- January 10, 2017
- Posted by: Kerry Tomlinson, Archer News
- Category: Archer News, Cyberattack, Hacking, Industrial Control System Security, Information Sharing, Posts with image, Power Grid
But these “indicators of compromise” may have nothing to do with Russian hacking at all.
All-points bulletin: look for a man in a blue hoodie, 5’10”.
That kind of crime suspect alert might not help you much—you’d probably see a lot of medium-sized guys with blue sweatshirts, and how would you know which one committed the crime?
That’s how generic the Department of Homeland Security and Federal Bureau of Investigation’s recent warning on possible Russian hacking is, according to some cybersecurity experts.
The result, they say, could be confusion, fear and even less security overall.
So far, only one case of the “GRIZZLY STEPPE” clues has come to light—and in a disastrous way.
But there could be many others who have uncovered the information and are trying to figure out what it means and whether they should report it, experts say.
Title of DHS/FBI Joint Analysis Report on Russian hacking.
The DHS and FBI laid out a list of “indicators of compromise”—possible signs of malicious activity—in its report on GRIZZLY STEPPE, the government’s name for Russian-sponsored cyber attacks.
But some analysts said the indicators of compromise were too vague.
“Someone in the government put a lot of generic identifiers on a list of ‘bad things,’ said Ron Fabela, senior threat hunter with cybersecurity company Dragos, Inc.
“It’s the equivalent of saying, ‘Look for a male wearing a blue hoodie, 5’10”,’ with no other information,” said Patrick C. Miller with Archer Security Group, Archer News’ parent company.
Information about indicators of compromise from GRIZZLY STEPPE report.
The FBI recommended in a statement that companies use the information to check their networks for signs of attack.
One utility—Vermont’s Burlington Electric Department—came forward to the federal government, saying it found one of the indicators on an office laptop.
Suddenly, things went sour, and quickly.
“In 60 seconds flat, this story went from a normal office computer finding a potential indicator to the entire ‘power grid’ being hacked by Vladimir Putin and his elite hacker/soldiers,” said Michael Toecker with Context Industrial Security.
Vermont’s Burlington Electric Department Facebook page.
The Washington Post reported that Russia had hacked the U.S. electric grid through Burlington Electric, based on information from unnamed U.S. officials.
Did the small utility serving 20,000 people become an international target?
“You have a public utility going to the Feds for help and to report an issue, and suddenly they are front and center in a national debate about hacking, Russia, and politics,” Toecker said.
The problem is—there was no Russian grid hack, according to Burlington Electric.
“What didn’t work was someone inside the federal government took the information, misinterpreted it, leaked it to The Washington Post, and The Washington Post ran the story without confirming it first,” Burlington Electric General Manager Neale Lunderville told Archer News.
One of the headlines from Washington Post articles about “Russian hacking” of Burlington Electric.
The laptop was an office computer, not a grid operations computer, the utility said.
“The computer was not connected to our grid control systems. It was on the—as we say—business side of our shop,” Lunderville said.
In addition, the supposed evidence of Russian hacking was simply the laptop communicating with an IP [Internet Protocol] address that had at one point been associated with malicious activity, rather than a definitive, current connection to GRIZZLY STEPPE, according to Burlington Electric.
IP addresses change hands frequently, experts say, so it could belong to a legitimate group now.
The Post corrected the story, and Burlington Electric spent more than a week dealing with the fallout.
Corrected headline from Washington Post.
The same kinds of clues most likely showed up in other companies around the country.
After all, the signs were generic, according to analysts. Like a 5’10” guy wearing a blue hoodie.
“How many of those are you going to spot?” asked Miller.
“Are we expected to believe that some number of the 3306 electric providers in the U.S. ran the DHS IOCs [indicators of compromise] and didn’t find this traffic?” said Fabela.
A number of businesses contacted cybersecurity firms, saying they had run the indicators as recommended, found the signs, and were concerned that they had been compromised, the Associated Press reported.
But you may not hear about those findings.
Not willing to share?
Some cybersecurity firms advised that the businesses who found the indicators do further research to make sure there is an actual problem before reporting, according to the Associated Press.
But some small utilities don’t have the luxury of doing extra research or hiring cybersecurity firms, so they have to trust the government’s information, Fabela said.
“Small utilities have to rely more heavily on outside intelligence and because of their limited cyber workforce, cannot double-check everything coming from a supposed authoritative source,” he said.
That could mean some utilities may be choosing to ignore the DHS/FBI recommendations to run and report.
“Either the utilities thought it was too generic to report, or they weren’t looking. Or they were not willing to share,” Miller said. “Or they did share, but their information didn’t leak,”
Their information is not supposed to leak, according to a DHS official who declined to have his name used in this news story.
But the Vermont case may inspire businesses to not report, according to some experts.
“That does not encourage a culture of security-minded companies,” Toecker explained. “It encourages a culture of secrecy and cover-ups.”
“Due to the charged political environment, the reporting of this non-event was leaked and ultimately did damage to the trust between private electric utilities and government agencies,” Fabela said.
For its part, Burlington Electric said it will continue to work with government agencies and advised that other utilities should so so as well.
Burlington Electric alerted its customers via Twitter, Facebook & its website that the grid was not compromised.
Misconceptions about the power grid may have fueled the fire.
“Automatically assuming that the U.S. power grid has been hacked because of malicious traffic seen on a laptop is irresponsible,” said Miller.
“Somehow, no one at The Washington Post recognized the story as a massive leap in plausibility that required due diligence and a questioning attitude,” Toecker said.
Archer News contacted The Washington Post about the incorrect article.
Kristine Coratti, vice president of communications and events for The Post, sent a statement.
“We have corrected the story, prominently displayed the correct information after further reporting, evaluated what transpired, and had the appropriate discussions internally to make sure something similar does not occur again,” the statement said.
The FBI said it would not comment on the situation.
A DHS official told Archer News that the GRIZZLY STEPPE report was designed to help infrastructure owners protect themselves.
“Information sharing is something that both the department and industry owners, private sector, state and local governments work together so we can, as a community, work to protect our networks,” the official said.
Facebook posters commented & joked about the reports of Russians hacking the U.S. electric grid through Burlington Electric.
The Vermont situation may add to the confusion about cyber attacks and the electric grid.
It would be extremely difficult for a cyber attack to cause catastrophic impact to the North American grid on a widespread scale, though it could indeed affect a city or local area, Miller said.
“I think the power grid is misunderstood,” he said. “I think virtually everything cyber is misunderstood,”
“Folks who don’t know about our national electric infrastructure tend to add and reinforce their own assumptions about how it works, and smashing isolated facts together until they fit an existing narrative isn’t an accurate way to portray vulnerabilities and successes,” Toecker said.