A blue icon with a cannon in the center is floating on Rita Foster’s computer screen at the Department of Energy’s technology lab in the Idaho desert.
The icon looks like a piece from the board game Stratego, and it stands for the malicious strain of Russian malware called CrashOverride that blacked out parts of Kiev, Ukraine, in 2016.
More icons on Foster’s screen represent other elements of CrashOverride, including a description of tactics used by the hacker group behind the blackout in Eastern Europe. For a utility operator in the United States, accessing the information behind the icon could be the difference between suffering a major breach at the hands of a sophisticated hacking group and stopping the hackers cold.
This is no board game, Foster explained, but rather a first-of-its-kind program that allows utility operators to display and analyze threats on their computer screens. It emerged from a $33 million, five-year research project that teamed DOE national laboratories and private cybersecurity firms with California’s three largest investor-owned utilities, Pacific Gas and Electric Co., Southern California Edison Co., and San Diego Gas & Electric Co.
Through the project, called California Energy Systems for the 21st Century, or CES-21, utilities can access the growing body of cybersecurity knowledge amassed during investigations of specific hacking campaigns.
The tool on Foster’s screen is called the Structured Threat Intelligence Graph (STIG), developed by Idaho National Laboratory and Southern California Edison. Behind this icon is information deciphering thousands of lines of computer code hackers use to penetrate, disrupt and possibly destroy grid controls, generators and transformers.
By clicking on icons, electric grid defenders could find, for example, that a group tends to corrupt Microsoft Corp. programs and steal employee information, opening a back door into a utility’s control system. Making that connection could shorten a threat investigation from days to hours or from months to weeks.
Researchers who lead the project say the difference between STIG and today’s threat databases is similar to the difference between getting driving directions from a digital navigation app versus lumbering across the pages of a classic Rand McNally road atlas. It’s night and day.
"How many cybersecurity companies write these beautiful reports?" Foster asked. "They read like Tom Clancy novels. ‘So-and-so did this to so-and-so.’ But you can’t act on it, and you can’t implement it. You can share the information. You know you have a problem, but you don’t know what to do."
With this, utilities can query for information and get going on the solution, she said.
Machine-to-machine
The CES-21 program is the first step toward a much more challenging goal on the security frontier. That’s to equip computers at utilities and at big manufacturing plants with artificial intelligence that would give them the capability to automatically detect and defeat hackers, with minimal human help, project leaders said.
Instead of waiting for a command from a person sitting in a control room, the machines could act on their own.
The wordy name of the lead CES-21 project — machine-to-machine automated threat response (MMATR) — reveals its purpose. "Machine-to-machine" means information is shared directly between computer platforms. "Automated threat response" looks ahead to a time when utility computers trigger actions that automatically slam the door on intruders.
But that vision is some distance off, according to the CES-21 research team.
"We’re not going to have [full] MMATR capability" when the program ends this year, said Robert Caliva, infrastructure security project manager at the Idaho lab. "We’re hopeful that there will be a second phase to CES-21 and that this team can then complete the development through additional research," Caliva said.
Building tools to detect hacker malware signatures sets "a foundation for future automated threat response systems," said Jamie Van Randwyk, leader of the Lawrence Livermore National Laboratory’s Global Security Computing Applications Division.
The innovations were released without charge on the internet in the hope and expectation that utilities and cybersecurity firms will use them as blueprints for new kinds of defensive software.
Van Randwyk said small and large utilities can use them to integrate their operating data into existing cybersecurity tools. This "will require time and effort," he said, but it doesn’t require expensive investments or large staffs.
In addition to STIG, another CES-21 tool is called the Secure SCADA Protocol (SSP), which creates an encryption wrapper to secure essential data and commands flowing between substations and control centers. Developed by San Diego Gas & Electric and cybersecurity firm Automatak LLC, the technology encrypts grid data. "If you’re encrypting all the traffic, your adversary can’t see it. But you can’t, either," said Automatak partner Adam Crain.
In another innovation, Foster’s team assembled equipment to create exact replicas of substations in use or planned by the three California utilities. This allowed defenses from the MMATR program to be tested in real-world conditions, she said. By testing defenses on three different substation designs, research homed in on ones that could be used widely around the grid.
Fixing STIX
One more of the tools improves a frustrating limitation on the most important software technology that utilities now use to share malware data.
That software is called STIX, short for Structured Threat Information eXpression, which sets out a format for describing and organizing the elements of an attack. For machine reading to work, threat data must be entered precisely into a database.
Initiated by Department of Homeland Security cybersecurity specialists in 2010 and now overseen by the OASIS technology standards group, it is cumbersome and complex, requiring expert handling.
"While STIX is a defined machine-readable format, it’s not easy for humans to read it or code in it by hand," Van Randwyk said. "Currently, many threat intelligence reports are delivered manually by email, PDFs and proprietary portals instead of machine-to-machine."
The task of making STIX easier to use went to New Context, a 5-year-old cybersecurity firm, working with Southern California Edison. The result was a new version, STIX 2, which is meant to simplify the effort to see patterns behind a malware campaign, said Andrew Storms, the company’s vice president for product.
Take Russia’s cyberattack in 2015 against a trio of rural Ukraine utilities, he said. The attack hit the utilities in a blitz of assaults on different parts of their operations. A breakdown of a single part of an operation could be misread as a broader malfunction, Storms explained. When several symptoms go awry and that pattern matches known attacks, the program calls for action.
"You can describe time-related events," he said, like a circuit breaker unexpectedly opening or a backup power system going down within a few minutes or seconds of each other. "That could jump out at the operator. Now I want to fire an alert."
In the case of a rapid series of failed login attempts, a tipoff to an attack, "you could tell the machine, if you see this, block that bad IP [internet] address where the login attempts came from," he said.
Defenders now can program computer code into STIX2 in advance, so they can immediately fight back with prepared defenses when specific attack moves show up on STIG screens.
In the future, grid operators can download STIX2 threat data into the STIG platform and instantly see dozens of icons appear on the screen.
In one test of the process at the Idaho lab, thousands of lines of code from an attack filled 52 pages of STIX documentation. It was represented on screen by 70 interactive icons, speeding and simplifying analysis.
In Foster’s demonstration, the images come alive as Foster clicks on different icons, seeking different representations of the attack. "When I get an alert, ‘Look for this [threat] indicator,’ that’s really out of context. This is in context," she explained.
"That’s the problem with data analytics — big data. You’re looking for a needle in the haystack, and you don’t know what the needle looks like," she said.
"Now you have people who can see and understand boxes and relationships and communicate what that threat is and how you’re going to take action, that was key," she said.