All eyes are on Russia's elections meddling and rightfully so. Yet a related Russian affairs controversy has been unfolding on a parallel track that hasn't gotten anywhere near the public scrutiny it deserves. These are the early days of an all-out cyberwar.
Specifically, Russia is doing this by intensifying cyberattacks against something most people don't know about (at least by name), the specialized industrial control systems--often referred to as OT (operational technology) networks. OT are used to run power grids, utilities and manufacturing plants. And Russia isn't only doing it to us.
Russia's focus on OT networks jibes fine with its program of election tampering, since a global cyberwar would almost certainly involve critical infrastructure: power grids, transportation systems, financial institutions, as well as key manufacturing plants. Seen through this lens, the manipulation of elections to undermine political leadership would make sense as a softening barrage.
Distinctive OT risks
This is nothing new or surprising in military and intelligence circles where such "cyber Armageddon" scenarios have been discussed for decades. However, a series of recent disclosures pulls back the curtain on the extent to which Russia, Iran and North Korea, in particular, have begun to proactively probe and infiltrate OT networks.
Keep in mind that both IT (information technology) systems--the technology that runs email, browsers and web servers--and OT systems have long been, and continue to be, under steady, relentless attack.
That said, OT systems have a distinctive exposure; they were designed to perform narrow, esoteric tasks prior to the Internet emerging as the engine of global commerce. For decades, the argument has been made that because OT networks were disconnected, or "air-gapped," from IT networks, OT systems, therefore, were immune to hacking.
However, no one anticipated the degree to which OT and IT networks would rapidly converge. For instance, an increasing number of companies rely on IT-driven cloud services and mobile devices to remotely access OT networks. IT systems today are being used to extract operational data, perform maintenance and do other tasks on the OT side of the house. This convergence has served to expose OT networks to the full spectrum of IT network hacks.
Russian attack scenario
Threat actors, as one might expect, recognized the significance of this convergence a long time ago. And they have moved swiftly to seize the opportunity. On Oct. 20th, the Department of Homeland Security and the FBI issued a joint technical alert essentially summarizing disclosures from FireEye and Symantec that have been trickling out all year. The upshot: A notable increase in attacks on OT networks by a Russian hacking ring known as Sandworm.
From news reports in Wired, the New York Times and the Washington Post, we know a lot about how the Sandworm operatives hacked into the city of Kiev's power grid, blacking out the Ukraine capital on two separate occasions. The DHS/FBI joint alert appears to link the Kiev blackouts to a wide array of similar hacks, unfolding since at least May 2017. These include the infamous WannaCry, Petya and NotPetya ransomware attacks that disrupted hundreds of companies, causing hundreds of millions of dollars of damage globally.
While the feds stopped short of explicitly fingering the Sandworm gang, it doesn't take too many marbles rolling in the same direction to figure out which way the floor tilts. What better way for Russia to push back against U.S. trade sanctions than to get into position to disrupt our power grid and key industries?
Time to lock down OT
Of course, it would be naïve to believe the U.S. has been taking all of this sitting down. We invented the Internet after all. And the NSA is generally acknowledged to possess state-of-the-art cyber weapons, not to mention a thick playbook. One could say the same about China.
Time Magazine wrote about China's orchestration of the Titan Rain attacks on U.S. industrial targets from 2000 to 2003; and Wired reporter Kim Zetter dissected the involvement of American and Israeli operatives in infiltrating Iranian power plants in her 2005 book Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon.
More recently, just ten days before DHS and the FBI issued their alert, NBC News broke a story linking North Korea to breach attempts targeting the OT networks of U.S. electric power companies. These disclosures should tell us that we're fast approaching a flash point. Nation-state operatives, led by Russia, are scrambling into position to fully exploit the profoundly hackable state of industrial controls.
Thankfully, cybersecurity products and services suppliers are on to this as well, and they have the added benefit of a profit motive to help defend U.S. national security. A cottage industry of some thirty or so security vendors, backed by deep-pocketed venture capitalists, has begun to drill down on advanced OT security solutions.
This includes startups like CyberX, Tempered Networks and Veracity Industrial Systems, that are bringing innovation to the table, as well as established tech giants, like Cisco and Honeywell, that are eager to branch into this subspecialty. I wish them god speed. It's high time we lock down our industrial controls.