Why stopping grid attacks may require more victims

By Peter Behr | 07/30/2019 07:25 AM EDT

U.S. officials say the danger lights are “blinking red” for grid operators, as hacking teams from Russia, China and elsewhere escalate attempts to break in.

Mitre Corp. is developing a tool to track patterns of behavior in hackers who target the power grid and other critical infrastructure. Department of Energy/Flickr

A major research firm is heeding that warning from outgoing U.S. Director of National Intelligence Dan Coats, but Mitre Corp.’s push to guard against cyberthreats faces a paradox: It could use more hacking victims.

This is not the cybersecurity version of the Vietnam War aphorism about destroying a village to save it.

The point is to feed a new defensive model with information from actual attacks on the industrial control systems (ICS) that run the grid; the more real incidents the model ingests, the more reliable its predictions become, as Emily Frye, one of the cybersecurity experts behind the effort, explained.

Emily Frye. Photo credit: MITRE Corp.

"In industrial control systems — energy among them — there is simply no way to even gather enough data," said Frye, who leads cyber integration for public-sector programs at Mitre. "We have very few publicized incidents."

Mitre’s close ties to the federal government, coupled with its lack of outside commercial interests, put the organization in a unique position to tackle a problem that has vexed various researchers and cybersecurity startups in the past: How can the power sector gather and use valuable data from cyberattacks and "near misses"?

Successful cyberattacks against ICSes and supervisory control and data acquisition (SCADA) systems that manage power flows are very rare, and what has happened is rarely revealed, Frye said. That poses a fundamental problem for Mitre’s effort to define patterns of behavior that utilities could use to anticipate and stop hackers’ next moves.

The nonprofit research organization has U.S. science and security agencies as major clients and has focused its defensive strategy inside companies’ digital perimeters, rather than trying to build thicker walls. Mitre wants to track and catalog adversaries’ actions inside the walls to get inside their minds, grasp their tactics and learn how to block them. Part of the goal is to expand a free, widely used Mitre cybersecurity program, called the "ATT&CK" framework, to account for hacking threats to critical infrastructure, not just corporate computer networks.

Richard Struse, Mitre’s chief strategist for threat intelligence, likens the process to images on a security camera that record intruders trying to pick a lock, for instance.

When enough nefarious methods are cataloged, paths of attack can be blocked, he said. Tracking past attacks can reveal where future ones are going to go, and there are a limited number of ways that attacks can get through to gain control of operating equipment in the power grid, he said.

"Imagine it as a board game. The adversary wants a board where he can land on any space he wants," Struse said. "Our goal is to remove as many of those safe landing spots as possible."

DOE action

To build the model, Mitre needs data from actual probes and attacks in the energy sector, and there just isn’t enough of it, Frye said.

That forensic gap speaks to a vulnerability in utility systems, where mapping attack pathways is in its infancy. Closing it is a top priority of the Department of Energy’s new Office of Cybersecurity, Energy Security and Emergency Response (CESER), according to that office’s leader, DOE Assistant Secretary Karen Evans.

"CESER is working with government partners and the energy sector to develop a secure platform to provide energy-sector-wide situational awareness and actionable information" to neutralize attacks, Evans told lawmakers at a House Science, Space and Technology subcommittee hearing earlier this month.

A key building block for CESER’s work is Mitre’s foundational ATT&CK program — short for Adversarial Tactics, Techniques and Common Knowledge — which is available online without charge. It has been assembled by Mitre with government and industry input over the past six years as a catalog of the tactics and techniques adversaries use to break into, and then operate inside, enterprise IT networks. ATT&CK is also woven into an advanced cyberdefense strategy developed by several DOE national laboratories and California’s three largest publicly owned power utilities.

Frye envisions a version of ATT&CK tailored for utilities.

The success of the program’s original version is built on a huge volume of data from cyberattacks against enterprise IT networks across the entire economy, shared by the victims and by cybersecurity firms.

In those attacks, hackers often abuse legitimate, built-in software on Windows and other common information technology platforms (a practice defenders call "living off the land") to open backdoor channels, smuggle out sensitive information or plant additional hacking tools. Because so many of the attackers’ methods have been observed and shared, the ATT&CK program is able to associate certain patterns of behavior with specific adversaries.

For example, APT28, the Russia-linked hacking group accused of breaking into Democratic officials’ computers in the run-up to the 2016 presidential election, likes to use a program called Mimikatz to pull passwords and other credentials out of Windows memory and gain access to documents, Mitre notes. Finding Mimikatz in conjunction with other telltale clues, like domain registrations, could point to other tactics favored by the Russian group. ATT&CK analysis by itself doesn’t promise foolproof identification of attackers, since many groups share common tools, but it can highlight clusters of preferred tactics, Mitre says.
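As an added illustration of the matching described above (example code written for this page, not Mitre’s tooling), the following Python scores a set of techniques observed in an intrusion against a group-to-technique table shaped like ATT&CK’s. The table here is a constructed sample with hypothetical group names; the technique IDs follow ATT&CK Enterprise numbering, but the real catalog is the STIX data Mitre publishes, which this script deliberately does not fetch. The example also shows the two points the paragraph makes: a single shared tool such as a credential dumper leaves attribution ambiguous, while a cluster of techniques narrows the field and suggests what else to hunt for.

```python
"""Score observed adversary techniques against an ATT&CK-style catalog.

Added example for this article; not Mitre code and not the real ATT&CK
dataset.  The group names are hypothetical and the group-to-technique
mapping is a hand-built sample.  Technique IDs use ATT&CK Enterprise
numbering (e.g. T1003 = OS Credential Dumping, the technique Mimikatz
implements).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Human-readable labels for the technique IDs used in the sample.
TECHNIQUE_NAMES: Dict[str, str] = {
    "T1003": "OS Credential Dumping (e.g. Mimikatz)",
    "T1566": "Phishing",
    "T1071": "Application Layer Protocol (command and control)",
    "T1583": "Acquire Infrastructure (domain registration)",
    "T1059": "Command and Scripting Interpreter",
    "T1486": "Data Encrypted for Impact",
    "T1021": "Remote Services (lateral movement)",
    "T1041": "Exfiltration Over C2 Channel",
}

# Constructed sample catalog: group -> techniques that group is known for.
# Note that T1003 appears under every group, as credential dumping does
# in practice, which is why a lone Mimikatz sighting attributes nothing.
SAMPLE_GROUP_TECHNIQUES: Dict[str, FrozenSet[str]] = {
    "sample-espionage-1": frozenset({"T1566", "T1003", "T1583", "T1071", "T1041"}),
    "sample-espionage-2": frozenset({"T1566", "T1003", "T1059", "T1021"}),
    "sample-ransomware-1": frozenset({"T1003", "T1021", "T1059", "T1486"}),
}


@dataclass(frozen=True)
class Match:
    group: str
    shared: FrozenSet[str]   # observed techniques this group is known to use
    coverage: float          # fraction of observations the group explains
    jaccard: float           # overlap normalised by both sets' size


def rank_groups(observed: Iterable[str],
                catalog: Dict[str, FrozenSet[str]] = SAMPLE_GROUP_TECHNIQUES) -> List[Match]:
    """Return candidate groups, best first, based on technique overlap."""
    seen = frozenset(observed)
    if not seen:
        return []
    matches = []
    for group, techs in catalog.items():
        shared = seen & techs
        if not shared:
            continue
        matches.append(Match(group, shared,
                             coverage=len(shared) / len(seen),
                             jaccard=len(shared) / len(seen | techs)))
    # Most shared techniques first; break ties by Jaccard, then by name so
    # the ordering is deterministic.
    matches.sort(key=lambda m: (-len(m.shared), -m.jaccard, m.group))
    return matches


def attribution_is_ambiguous(matches: List[Match]) -> bool:
    """True when the top two candidates explain the same number of observations."""
    return len(matches) >= 2 and len(matches[0].shared) == len(matches[1].shared)


def unobserved_techniques(group: str, observed: Iterable[str],
                          catalog: Dict[str, FrozenSet[str]] = SAMPLE_GROUP_TECHNIQUES) -> FrozenSet[str]:
    """Techniques the group favours that have not been seen yet: the 'next moves' to hunt for."""
    return catalog[group] - frozenset(observed)


def report(observed: Iterable[str]) -> str:
    """Plain-text summary of the ranking for a set of observations."""
    seen = sorted(set(observed))
    lines = ["observed: " + ", ".join(f"{t} ({TECHNIQUE_NAMES.get(t, '?')})" for t in seen)]
    matches = rank_groups(seen)
    for m in matches:
        lines.append(f"  {m.group}: shares {len(m.shared)} of {len(seen)} "
                     f"(jaccard {m.jaccard:.2f}); hunt next for "
                     + (", ".join(sorted(unobserved_techniques(m.group, seen))) or "nothing"))
    lines.append("  attribution: " + ("ambiguous" if attribution_is_ambiguous(matches) else "narrowed"))
    return "\n".join(lines)


if __name__ == "__main__":
    # A lone credential dumper: every sample group matches equally.
    print(report(["T1003"]))
    # Credential dumper plus domain registration plus C2 protocol: one group stands out.
    print(report(["T1003", "T1583", "T1071"]))
```

Coverage answers "how much of what I saw does this group explain", Jaccard penalises groups with sprawling technique lists, and the "hunt next" set is the practical output: the techniques a ranked candidate is known for that the defender has not yet looked for.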

‘Smarter’ foes

There is growing evidence of sophisticated cyber intrusion campaigns aimed at ICSes, ramping up the urgency for defenders to find similar patterns in attacks on ICSes and SCADA systems, Frye said.

In December 2016, a suspected Russian cyberattack on Ukraine’s power grid relied on what cybersecurity firm Dragos Inc. described as "purpose-built" malware that spoke the communications protocols of grid control systems directly. The "CrashOverride" tool, as Dragos named it (other researchers call it Industroyer), could be modified to target U.S. power networks, though it isn’t known to have caused any other blackouts.

A 2017 Dragos paper on the threat notes that power company substations typically have unique controls (Energywire, June 13, 2017). But many substations have a common process for managing communications between control room operators and substation equipment that moves power.

The attackers’ malware was able to speak several such protocols natively within the targeted Ukraine substation. Once inside the control network, they were able to inventory the system, select and manipulate certain parts of it, and run a "wiper" module that erased critical files and took down the substation, briefly knocking out power to several hundred thousand people north of Kiev.

"Adversaries are getting smarter; they are growing in their ability to learn industrial processes and codify and scale that knowledge, and defenders must also adapt," Dragos said.

Defenders need many more such forensic clues to thwart attackers’ campaigns against grid systems, Frye said.

That requires creating a culture of sharing threat data that is common in many other industries targeted by hackers, but not the electric power sector, she said. Until this year, federally regulated grid companies were required under the NERC critical infrastructure protection reliability standards to disclose attacks that led to power outages, but they did not have to report attempts to penetrate systems; regulators have since directed that attempted compromises be reported as well.

In the IT world, "we are over the hurdle of feeling that hiding is better than sharing," Frye said. But she said there is not yet "widespread uniformity" within the electric power community on sharing threat indicators. "That doesn’t exist."

New strategies

Mitre has to find other ways to make its model work.

Frye said the firm has already taken all the pieces of data now publicly available on ICS attacks, analyzed them and begun cataloging attack methods. "We’ve augmented that through some techniques that are really, really different and that they don’t use with traditional [IT] attacks," she said.

One approach is to think through some very bad consequences of a successful grid attack, and then work backward to figure out how an attacker could have caused that damage, she said.

Frye said that strategy has been "both novel and fruitful," but added that "we are not at this time discussing all techniques that we use" to build out the new model.

"We’ve worked with a closed community — it’s not everybody and their brother," she said. "We feel it’s important to be somewhat more confident than we are right now before we disclose the whole thing to the public, like we did with ATT&CK. It took a number of years to really get that out the door."

Two years ago, the ICS-focused approach was just an idea. Now there are concrete steps toward a threat framework for grid systems, she said. "We are in the very, very early stages of building the community and getting their reality checks on the concept," she said, adding that Mitre does not have outside funding for the work. "It’s us on a shoestring trying to do the outreach and build this one by one."

One goal is to get much more input from the energy sector, she said. "We have a few leading partners, and we would certainly like to have all the leading energy companies … share their data, understanding that we’re not going to share with anybody else," Frye said. "It’s going to be closed for now until everybody in the community is really willing to share the ICS threat framework more broadly. We’re not going to open the kimono."