6 February 2018

Pay Attention to Probing, Persistent Attacks Against Critical Infrastructure

FEBRUARY 4, 2018 | SUZANNE KELLY

During times when the country expresses passionate opinions over the politics of the day, I wonder what U.S. adversaries focus on.
One thing always in the back of my mind, as a former intelligence correspondent and now publisher of a national-security focused website, is the U.S. power grid.
U.S. critical infrastructure systems have been under persistent attack for years. They are the components of our infrastructure that are vital to the way we live: the power grid, the financial system, transportation, medical, industrial manufacturing and election systems. A range of adversaries, most often led by nation-states, never takes time to stop for U.S. political debate. And there is a lot of evidence that their capabilities are increasing.

A series of attacks on American banks and energy companies in the Persian Gulf from 2011 to 2013 slowed the websites of companies like Bank of America, JP Morgan, Sun Trust Banks and Capital One.
In 2013, hackers used a cellular modem to gain access to a New York dam. They probed the system, but didn’t do anything, which led some experts to believe it may have been a test run.
And of course, there was the 2016 hack targeting the computer systems of the Democratic National Committee and attacks that probed some voting equipment. A unanimous IC finding attributed the attacks to Russia.

Last fall, on the day that the headlines were filled with President Donald Trump’s order to end the DACA program, security firm Symantec identified a string of attacks against energy companies in the U.S. and Europe. It would have been a story worth focusing on. The attacks were more advanced than previous efforts, with the intruders gaining access to power grid operation centers, giving them the ability to ‘flip the switch’ if they wanted to introduce a series of blackouts, according to experts.

The threat against the grid is a particularly difficult one to address, in part because the U.S. electric system is like a patchwork quilt of pieced-together components, each of which is owned and operated primarily by private sector entities.

So the government, best positioned to see the threats, and a private sector, (not always with the security clearance to be briefed on them), work together via an entity known as the Electricity Subsector Coordinating Council – the public-private sector body charged with protecting the country’s critical infrastructure from both physical and cyber threats.

Thomas Fanning, the Chairman and CEO of Southern Company, is one of the chairs of that committee. I sat down with him a few months ago to talk about just how real the daily threat is against the electric grid.

“This industry gets attacked millions and millions and millions of times, all day,” said Fanning, whose company provides power to more than 9 million customers in 19 states.

Fanning has a unique vantage point from which to view the broader infrastructure vulnerability. He is also the chair of the Federal Reserve Bank of Atlanta and holds a government security clearance, uniquely qualifying him as an experienced voice at the table when it comes to understanding both the private and public sector problem sets.

“I think the reason I kind of grew into that role, [is] I think I am the only CEO in our industry that has been a CIO,” Fanning explained to me from his high-rise office in downtown Atlanta. “Now, many days I thought that stood for ‘Career Is Over.’ That’s a hard job. But at least I had some sense of appreciation as to the issue.”

When Southern Company comes under attack, and it does often according to Fanning, it cannot defend itself by itself. With some 87 percent of the critical infrastructure in this country now owned by the private sector, companies like Southern need the ability to influence in a significant way, not only what goes on in the administration, but also in Congress.

“The grid is more resilient than people give it credit for,” he adds. “For most of outcomes, I would say the grid is very resilient. The likelihood of a widespread blackout – in other words, taking America’s grid down – as an existential threat for a long period of time, is so unlikely. Now, is it impossible? No. But it is way unlikely.”

Not unlikely because of a lack of ability on behalf of attackers, but more because the motivation isn’t necessarily there. Fanning won’t talk specifics about what he sees or what he learns about the adversary, making it hard for the general headline-reading public to truly understand the depth of the threat.

“This is one of those weird circumstances where we know that the threat is all over us all the time, and probably, the less you say about it, the better,” warns Fanning. “Except to say we that we’ve got a plan and we are doing this. But I don’t want to reveal even the oversight that I have of the battlefield. I don’t want to let the bad guys know how I evaluate their actions.”

Fanning, a self-professed movie buff, likens a lot of the behaviors he sees to Hollywood movies. One of his favorites is James Bond.

“The bad guys will work for Russia or Iran or China or North Korea, and by night, they go off in the dark web and collaborate with each other. And, what you see in that regard is a lot of criminal activity. Now, it’s hard to say- this notion of attribution is one of the hardest notions in this whole realm: ‘Is this Russia? Or is this Spectre?’”

Fanning’s government counterpart on the ESCC is Rob Joyce, the White House’s Cyber Security Coordinator and himself, one of the country’s most gifted hackers. Joyce hailed from the National Security Agency’s elite hacking unit known as Tailored Access Operations. Today, he’s in charge of a host of cyber threats facing the U.S. and he told me when we sat down last year that if there was one thing he could solve for during his tenure, it would be critical infrastructure.

“I would like to have confidence that our critical infrastructure can’t be held at risk by foreign adversaries.” Joyce said from the Executive Office Building next to the White House, where he had just left a meeting of the ESCC.

“We have got to have a close partnership where their expertise. They are practiced and ready to be resilient in the face of both cyber threats and natural disasters,” he said.

“And then, we on the government side have to be able to bring our capabilities to addressing the threats they are facing – that we will know things as the government, that we will inform them on the threat. We have got to help them through the process,” Joyce said.

But sharing information has never been an easy thing for the U.S. Government.

“There are a number of efforts that are improving that front,” Joyce told me. “One of the best things is the sector sharing inside companies and between companies, because the chances are that when a threat hits one, it is going to be targeted against multiple.”

So the government has spent months working on ways to inject real-time data sharing.

“Frankly, one of the challenges we have had is the sensitive intel we gather is perishable,” said Joyce. “So you have to strike that balance between operationalizing and finding a way to use it and not ruining your ability to know those threats on a continuing basis.”

And the importance of timeliness can’t be understated, most obviously on nights like November 13, 2015, when terrorists used assault rifles and explosives in a string of six separate attacks across Paris, killing at least 130 people and injure hundreds more.

Fanning, in his ESCC role, invoked the operational protocol known as ‘Playbook’.

“The first level of Playbook is situational awareness. So, when Paris happened, we turned on Playbook,” said Fanning. “That means we notified the members of ESCC. We coordinated with the federal government. If this is part of a comprehensive attack on assets, obviously as critical as electricity is, we need to raise our level of awareness.”

According to Fanning, as that deadly night wore on into the next morning, the Department of Homeland Security turned its attention to all of the 16 segments of commerce in America.

“We all reported in as to what we were doing,” said Fanning. “And I remember at that time, we worried that there was a comprehensive attack going on. Was there going to be something similar in the United States? And what would be the ways they would try to blind us? So, when stuff like this happens, we absolutely go to DEFCON 1,” referring to the military’s definition of Defense Readiness Condition, with DEFCON 1 signaling maximum readiness, all forces ready for war.

Fanning, like a movie director, started imagining what would be possible, particularly with a combined cyber and physical threat, which is what he says he worries about the most.

“What if then there is an opposing force that will shoot people who are trying to restore power? And what if they can create some space in which they can create more mayhem?”

Like a scene from the television series Battlestar Galactica, which saw a complete destruction of futuristic battleships that were ‘connected’ to a cyber grid, the failsafe method that the energy industry turns to is to go completely non-digital – to separate the grid, and run it manually. That’s exactly what Ukraine had to do for months after a cyberattack in December 2015.

“We call this effort ‘MacGyver’, and you would be amazed at how people can talk to each other in non-conventional ways,” says Fanning. “The idea to be able to operate disconnected, being able to operate in a physical mode, we talk about that.”

In the meantime, Fanning wonders what the future threats will look like and what the next movie with regard to cyber threats will look like.

“Is it ‘Terminator” or “The Matrix”? “ he wonders. “The whole notion of “machine to machine”, one computer against another in microseconds, and machine to machine with artificial intelligence,” are the things that worry him the most.

“The way you defend a machine attack is not with a fixed defense, but some functional variable defense that has decision rules,” he said. “The adversary now uses artificial intelligence to figure out how you’re using decision rules to blunt their machine to machine attack, and then what you have to do is have artificial intelligence to stop their artificial intelligence. And so, who’s got the better artificial intelligence?

Another question to consider when I’ve had enough of the politics of the day.

No comments: