Russian Hackers Breach U.S. Utility Control Rooms

OT remote access is efficient and convenient – for attackers

Remote access might look like a good idea. Every computer on an enterprise network certainly has some sort of Remote Desktop capability: tech support takes control of my laptop routinely to install new software or to fix issues. Sometimes our vendors have remote access into our servers and other systems to provide remote support. When we are talking about the enterprise network, this is a great capability, reducing costs, reducing headcount per campus, sometimes even reducing travel time.

When migrating to the OT world of industrial networks, this type of solution does not work.

Recent disclosures show just how good remote access is – for the bad guys. Even with best-practice security in place, Russian hackers were able to get into their targets through firewalls, encrypted VPNs and “secure” remote desktop solutions, and just walk around inside the nation’s most critical and dangerous places, as if walking in the park. During this months-long campaign, they managed to steal information, learn how electric utilities’ systems operate, and understand their security posture, most likely planning for a future attack to shut down our power.

Solving this involves both mindset and technology. Asset owners need to understand that when there is a way in, bad things will get in, as they just did. Technology-wise, safe remote monitoring with real-time access to industrial data is possible. Unidirectional Security Gateways, Waterfall Security’s flagship technology, provide the ability to have data sent, in real-time, from plants to vendors, engineering departments and even to the cloud without risk that anyone or anything, Russian or other, can come back into the plant.

Waterfall customers were never at risk from this type of attack.

The Attacks

The Russian state-sponsored Energetic Bear and Dragonfly attack groups are accused of breaking into hundreds of US electric utilities using remote access.

They initially broke into small technology and services vendors that served the electric utilities who were the attackers’ real targets. These break-ins used spear-phishing to steal VPN, Remote Desktop and other remote access account names and passwords.

DHS: 2017 Russian Probes Hit Hundreds of Energy Cos.

Once inside the vendor networks they stole additional credentials – sometimes by using vendor email systems to phish electric utilities, sometimes by finding utility remote access credentials stored on vendor networks.

When we give remote access credentials to one of our people, or to a vendor, we imagine that we are giving that individual permission to log into our systems. What we really do is configure our systems so that anybody with the credentials can log in. The attackers first logged into the vendor networks, and then used the electric utility credentials to connect from the vendors to the utility networks. This way the utility’s sophisticated intrusion detection systems were silenced – to the utility, these connections seemed completely normal – legitimate vendors log in all the time from vendor networks using legitimate accounts and passwords.

The press reports that these attacks breached even air-gapped networks. But if we look at the attacks, it was not the Russians who breached the air gaps, it was the utilities themselves. The air gaps were breached by the utilities who installed the firewalls to enable remote access for their vendors.

Remote Access

The remote access problem is widespread. Large vendors routinely set up Remote Desktop VPN access into their customers, so the vendors can monitor and adjust equipment at electric utilities remotely. GE and Siemens, for example, routinely set up such connections to monitor and adjust power turbines remotely.

Smaller vendors, such as local systems integrators, who are tasked with front-line support for utility subsystems or even entire utility control systems, also set up such access. Remote access lets these vendors reach into utility systems any time they want to – any time of the day or night, from anywhere in the world.

The problem with remote access is that when the good guys can reach into our control systems from anywhere in the world, any time of the day or night, to do whatever they want to us, well, so can the bad guys.

Intrinsically Insecure

Remote access technologies are intrinsically insecure. Vendors of “secure” remote access will point to gazillion-bit encryption in their VPN connections as evidence of security. But if we look at the Russian attacks, all the connections between the attack groups and the vendor networks were encrypted, as were all the connections between the compromised vendors and the utility networks. VPNs encrypt attacks just as happily as they encrypt legitimate communications.

“Secure” remote access vendors may point out that the targeted vendors and utilities failed to deploy “secure” two-factor authentication mechanisms. Theory holds that with two-factor authentication, a stolen password is not enough to gain access to a target – the attacker needs to steal a physical authentication device as well, such as a key fob, USB device, or sometimes a cell phone. The problem here is that only in theory is there no difference between theory and practice.

The DHS reports that they are watching the intrusions closely so that they can issue additional warnings when they see the Russians using any of the many kinds of attacks that defeat two-factor remote access.

Secure Industrial Networks

While there is no such thing as “secure” remote access, electric utilities routinely deploy secure remote monitoring and secure remote support technologies. Waterfall Unidirectional Gateways include hardware that is physically able to send information in only one direction. When the gateways are the only connection between a control system network and all external networks, it is not physically possible to transmit remote control commands and attacks into the protected network. The Russians could steal every password to every account on every computer on the planet and still not break into unidirectionally-protected control system networks.

With unidirectional hardware providing physical protection for utility networks, Unidirectional Gateway software replicates industrial historian, OPC and other servers to external networks where vendors can access the replicas for safe, continuous remote monitoring. Unidirectional Gateways also provide secure remote support, without using intrinsically insecure remote access mechanisms. Unidirectional Remote Screen View software replicates real-time screen views through the Unidirectional Gateway hardware out to external networks where systems integrators and other support providers can see the screens and provide real-time advice. Utility insiders with physical access to control system networks are the only ones who can make changes following this advice – neither legitimate remote personnel nor attackers have any way to send any mouse movements or commands into the protected network that could be used to compromise the utility.
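To make the replication pattern above concrete, here is an added Python sketch (not Waterfall’s code; the frame format, tag names and sample values are assumed and constructed). It models the one design consequence practitioners most often miss: because nothing can flow back through the gateway, the external replica cannot acknowledge or request retransmission, so the sending side numbers every frame and the replica detects lost frames as sequence gaps instead of asking for them again.

```python
import json


class OneWayChannel:
    """Software stand-in for the unidirectional hardware: frames flow TX -> RX only.
    There is deliberately no method the receiving side can call to send anything back."""

    def __init__(self):
        self.frames = []

    def emit(self, frame: bytes) -> None:
        self.frames.append(frame)


class HistorianTx:
    """Plant side: streams historian samples out with a monotonically increasing sequence number."""

    def __init__(self, chan: OneWayChannel):
        self.chan, self.seq = chan, 0

    def publish(self, tag: str, value: float, ts: int) -> None:
        self.seq += 1
        self.chan.emit(json.dumps({"seq": self.seq, "tag": tag, "value": value, "ts": ts}).encode())


class HistorianReplica:
    """External side: rebuilds a read-only copy. It can only consume frames;
    a missing sequence number is recorded as a gap because no retransmit request exists."""

    def __init__(self):
        self.data, self.expected, self.gaps = {}, 1, []

    def consume(self, frame: bytes) -> None:
        msg = json.loads(frame)
        if msg["seq"] != self.expected:          # lost frame(s) on the one-way link
            self.gaps.append((self.expected, msg["seq"] - 1))
        self.expected = msg["seq"] + 1
        self.data.setdefault(msg["tag"], []).append((msg["ts"], msg["value"]))

    def latest(self, tag: str) -> float:
        return self.data[tag][-1][1]


def run_demo(samples, lost_seqs=()):
    """Push constructed samples through the channel, dropping the given sequence numbers
    to simulate link loss, and return the replica the vendor would be allowed to read."""
    chan = OneWayChannel()
    tx = HistorianTx(chan)
    for tag, value, ts in samples:
        tx.publish(tag, value, ts)
    rx = HistorianReplica()
    for seq, frame in enumerate(chan.frames, start=1):
        if seq not in lost_seqs:
            rx.consume(frame)
    return rx


# Constructed sample data: two turbine tags over three timestamps.
SAMPLES = [("TURBINE1.RPM", 3000, 1), ("TURBINE1.RPM", 3005, 2), ("TURBINE1.TEMP", 412.5, 2),
           ("TURBINE1.RPM", 2998, 3), ("TURBINE1.TEMP", 413.0, 3)]
```

In a real deployment the gap list is what drives redundancy (sending each frame more than once, or forward error correction) on the plant side, since the replica has no way to signal it.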

Bottom Line

Owners and operators of unidirectionally-protected networks are not waiting on the edge of their seats for DHS reports of these attackers defeating 2-factor authentication and other “secure” remote access mechanisms. Unidirectionally-protected networks are immune to remote-control attacks, no matter how clever the attack techniques or how sophisticated the threat actor.

The time has come to stop using “secure” remote access altogether for utility control system networks.


Lior Frenkel