Please accept my apologies in advance if you were hoping to read about an actual technical vulnerability in critical infrastructure or the exploitation thereof. Today we discuss a plausible strategic cyb3r threat, and how one might go about hacking our critical infrastructure without going after the plant or the IT team(s) supporting the technologies in it (or at least not at first). Before we get started, we’ll define two terms, relevant to the scope of this article:
- Strategic cyb3r threat intelligence would be that which is timely (i.e. received before an attack), researched in depth, and provides context to a potential attack scenario
- Personally identifiable information (PII) would be a piece (or combination) of data that can uniquely identify an individual
Now, let’s take a minute to review a key point of a historical event, the OPM breach (you can brush up on it here http://www.nextgov.com/cybersecurity/2015/06/timeline-what-we-know-about-opm-breach/115603/). According to the information that has been released, attackers did not originally steal personally identifiable information (PII). What the attackers did make off with was even more critical: manuals, basically the “schematics” to the OPM IT infrastructure. [QUESTION: Are any of you logging access attempts (failed and successful) to your asset inventories, network diagrams, and application architecture documentation? If you are, is anyone reviewing the logs?] Many have forgotten that the first items stolen were manuals, thanks to the media news buzz about “identities stolen” blah blah blah, and chalked it up to just another breach of PII and millions of dollars wasted on identity theft protection. The attackers went after something that was considered by many to be a secondary or tertiary target, something that wasn’t “important”. However, it was a consolidated information resource with phenomenal value.
So, what does this have to do with hacking critical infrastructure? Well, aside from the option of leaving malicious USBs lying around, what if I could compromise MULTIPLE infrastructure companies at once? [dear LEOs I have no plans to do this, I’m just creating a hypothetical scenario and hoping it makes someone improve security]. How could I do this? Where could I do this? Who would I try to compromise? If I could get just ONE company, I could have the “blueprints” to components at multiple facilities! *insert evil genius laugh* Muahahahahahah! If I could get these, then I could find a vuln that they’d all share, and then I could launch a coordinated attack on multiple plants at once, or I could launch a targeted attack which would cause a domino effect to hide further malicious acts.
Warning InfoSec professionals, grab your headache medicine now…
Where to begin…
First, I’d see if there was a way I could get a list of companies that created the technology used in the critical infrastructure such as boilers, turbines, and generators. In fact, there is a list, and it is publicly available! YAY for research databases!! Wooo hooo! In fact, I’m even able to break it down into coal, gas, geothermal, hydro, nuclear, oil, & waste. Wait, it gets better. I can even determine the commission date, model, and capacity for each. Next, if I found data missing from the awesome resource (I may be an OCD attacker and want all the details), I’d plan a social engineering attack. I bet that for those plants that have “missing data” I could probably call, pretend to be a college student doing research, and they’d tell me any one of the previously listed data elements, especially if I sent them the link to the public resource that already has “everyone else’s data” in it. Although I did not do that, I did collect the manufacturer names for US infrastructure. Admittedly some appear to have nominal differences in naming based on who submitted the data, thus potential duplication, but as an attacker I probably wouldn’t care:
- ABB, Asea Brown Boveri
- Allis Chalmers
- American Hydro
- Babcock & Wilcox (B&W)
- Baldwin-Lima-Hamilton (BLH)
- BBC, Brown Boveri & Cie
- Brown Boveri & Cie (BBC)
- Combustion Engineering
- Foster Wheeler
- GE Hydro
- General Electric
- Hitachi Japan
- Hitachi Power Systems America
- Melco Japan
- MHI Japan
- Mitsubishi Japan
- Newport News Ship & Dry Dock
- Riley Stoker
- S Morgan Smith (SMS)
- Voest Alpine
- Vogt Power International Inc.
- Voith Hydro
Next, I’d start searching to find events where multiple companies would attend. As you can guess, there is yet another OSINT source that would list potential gatherings of these individuals http://wikicfp.com/cfp/call?conference=energy. This is just one source, but it is such an amazing source I decided to share it (HINT: if you’re looking for InfoSec conferences, check out the security and technology categories). For a moment, let’s just assume that this source didn’t yield any promising results. Another option would be to find a single company that lists one or more of these manufacturers as their client or the technology as their area of expertise. After a simple search for ABB (yeah, had to go pretty far down that list there) we find https://www.turbinepros.com/about/oem-experience. And wouldn’t you know it, they’re hosting some events of their own. A search for ‘turbine generator maintenance’ yields http://www.turbinegenerator.com/ and their events tab takes me to http://www.powerservicesgroup.com/events/ and the process continues. If I wanted a “current” status of critical infrastructure I could pull it from DHS reports/publications at https://www.dhs.gov/publication/daily-open-source-infrastructure-report (granted, in Jan 2017 they discontinued it). I could also go here https://www.dhs.gov/critical-infrastructure-sectors and pull each sector’s plan, which typically identifies the number of plants running and the states in which they are located. The amount of information available to a bad actor in open sources is plentiful, and gives them plenty of time to plan their attack. Ironically, I wonder how many companies are doing the same thing to plan FOR the attack?
So, what’s next? As a bad actor, one wants bang for the buck, so I’d want to find a conference listing the sponsors & speakers (who does that? #sarcasm); hopefully this might help me narrow down my target (i.e. the one with the largest collection of key players, most likely). I also want to find one that isn’t too large; small-to-medium conferences usually have smaller budgets, thus the only real security they put in place is some volunteer with no “security” experience at an entrance asking, “Do you have a conference badge?” Also, keep in mind, these are energy conferences in this hypothetical scenario; security, especially cyb3r security, is probably not at the top of their list. Since these are not Information Security conferences, i.e. they are not BlackHat or DEFCON, nobody is running around yelling “turn off your Bluetooth, NFC, & WiFi” or “please don’t scan random QR codes”. There’s also probably not anyone checking to see how many mobile access points (or stingrays) popped up before/after the conference or whether there’s a sniffer on the free conference (or hotel) WiFi. Another thing an adversary might consider is chatting up the marketing guy, making sure to get his business card. Also, get him to talk about other key leaders (everyone will talk plenty about the guy they dislike the most). Then later that bad actor would be sending him (or someone else) a spear-phishing email, as they are sure to have captured plenty of topics of interest. A targeted spear-phishing email is far more likely to get the victim to click a link (or not report it), and to avoid detection, than a mass blast. The bottom line is that, from an attacker’s perspective, it is probably much easier for me to compromise a person from one of these conferences than it is for me to hack into infrastructure directly.
If I were a bad guy, I’d consider this casting a wide net; the key, though, is that I only need to catch one fish. Once I’ve caught one, then it is game on. While all of them are worried about NERC or ISO compliance, how many of them are worried about whether a bad actor is accessing IT asset inventories, network diagrams, purchase orders, IT road maps, or archived vulnerability scan reports? One of the gaps in security that surprises me the most is the lack of security surrounding previous penetration test reports. The vendor providing the report(s) may give the highest protections to the documents when sending and storing them, and the client treats them with great protection when they first arrive. However, once they are considered old (usually 12+ months), complacency sets in. The irony is, the greatest frustration I hear from my Red Team friends is “we told them [1-10] years ago to fix this, and it’s still wide open.” Well, not only is it wide open, the report now sits on an all-company-access shared drive, or worse, a public FTP server, because it’s “old”.
Bottom Line – It’s Game On.
Many of you might have objections to me laying out this attack scenario on a public blog. You would argue that I’m giving bad guys ideas and shame on me. I considered that; however, the more likely truth is that they’ve already thought about this, and we have our heads so far up our 4th point of contact running around screaming about ransomware, malware, hashes, IOCs, and malicious domains that we, the InfoSec community, do not give 1/100th of our time to thinking about strategic cyb3r threats. We do not plan for attack scenarios beyond device compromise. Blue Teams spend all day fighting a tactical battle and Red Teams spend all day attacking systems. We rarely stop to give thought to the person we “let in” through the front door. When do we stop and think about domino effects and strategic cyb3r threat scenarios, so that we can take a harder look at our environments for hints of a strategic attacker and then actually go look for footprints? Most, if not all, of you reading this will say we don’t ever do that. That is why I’ve written this.
We have to change what we’re doing and start thinking outside of immediate [tactical] cyb3r threats or we’ll lose the fight not for lack of technology and effort, but for lack of creative and disruptive thinking.
FOOD FOR THOUGHT
- Look [in your environment] at the sensitive documents listed in this blog (app architecture, network architecture, asset inventory, purchase orders, pentest results, vulnerability reports, etc.). Are you logging who/what has accessed them? Do you see any non-human accounts accessing them? Is every copy/download accounted for?
- Are you adequately educating your staff who attend conferences on the elevated security risks? When’s the last time you made a forensic image of an executive’s laptop? If you allow BYOD, are you adequately inspecting the devices upon return? What changes in procedure for “conference attendance” can you make to better protect your environment?
- Do you have relationships with local FBI/Police/InfoSec Community so that you can learn about any potential threats, especially cyb3r threats? Are you sending an InfoSec person to these non-InfoSec conferences with your staff to assess the InfoSec risks/threats?
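The first question above (and the [QUESTION] in the OPM paragraph) is the one most shops can actually answer with a script, so here is an added example of what reviewing those logs might look like. This is my own illustration, not code from the blog author: it assumes a file-access audit log in a constructed `timestamp|user|action|result|path` format (your DLP, file server or SharePoint audit export will differ), a list of sensitive share paths, and an `svc_` naming convention for service accounts. It flags four things the bullet asks about: non-human accounts touching the sensitive documents, off-hours access, repeated failed attempts, and one account copying or downloading several sensitive documents in a short window.

```python
"""Review a file-access audit log for suspicious access to sensitive IT documents.

Added example, not part of the original blog post. The log format, paths,
account names and thresholds below are all constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit lines (not from any real system).
# Format assumed here: timestamp|user|action|result|path
SAMPLE_LOG = """\
2017-03-06T09:12:01|jsmith|READ|SUCCESS|/shares/it/network-diagrams/core-2016.vsdx
2017-03-06T09:14:30|jsmith|READ|SUCCESS|/shares/it/asset-inventory/servers.xlsx
2017-03-06T02:41:05|svc_backup|READ|SUCCESS|/shares/it/pentest/2015-external-report.pdf
2017-03-06T02:41:07|svc_backup|READ|SUCCESS|/shares/it/pentest/2016-internal-report.pdf
2017-03-06T11:02:44|svc_webapp|COPY|SUCCESS|/shares/it/network-diagrams/dmz.vsdx
2017-03-06T13:05:00|mlee|READ|FAILURE|/shares/it/asset-inventory/servers.xlsx
2017-03-06T13:05:03|mlee|READ|FAILURE|/shares/it/network-diagrams/core-2016.vsdx
2017-03-06T13:05:09|mlee|READ|FAILURE|/shares/it/purchase-orders/2016-q4.xlsx
2017-03-06T15:20:00|rkhan|DOWNLOAD|SUCCESS|/shares/it/pentest/2015-external-report.pdf
2017-03-06T15:20:10|rkhan|DOWNLOAD|SUCCESS|/shares/it/pentest/2016-internal-report.pdf
2017-03-06T15:20:20|rkhan|DOWNLOAD|SUCCESS|/shares/it/network-diagrams/core-2016.vsdx
2017-03-06T15:20:25|rkhan|DOWNLOAD|SUCCESS|/shares/it/asset-inventory/servers.xlsx
2017-03-06T15:21:00|rkhan|DOWNLOAD|SUCCESS|/shares/hr/holiday-schedule.pdf
2017-03-06T10:00:00|jsmith|READ|SUCCESS|/shares/hr/holiday-schedule.pdf
"""

# Assumed locations of the document types the blog lists (tune to your environment).
SENSITIVE_PREFIXES = (
    "/shares/it/network-diagrams", "/shares/it/asset-inventory",
    "/shares/it/pentest", "/shares/it/purchase-orders", "/shares/it/architecture",
)
SERVICE_ACCOUNT_PREFIXES = ("svc_",)   # assumed naming convention for non-human accounts
BUSINESS_HOURS = (7, 19)               # local hours considered normal for human access
WINDOW = timedelta(minutes=10)         # burst window for failures and bulk exports
EXPORT_ACTIONS = ("COPY", "DOWNLOAD")


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    result: str
    path: str


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed pipe-delimited format into time-ordered events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, result, path = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), user, action, result, path))
    return sorted(events, key=lambda e: e.ts)


def is_sensitive(path: str) -> bool:
    return path.startswith(SENSITIVE_PREFIXES)


def is_service_account(user: str) -> bool:
    return user.startswith(SERVICE_ACCOUNT_PREFIXES)


def _burst(events: list[Event], threshold: int, key) -> bool:
    """True if at least `threshold` distinct `key` values occur within WINDOW."""
    for i, start in enumerate(events):
        distinct = {key(e) for e in events[i:] if e.ts - start.ts <= WINDOW}
        if len(distinct) >= threshold:
            return True
    return False


def analyze(log_text: str) -> list[Finding]:
    """Apply the four rules and return every finding (one per rule hit)."""
    findings: list[Finding] = []
    failures: dict[str, list[Event]] = defaultdict(list)
    exports: dict[str, list[Event]] = defaultdict(list)
    for e in parse_log(log_text):
        if not is_sensitive(e.path):
            continue                      # only the documents we care about
        if e.result != "SUCCESS":
            failures[e.user].append(e)    # failed attempts are reviewed in bulk below
            continue
        stamp = f"{e.action} {e.path} at {e.ts.isoformat()}"
        if is_service_account(e.user):
            findings.append(Finding("non-human-account", e.user, stamp))
        if not BUSINESS_HOURS[0] <= e.ts.hour < BUSINESS_HOURS[1]:
            findings.append(Finding("off-hours", e.user, stamp))
        if e.action in EXPORT_ACTIONS:
            exports[e.user].append(e)
    for user, evs in failures.items():
        if _burst(evs, 2, key=lambda e: (e.ts, e.path)):
            findings.append(Finding("repeated-failures", user,
                                    f"{len(evs)} failed attempts on sensitive documents"))
    for user, evs in exports.items():
        if _burst(evs, 3, key=lambda e: e.path):
            docs = len({e.path for e in evs})
            findings.append(Finding("bulk-export", user,
                                    f"{docs} distinct sensitive documents exported within {WINDOW}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, handy for a daily report line."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"[{f.rule}] {f.user}: {f.detail}")
    print(summarize(results))
```

On the constructed sample this reports the backup service account reading old pentest reports at 02:41 (both the non-human and off-hours rules fire), a web service account copying a network diagram, one user failing three times in a row against sensitive paths, and one user downloading four sensitive documents inside a minute, while the ordinary daytime reads by jsmith stay silent. The point is not the thresholds, which you should tune, but that each question in the bullet maps to a rule you can run every day against logs you probably already collect.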
Thank you for taking time to read the blog, please feel free to leave comments and questions. I will respond as time permits.