As nation-state actors increasingly target physical critical infrastructure such as electric grids and energy sources, two federal agencies recently outlined their goals and efforts to strengthen the nation's defenses against these threats.
A cyber attack against three different Ukrainian electric utilities in 2015 resulted in hours-long power loss for 200,000 customers. The attackers sent spear phishing emails to gain initial access to the utilities' IT networks, installed keystroke loggers to steal user credentials, and used virtual private networks (VPNs) to reach and disable machines on the industrial control system (ICS) network. They also took control of the distribution management system to open breakers, causing the power outage.
Homeland Security's Pillars
The Department of Homeland Security (DHS) recently detailed its five pillars of cybersecurity goals and released a fact sheet with examples on how they plan to put the goals into action over the next five years.
- Pillar I: Risk Identification - This is all about better understanding the nation's risk posture, helping to allocate resources and prioritize efforts. This will be achieved by working with "stakeholders, including sector-specific agencies, nonfederal cybersecurity firms, and other federal and nonfederal entities, to gain an adequate understanding of the national cybersecurity risk posture, analyze evolving interdependencies and systemic risk, and assess changing techniques of malicious actors."
- Pillar II: Vulnerability Reduction - The DHS will work to reduce vulnerabilities on its own networks and across the federal enterprise by partnering with key stakeholders in the public and private sector to ensure that risks to critical infrastructure and economic security are managed at an acceptable level. For example, the National Protection and Programs Directorate (NPPD) teamed up with other agencies and industry organizations to ensure U.S. hospitals were not vulnerable during the 2017 WannaCry attack.
- Pillar III: Threat Reduction - By partnering with other law enforcement agencies, DHS law enforcement components will investigate and reduce threats from cyber criminals. The U.S. Secret Service recently arrested the Russian national behind BTC-e, a laundering service tied to over $4 billion in bitcoin transactions linked to hacking, identity theft, ransomware and other crimes.
- Pillar IV: Consequence Mitigation - Through coordinated community-wide response efforts, DHS aims to minimize the consequences of potentially significant cyber incidents. For example, the U.S. Coast Guard (USCG) established an Office of Cyberspace Forces to set and enforce operational policies that secure the USCG and protect the Maritime Transportation System from threats.
- Pillar V: Enable Cybersecurity Outcomes - By supporting cybersecurity policy and operational efforts to manage risk, the DHS will ensure that the entire cyber ecosystem is more secure and reliable. Late last year, the DHS mandated that federal agencies take steps toward deploying DMARC (Domain-based Message Authentication, Reporting and Conformance).
"The cyber threat landscape is shifting in real-time, and we have reached a historic turning point," said DHS Secretary Kirstjen Nielsen.
"Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself. That is why DHS is rethinking its approach by adopting a more comprehensive cybersecurity strategy. In an age of brand-name breaches, we must think beyond the defense of specific assets -- and confront systemic risks that affect everyone from tech giants to homeowners. Our strategy outlines how DHS will leverage its unique capabilities on the digital battlefield to defend American networks and get ahead of emerging cyber threats."
Energy Steps Up Defenses
Meanwhile, in response to increasing attacks against energy companies, the U.S. Department of Energy (DOE) also released its own five-year cybersecurity plan. Its goals include strengthening energy sector cybersecurity preparedness, coordinating cyber incident response and recovery, and accelerating game-changing research, development and demonstration (RD&D) of resilient energy delivery systems.
The DOE cites cybersecurity as a top national priority for the energy sector and federal government to work together to mitigate cyber risks that could "trigger a large-scale or prolonged energy disruption."
But what are they actually doing? One example of a DOE project is a risk information sharing program that provides near real-time data to help companies analyze and identify malicious traffic. Utilities serving 75 percent of all U.S. electricity customers currently participate in this program.
To share cyber and physical threat information, DOE works closely with representatives from the Electricity ISAC (E-ISAC), Oil and Natural Gas ISAC (ONG-ISAC), and Downstream Natural Gas ISAC (DNG-ISAC). DOE also partners with more than 20 universities to help coordinate RD&D for cybersecurity technology and help students enter the cybersecurity workforce.
To help with incident response and recovery, the DOE and the DOE National Laboratories are developing specialized resources and capabilities that can be deployed during an attack to help operators respond and restore or maintain critical functions.
Additionally, they're working with industry research leaders to enable systems that can detect and reject commands that would destabilize the electrical grid if executed. One project that brings together the energy sector, DHS and the Canadian government is the Roadmap to Secure Control Systems in the Energy Sector. More than 80 stakeholders have contributed to the strategy, which provides a framework to ensure energy delivery control systems can survive a cyber incident.
Despite Warnings, Cybersecurity Prioritization Delays
More recently, the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released a technical alert earlier this year to warn the energy and critical infrastructure sectors about multi-stage attacks launched with the intent to collect information about industrial control systems.
Tactics used to successfully steal ICS and supervisory control and data acquisition (SCADA) files included the use of compromised credentials, disabling firewalls, opening ports for remote access, and using VPNs to connect to targeted networks. The DHS strategy seeks to help defenders detect these types of attacks in order to keep critical infrastructure safe.
This alert comes in light of recent findings of agency security risks. In the latest report on the results of federal cybersecurity risk assessments, the Office of Management and Budget (OMB) and DHS found that 74 percent of federal agencies are rated either "at risk" or "high risk." This shows a clear need to prioritize cybersecurity among agencies, particularly those that can help defend our nation's critical infrastructure.
However, it appears that prioritizing cybersecurity has been met with challenges in the government. The release of the DHS cybersecurity strategy had been delayed multiple times, and there were concerns that the government was reducing its focus on cybersecurity. The White House had decided not to fill the cybersecurity coordinator position after the previous coordinator, Rob Joyce, left and returned to the National Security Agency. Meanwhile, members of the House of Representatives introduced a bill to establish a new National Office for Cyberspace led by a director-level position.