed their significance.

The researchers shared the findings from Gridstrike with their customers as well as “organizations most interested from a defense perspective” to such attacks, says McBride, who declined to provide any further details on the specific organizations.

“We were extremely concerned about the amount of publicly available information” on the critical substations, McBride says. There were several documents available publicly that should not have been: in some cases, a sensitive document was sitting on an organization’s public website even though it specified that the report was not for public consumption.

The hope is that the findings will alert critical infrastructure and other organizations with ties to the power grid that understanding how an adversary thinks can help shore up defenses, McBride says. “They need to manage their recon exposure.”

What does all of this mean for the US power grid’s actual vulnerability to a physical or cyber-physical attack? McBride says the openly available intel is “reason for concern.” He says he worries more about the possibility of a regional, localized, grid attack targeting a city or area, than a nationwide attack.

As for the recent power blackout in the Ukraine that appears to have been due in part to a cyberattack, McBride says he’d be surprised if the attackers didn’t gather some of their reconnaissance via open source intelligence.