SECURITY:

A 'bear' leaves clues in the hunt for energy industry's best cyberdefenses

It's 9 a.m. in Moscow, and the "Energetic Bear" is awake again, sniffing around oil and gas companies' computer networks.

The cyberattacker's ursine nickname, coined by security firm CrowdStrike, combines Russia's national animal with a taste for targeting energy companies. Analysts at the startup say the powerful "Energetic Bear" could step up attacks this year as the U.S. energy sector struggles to keep its secrets and infrastructure safe.

"It appears that [Energetic Bear's] motive is intelligence collection -- finding out what these companies are doing, where they're drilling," said Shawn Henry, president of CrowdStrike Services and the company's chief security officer. "But the reality is, with the depth and breadth of access adversaries have into these networks, they could actually turn things off; they can disrupt and they can destroy computer networks."

Henry is no stranger to electronic threats, having formerly overseen global cybersecurity operations as executive assistant director of the FBI. CrowdStrike was able to trace cryptonym "Energetic Bear" back to Russia based partly on the fact that most of the group's malware building and infrastructure monitoring coincided with Moscow working hours, according to the company's "2013 Global Threat Report" released last week. The firm said it has been tracking the so-called bear since 2012.

CrowdStrike's focus on ferreting out attackers' locations and motivations is one of several ways Western energy companies are handling an influx of tech-savvy adversaries.

Fixed on a multibillion-dollar market for cyberdefenses, vendors are pressing their solutions on exploration and production companies, utilities and other energy firms. But as energy companies struggle to balance spending on cyber security with other growing demands on their budgets, they must confront how best to counter the cyberthreat.

Basic hygiene

The Council on CyberSecurity, a nonprofit advocate for a secure Internet, is promoting what it calls basic rules of cyber hygiene that companies should adopt to block the most common intrusion vulnerabilities.

Jane Holl Lute, the council's president and CEO and former deputy secretary of the Department of Homeland Security, draws a contrast between a "ready to wear" defense of best practices that suit all companies and "bespoke," tailor-made countermeasures against the most advanced "zero day" attacks.

Lute and Dave DeWalt, chairman and CEO of network security firm FireEye, offered contrasting strategies at a conference on cyberthreats in November at the Center for Strategic and International Studies.

DeWalt, whose company deploys tailored defenses against complex attacks, issued a stark warning about the cyberthreat to energy infrastructure.

"Our current controls aren't working very well. Our best practices aren't working well," he said. "The offense and the defense have got highly dislocated. The offense and the adversaries are easily able to defeat the defensive architectures we have out there.

"For years, we've preached defense in depth," DeWalt continued, referring to multiple layers of firewalls, gateways, anti-virus software and similar tools. "What's the Achilles' heel in that entire defense-in-depth architecture? We have the exact same detection engine at every layer."

He dubbed that vulnerability "the Maginot line," referencing the French border defenses that were expected to block an attack by Germany but were simply bypassed by the German offensive during World War II.

Today's cyberdefenses deploy the same, signature-based blocking model at each level of defense. "If you can evade that architecture, you've defeated the entire model," DeWalt said.

"Not to paint too dire a picture, when you compound the fact that now the adversaries are sharing [information] and you've created a capitalistic community where you can purchase advanced weapons and advanced malware kits on the black market, you end up having a situation where these advanced attacks in the hands of the wrong individuals create a potentially catastrophic scenario," he added.

DeWalt's answer calls for new methods for recognizing and detecting high-risk threats, which is what his company offers. Another need is multistep identity authentication to thwart the constant probes seeking to compromise company officials' passwords.

"That doesn't mean they have to spend hundreds of millions of dollars more to fix it," he said, suggesting that companies align their defenses to places where they've identified the biggest risks.

Lute responded at the November CSIS conference, "Surprisingly, there are people in the technological community that say there is no such thing as adequate cyber hygiene. There is nothing you can possibly do to defend yourself unless it's tailor-made to you. Frankly, the policy community thinks that's nonsense."

The council is preparing an updated version of a "basic hygiene" plan -- a set of "critical security controls" created in collaboration with cyberdefense experts. It builds on an initial group of controls developed by the Defense Department, National Security Agency and private sector.

The new version of the top five controls will be announced next month at the RSA Conference on cybersecurity, in San Francisco.

The five "best practices" call on energy companies to inventory authorized and unauthorized devices, and to do the same with software; to develop and manage secure configurations for all devices; to actively manage and control the use of administrative privileges; and to carry out continuous (automated) vulnerability assessment and remediation.

"Nothing will prevent everything," Lute said in an interview. "At the moment, the adversaries who are capable of mounting advanced persistent threats, we're not even making it hard. They are achieving success through shockingly simple methods that these five [practices] will prevent.

"We're saying the 20 critical controls represent the most important things we do first, and the first five, in our view, and in the view of the community that has looked at this very carefully, are the ones that give the biggest bang for the buck; they are the quick wins, are the things you should be doing to protect yourself.

"One school of thought says, there are so many things that you have to do. ... We need a control or fix for every possible thing that's out there, and the encyclopedia gets bigger and bigger and bigger," Lute continued. "Unless you're doing all, it's not worth doing any.

"I'm not arguing whether one size fits all, but one approach fits most. McDonald's has sort of proven that."

An 'unfair fight'

A third strategy operates under CrowdStrike's mantra that there are two types of big energy companies -- those who've been hacked and those who don't yet know they've been hacked.

CrowdStrike's switches the focus from shoring up defenses to finding out what data adversaries are after, who they are and where they reside.

"We believe we've seen both Russia and Iran targeting the oil and gas sector for information related to business practices, to research and development, to acquisitions -- perhaps to get some advantage in advance of drilling," CrowdStrike's Henry said.

Attempting to block the full weight of what could be Russia's foreign intelligence service -- with its round-the-clock resources, linguistic experts and real-world assets -- is not for the faint of heart. CrowdStrike thinks companies should be realistic about whether they can entirely keep out a colossal, deeper-pocketed opponent like Russia.

But FireEye thinks that with enough defenses, such a task isn't altogether impossible.

"It does seem sometimes like an unfair fight," said FireEye's Kenneth Geers.

Geers said that "preventing espionage or surveillance is hard, but it's not a hopeless cause" with enough defenses and practices in place.

In his role as senior global threat analyst, Geers tracks about 160 advanced persistent threats, many of which likely trace their origins back to state-sponsored groups in Russia, China and Iran. APTs, as such nation-state-level campaigns are abbreviated in the security industry, can dwarf the cyber capabilities of "lone wolf" hackers or even terrorist groups.

While FireEye works with a range of industries from health care to aerospace, Geers said the energy sector has consistently ranked as a top target globally.

Energy, petroleum and utility companies were the fourth-most-targeted business group in North America and Europe, based on 2013 FireEye data. In the Middle East, the energy sector was the second-most-common target last year, Geers said, likely because of the oil industry there.

"There are going to be attacks that are associated with intelligence collection and analysis -- to give nations a competitive advantage," Geers said. But "there'll be a subset of [attacks] that are stealthier and more compartmented, maybe to give nations some leverage during possible crisis scenarios in the future," he said.

Such attacks could target the U.S. electric grid, as utilities implement new technologies that may leave sensitive control systems more likely to be compromised. Skeptics have questioned the probability of a devastating attack on the power grid, given traditional expectations of deterrence.

But "when everything is run by computers and networks, they're going to be a part of any conflict," Geers said.

Utility executives say they're taking the cyber warfare threat very seriously.

Douglas Myers, vice president and chief information officer of Pepco Holdings Inc., parent of the electricity utility in the nation's capital, said his company's defenses start with fundamental "hygiene," including, for example, specific controls to prevent employees from clicking on external Web links from their office computers, not realizing they may have opened a door to cyberattack.

"There is annual training people have to go through, or we'll turn their network access off, regardless of the level they're on," Myers said.

Once the basic defenses are in place, he said, "that's when you can start talking about these sophisticated tools that these vendors want to bring in -- because if you start with the tools and don't have all that other stuff in place, I suggest that you won't have as much success. But if you have those fundamental layers in place, then you're going to end up picking the right tool for the risk, and adding to your defense, as opposed to assuming that simply buying the tool is going to protect you."