First in a series.
The Citadel cybercrime connection, which has raided bank accounts around the world, was hit hard last year by a team of software firms and a sophisticated financial services organization that is deploying automated systems to share, analyze and block cybersecurity threats in tandem with the Department of Homeland Security.
The Financial Services Information Sharing and Analysis Center (FS-ISAC), formed by the finance sector under a 1999 presidential directive, is the most advanced threat intelligence partnership between critical infrastructure industries and DHS, said Richard Struse, the department's advanced cybersecurity technology chief.
"What we're seeing is, the financial services sector is out in front because they got engaged early, and frankly, they've put [in] significant resources" to create state-of-the-art detection and defense capacity, Struse said in an interview.
The electric power industry has a related threat-sharing organization, the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), set up under the same presidential directive.
However, ES-ISAC currently does not match the analysis capabilities and future potential of the Financial Sector ISAC, energy sector and government officials agree.
"The rigor, maturity and complexity of what is being done in the electricity sector are significantly less than in the financial sector," said one ISAC participant not authorized to speak on the record about the programs.
"These are threats the electrical sector hasn't had to worry about as much until fairly recently. The financial sector has a head start because they had to respond to threats much earlier," this person said.
Cyberattacks on banks by criminal groups have an obvious motive -- that's where the money is. Utilities have customer information, but no ready cash to steal, experts say.
The sharing of cyber threat information is vital to the energy sector's security, industry executives agree.
"We'll be as good as the quality of the information we're getting," said Joseph Rigby, the head of Pepco Holdings Inc., which delivers power to the nation's capital.
And the power industry's threat-sharing capabilities are increasing, officials say. In April, the FBI hosted a two-day conference on grid threats for industry leaders, and between 60 and 80 industry executives and managers are cleared to attend classified cyberthreat briefings by federal representatives.
"The vision is to be a one-stop shop" compiling threat intelligence from all government and private sources for the industry, said Brian Harrell, who directs the ES-ISAC program for the grid's security monitor, the Atlanta-based North American Electric Reliability Corp.
"We have a secure portal, where members can gain access to latest security information," Harrell said, including indicators of compromised data. "We have the tools and expertise in-house to analyze malware and provide expert guidance and opinion and mitigation strategies."
"Utilities are able to download and send us malicious software vulnerabilities they are seeing, and our own analysts are able to break it down, analyze it, figure out typically what it is and where it came from and provide analysis back to the utilities," he said.
Automation is the key
A central difference between the electricity and banking sector programs is automation.
The financial services FS-ISAC employs a set of standardized information sharing formats and procedures named STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated Exchange of Indicator Information), developed by DHS and the MITRE Corp.
STIX enables the 4,400 members of FS-ISAC to automatically share attack information, machine to machine, without hands-on direction. It may be a suspect Internet address, targeted email addresses, malicious code or some other signpost, but once flagged, the threat information speeds investigations into an attacker's chain of command and resources, potentially revealing adversaries' motives, methods and targets, Struse and other officials say.
TAXII provides a secure way of compiling data into the organization's central threat repository and sharing those data with members. "You have automation first of all in the delivery and the accessing of the information," Struse said.
Today, a lot of cyberthreat information requires personal handling -- pure cutting and pasting, he said.
"I have to send an email or check an email," Struse said. "I have to log into a portal, go look at a list of alerts, download something. Those all require people in the loop. First of all, it takes time. It takes resources. If the person who normally does that is out sick today, it sounds crazy, but sometimes threat information just goes unprocessed."
The threat information distributed by the DHS programs is available around the clock without interruption, Struse said. "Since the threat never sleeps, it's really important that this very basic thing is automated," he said.
The Citadel botnet, believed to originate in Russia or Ukraine, involved a network of infected computers that were directed to send "phishing" emails to targeted financial customers to get them to divulge banking credentials. The FS-ISAC group, through its industrywide reach, was able to provide threat data on 3.7 million emails, which was forwarded to Microsoft Corp. and its software industry partners for analysis.
The result was a civil suit against "John Doe" Citadel operators, leading to a court order last year that allowed Microsoft to seize and shut down a large part of the attacker's network, team members said.
"This was taking the offense to the criminals" instead of the other way around, said Patrick Peterson, CEO of Agari, a cybersecurity firm that joined with Microsoft in the Citadel counter-campaign. Peterson described the effort at a cybersecurity conference in February.
Struse said the next evolutionary step is to develop analytical software that will run constantly in the background, searching for commonalities among threats. STIX developers look ahead to new detection tools that can automatically find new attack patterns that relate to known attack information in the past.
"I don't want to overstate how far we are along" in this direction, Struse said. But that capability is likely to emerge in the not-too-distant future, he added. Then, "instead of playing Whac-A-Mole, doing a lot of copying and pasting from one system to another just to stem the tide, the analysts will actually be freed up by having some of the basic tasks automated," leaving more time to look for patterns and tactics, he said.
ES-ISAC uses STIX as the format for recording threat information at that back end, in its database, and is looking into adding the TAXII transport capability. But the electricity sector generally does not have the tools to process machine-to-machine information from ES-ISAC utilizing STIX, and that is a principal distinction between FS-ISAC and ES-ISAC, according to officials with both programs.
Struse did not comment specifically on the relative positions of the banking and electricity sectors. "Each sector has its own set of priorities and own set of challenges," he said. "We continue to try to support the electric sector and energy sector. I'm really hopeful, whether a particular sector is ahead or behind today, over the next few months we're going to see more ... cross-sectoral fertilization" among industries. "This is a pretty fluid and fast-moving environment," he said.
There is a difference in how the two industries fund their ISAC programs. FS-ISAC charges a fee to cover its services. ES-ISAC does not.
As the ES-ISAC operator, NERC has also had to overcome a unique hurdle -- the fear on some utilities' part that disclosing their cybersecurity vulnerabilities will expose them to potential sanctions by NERC, the federally appointed monitor and enforcer of reliability standards for the long-distance grid.
To deal with that concern, NERC trustees approved creating a wall between NERC's ES-ISAC operation and the enforcement side, Harrell said. The two offices may not share information from members.
Harrell said the impact of the change was apparent during a two-day "war games" exercise for grid companies last November that simulated a combined physical and cyber assault on substations and grid control rooms. Some companies held back from contacting NERC during the first of these exercises, GridEx I, in 2011, Harrell said. This time, "the phone was ringing off the hook," he said.
"We were running from fire to fire. Having the amount of folks who reached out to us under duress in a simulated exercise was a welcome change from 2011," he said.
NERC's Mielcarek said about 85 percent of the industry transmission owners and operators and reliability coordinators currently belong to the ES-ISAC, and the portal membership has increased by 16 percent since January.
A survey issued by BitSight Technologies last month praised the electricity sector's security performance in contrast with the health care and retail industries, which got poorer marks. "While the energy industry at large may be more vulnerable to cyber attacks, our analysis reveals that the nation's largest utilities are actually quite good at protecting their public facing Internet assets," BitSight said.
"Similar to finance, the generally positive security performance [for utilities] is likely the result of both executive level focus on cyber risk as well as industry regulation," BitSight said.
"We expected that the utilities and energy companies would be poor performers," said Stephen Boyer, BitSight's chief technology officer. "We heard all the war stories; we knew of a lot of issues. We were pleasantly surprised to see it was not too far behind financial services."
But the report has qualifications, he added. The survey is based on publicly available reports and analysis by cybersecurity defense firms. Because it is limited to the 500 largest U.S. companies, it does not blanket the very wide spectrum of electric power companies. The survey also monitors cyber incursions on Internet-facing networks, and so it does not provide a comprehensive view of potential threats to utility control systems that aren't connected to the Web.
"We don't necessarily know about the control systems," Boyer said.
Like what you see?
We thought you might.
Start a free trial now.