The head of the National Security Agency and the U.S. Cyber Command said yesterday that unnamed foreign nations and groups have gained the technical capability to take down control systems that operate U.S. power grids, water systems and other critical infrastructure.
"We have seen instances where we're observing intrusions into industrial control systems," Navy Adm. Michael Rogers told members of the House Select Committee on Intelligence, in the starkest assessment about the cyberthreat to U.S. critical infrastructure made to date by a senior government official.
"What we think we are seeing is reconnaissance by many of those actors in an attempt to ensure they understand our systems, so that they can then, if they choose, exploit the vulnerability within those control systems."
Committee Chairman Mike Rogers (R-Mich.) pressed the NSA director about whether the vulnerability of industrial control systems is a potential or actual threat. "Does that mean they already have capability to flip the switch if they want to?" the congressman asked.
"There shouldn't be any doubt in our minds that there are nation states and groups out there that have the capability to do that," the admiral responded, "to shut down or stall our ability to operate our basic infrastructure, whether it is generating power across this nation, or moving water and fuel."
"We have seen individuals loose inside of critical U.S. infrastructure, that has a presence that suggests that there is a vulnerability that others want to exploit," he said. "All of that leads me to believe it is only a matter of when, not if, we are going to see something dramatic."
Michael Assante, former chief security officer of the North American Electric Reliability Corp., the U.S. grid security monitor, noted that the admiral's warning followed discoveries this year of a series of highly sophisticated penetrations of industrial control systems.
"It is an incredible admission by a sitting official," said Assante, a director of the Sans Institute, a cybersecurity training organization. "It is a new level of discussion."
"He basically is saying they [cyber adversaries] have found the time and opportunity to get footholds on control systems networks." If an infrastructure utility has been targeted by advanced cyberattackers, first-generation cyber defenses cannot be depended on to work, he said.
"They learn how to modify malware, to hide it, to test it to make sure they can get under your radar," Assante said in an interview.
Adm. Rogers and Chairman Rogers seemed to be completing each other's sentences yesterday in spotlighting the cyber hazard. Rep. Rogers and his committee members expressed frustration that the bipartisan cybersecurity legislation that has passed the House has not been allowed to reach the Senate floor for a vote.
The NSA director's message may have been aimed at the other side of the Capitol, and Rep. Rogers' comments clearly were.
"We are watching the threat grow and spread. Attacks have hit the State Department and the White House. The danger is not waiting," the congressman said. "So what's the full Congress waiting for?"
The Department of Homeland Security has begun holding secret briefings for energy company leaders to highlight "ongoing" cyberthreats to control systems, security experts said last month.
The DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has scheduled about a dozen meetings at FBI field offices across the country to discuss the Havex malware family and the recently discovered BlackEnergy cyberthreat, sources say (EnergyWire, Oct. 31).
"They have two case studies of targeted ICS campaigns to brief to participants -- that's huge," said Robert Lee, in an interview with EnergyWire. Lee researches critical infrastructure cybersecurity at King's College London and is familiar with ICS-CERT's activities. "You have two campaigns that are going on almost back to back: this Havex malware campaign bumping up right next to what's happening with BlackEnergy."
A DHS spokesman declined to discuss the briefings.
ICS-CERT has issued alerts on two cyberthreats to control systems this year: the Havex malware -- also known as Dragonfly or "Energetic Bear" -- and, in an alert last month, the BlackEnergy criminal malware (EnergyWire, July 8).
The Havex malware represented a new escalation of attack sophistication, experts said: it gained entry by targeting company personnel and then hid itself within the target's system so it could inventory operating structures, access pathways, internal commands and controls, and other strategic internal parts of the system architecture. "The hackers have one thing in mind: gaining access and setting up the command-and-control channel," Assante said in a previous interview.
"Havex, Sandworm, BlackEnergy -- it's pretty eye-opening that people have been developing specific tools and delivery methods to get into the control systems," Assante said.
The attacks expose a very troubling weakness, Assante said. There is a critical time period when the attack malware may be detected as it is establishing itself. But then it may go dormant and disappear from the target's view. Too many companies aren't imposing around-the-clock scrutiny of their own operations to look for anomalous behavior when the attacks may be discerned.
"We're not ready for this. We're not looking," Assante said.
"Those control systems are fundamental to how we work," the NSA director told subcommittee members yesterday. "They are foundational to almost every network [central] to our life, from our water, to our power, to financial" networks.
Once installed in a control system, attackers may operate like trusted insiders, he added. "If I want to tell power turbines to go offline and stop generating power, you can do that. If I wanted to segment the transmission system so you couldn't distribute power ... this would enable you to do that."
Asked specifically about cyber offensives originating in China, Adm. Rogers would not name any countries, but he added, "There is more than one nation-state out there that we watch that we believe has that capability" to attack control systems. Russia, Iran and North Korea are also potential threat actors, experts say.
"We see them doing research in this area. We see them attempting to steal information on how our systems are configured," Assante said, including specific information "down to the engineering level of detail so they can work out the vulnerabilities in how they are constructed."
The Cyber Command detects state actors trying to obscure their "fingerprints" on attack malware by employing cyber crime groups as surrogates, he said. "That suggests to us that increasingly in some scenarios you're going to see linkages between nation states and some of these groups. That is a troubling development."
Adm. Rogers was asked by Rep. Jim Himes (D-Conn.) about the prospect for agreements among China and other nations with advanced cyber capabilities to define and limit the boundaries of cyber incursions.
"I'm obviously worried that in the absence of such agreements or norms, it may take a catastrophe and retaliation to a catastrophe to force people to the table," Himes said.
Rogers said he strongly agreed. "There doesn't seem to be a sense of risk among nation states and groups and individuals ... that you can just do literally almost anything you want and there is no price to pay for it.
"We have got to develop, I believe, a set of norms or principles. ... Absent that kind of thing, being totally on the defensive is a very losing strategy," he said.
He said the White House has drafted a set of limits as negotiating points, including protections for hospitals and critical infrastructure.
"We need to define what would be offensive, what would be an act of war. Those are all issues we're trying to come to grips with right now," Rogers said. "And in the absence of any current definition ... we're trying to guess how far things are going to go. That is not a good place for us to be."