The taxonomy of cybersecurity often includes alarming declarations on par with acts of war. But cyber campaigns outside of active conflict hardly meet such a coercive threshold. While there are major concerns over the cybersecurity of the nation’s critical infrastructure – the power grid, water treatment plants, transportation hubs, energy production, and even election systems – it is important to add nuance to the discussion. The Cipher Brief’s Levi Maxey spoke with Robert M. Lee, a former Cyber Warfare Operations Officer in the U.S. Air Force who founded Dragos, an industrial cybersecurity company that investigated the allegedly Russian cyber attacks on the Ukrainian power grid, about where cyber operations turn from mere intrusions to disruptive attack with physical consequences and what to look for should nations seek to disrupt the critical assets that their target societies depend on.
TCB: People often refer to Ukraine as a Russian test-bed for cyber operations. What is the evolution of cyber attacks in Ukraine?
Lee: Generally we are looking at crime and espionage in the cyber realm. But sometimes it does escalate to the point where we do see an attack. But the idea that we are going to see visible, tangible nation-state attacks in this space outside of conflict zones is pretty misleading. When you look at nation-state attacks, it really tends to be in conflict zone centers. So you might expect to see attacks between North Korea and South Korea or Taiwan and China, or in Iraq and Afghanistan. We see things between the U.S. and Iran in the same way we see it between Russia and Ukraine.
In Ukraine, there are patriotic hackers supporting the Russian government – or at least acting in a way they perceive to be in support of the Russian government, though not dictated by the government. We also see what appears to be sanctioned activities coming from the Russian government targeting civilian infrastructure. Most notably, of course, are the 2015 and 2016 attacks against Ukraine’s power grid.
We have long talked about cyber attacks on power grids, but before Ukraine, we had never seen a public cyber attack actually take down portions of the grid. We heard rumors, but there is no real tangible proof at any other time in history that we have seen, and many of the other cases were debunkable hype. But in the Ukrainian case, we actually saw it happen. We saw adversaries break into three power companies in Ukraine over the course of six months, and in that time they learned how to leverage the electric grid infrastructure as if they were insiders and disrupt the power.
The attack really resulted in a power outage for only about six hours – but not because the attackers couldn’t do more – maybe they could have. Rather, the Ukrainians went back to what is known as manual operations. They pushed away from computer technology, or what is commonly referred to as supervisory control and data acquisition (SCADA) systems that run the electric grid, and instead started manually interacting with the circuit breakers at the substations to get power back on. That is not something that scales well.
There are two important things to note about the attacks. First, there was a component of the attack that didn’t fit with the rest of it. The actual attack disconnected upwards of 60 substations from the grid, and these were distribution level: local village and town substations.
But exactly one of them was done differently. In this case it wasn’t done through the actual manual distribution system – it wasn’t disconnected like the others. Rather it was a remote command that was sent from the adversary’s networks to disconnect the substation, which appears as a completely legitimate network communication – essentially making it a SCADA hijack.
The only legitimate reason to conduct only one attack differently is testing. When considering an industrial control system (ICS) attack, one step is always testing. There are physical engineering processes that you have to account for, and so you need to be able to test. But with something as complex as the electric grid, it is not possible to just set up a test site in your home or government offices.
As it was considered to be a test, it was expected there would be a follow-on attack at some point. Then in 2016, it was revealed that the second attack leveraged a piece of malware that had learned and codified electric grid operations by using the legitimate network protocols we saw in the first attack. The two events were clearly linked.
TCB: What was the public response to the 2015 attacks on Ukraine’s power grid?
Lee: At the time of the first attack, no senior level policymakers came out and condemned the attack – not in the Obama Administration, or in Western countries. Forget attribution. Attacking civilian infrastructure is definitely crossing the line. We have complained for 30 plus years now that civilian infrastructure should be off limits, we have had discussions and all sorts of pleasantries, but when it actually happened, nobody said anything.
Then the 2016 Ukrainian power grid hack happens and it’s a malware called CrashOverride – basically a framework to be able to scale what was done and it is immediately usable all throughout Europe. It would need some very slight tailoring to work in the U.S. power grid, but it is an escalation. We see a capability that is not designed just for the localized conflict in Ukraine, but something that can impact others around the world. And whether or not adversaries ever use it, that tradecraft is now public for anybody to adopt. And yet, we didn’t see any senior government level officials nor the Trump Administration coming out specifically to condemn the attacks.
TCB: There were reports of intrusions into the back offices of a U.S. nuclear facility. Could you explain why this might be worrying, but not necessarily as alarming as the attacks on the Ukrainian power grid?
Lee: In Ukraine we saw actual disruption of electric grid operations. In the U.S. and some parts of Europe, they are calling this new wave of intrusions “attacks” inappropriately. There are no attacks taking place. It doesn’t mean we should ignore it, but we should use the right taxonomy. When you look at intrusions or adversary attempts to break into civilian infrastructure, it is almost always concerning. It is an impressive act that really has no legitimate value to foreign adversaries other than positioning and scaring people.
What happened here are intrusions – what we would commonly refer to as a stage one ICS campaign. The first stage is just breaking into systems like the business networks – which was the case here – and siphoning off information. To pivot to stage two, you need to steal the kind of information that would be useful for actually creating an attack. So the fact that the adversaries are stealing passwords and user information from the network is, again, concerning, but it is not alarming. Why? Because we would expect to see engineering documents, integration documents that give insight into the actual physical process being stolen to begin preparation for stage two.
It is a myth that there is an “air-gap” between everything, but that myth actually holds true in the case of nuclear plants. In electric energy you’ll have a connection, and while it’s not trivial to jump the air gap in business and industrial networks in most cases – it is doable, including in the American electric infrastructure. But it is exponentially more difficult when you are talking about going from business to industrial networks at nuclear plants, because those are actually disconnected networks.
So why would I be concerned about this? Simply because it is an aggressive action on the heels of attacks in Ukraine where we have seen people cross the line. For that reason it deserves attention. But does it deserve fear or calling it an attack? No, that is simply fear mongering and hype to drive an agenda.
If we are not going to take actual power grid attacks seriously in Ukraine, then I don’t want to see policymakers complain about phishing emails to the business networks of the electric sector.
TCB: But could it migrate to the plant’s isolated networks similar to how Stuxnet moved into the Iranian nuclear facility at Natanz from contractor back offices?
Lee: In Stuxnet there was a very human component to the operation. There is also an interesting contrast here. When you look at the Stuxnet case, you had two world powers – reportedly the U.S. and Israel – focus a lot of attention on one site, Natanz. No industrial infrastructure is the same as others; even with the same vendors and equipment, there is a different physical process behind it. So if you really wanted to attack a facility, you have to put a lot of focus on just one or two locations. The more far reaching a campaign is, the less concern I have of it quickly pivoting to the attack stage, as it is likely just general target-building and espionage. When I see 14 plus sites in the U.S. getting targeted, maybe it’s just a new operations team that got activated in some foreign country and are trying to build their target portfolios. Maybe there is also an agenda as well around scaring politicians. But if I see only one breach of infrastructure, or just a handful coming from a foreign power, and they start stealing things like engineering documents, that’s when I get concerned because now they have an actual ability to attack.
TCB: Regarding policy to protect critical infrastructure, what seems to be going well and what can the U.S. government do better moving forward?
Lee: As far as the federal government is concerned, regulations set up years ago have considerably made the American power grid better off today than it was before. We have a much more secure grid. That being said, we are now getting to a point where regulation is stagnating for innovation and people need to start thinking about new approaches. Plus, you simply can’t regulate away foreign powers.
But there are also two other large issues. First, it is not just about the power grid: there are a lot of interdependencies between infrastructures. We need to take lessons learned from what the power grid has done and apply it to other industries.
Second, there is a belief that Washington has more control over civilian infrastructure than it actually does. They argue that when an attack happens, they are going to take control of the power grid. Generals and base commanders often ask how they can protect the grid near their bases. The simple answer is that they can’t – it is civilian infrastructure and they are not going to deploy army units into a substation when a cyber attack happens. It’s just not realistic.