Cyber Attacks and Risk Mitigation in Critical Infrastructure

Critical infrastructure is a term used by the government to describe assets that are essential for the functioning of a society and economy (think oil and gas, water, electricity, telecommunication, etc.). According to the Department of Homeland Security, there are 16 sectors of critical infrastructure. In the past few years, we’ve seen attacks on departments of transportation, cities, and other network infrastructure that are prompting many cyber security leaders to pay closer attention to their readiness strategy and risk management. With the threat of cyberattacks against public and private sector infrastructure on the rise, it is important to understand the history of these attacks, as well as what critical infrastructure cyber security professionals can do to protect themselves against them. Today, we are going to focus on three sectors: oil and gas, energy and electricity, and transportation.

Oil & Gas Cyber Security

Much of how we live and work is dependent upon the energy produced from oil and gas production, including cooking, heating/cooling, driving, and use of electronic devices and appliances. There have been several successful attacks on this industry already:

  • One of the most famous noted attacks came in 2010 with Stuxnet, a malicious computer worm used to hijack industrial control systems (ICS) around the globe, including computers used to manage oil refineries, gas pipelines, and power plants. It reportedly destroyed a fifth of Iran’s nuclear centrifuges. The worm was delivered through a worker’s thumb drive.
  • In August 2012, an unauthorized user with privileged access to one of the world’s leading National Oil Companies’ (NOCs’) computers unleashed a computer virus called Shamoon (disk-wiping malware). This virus erased three quarters (30,000) of the company’s corporate personal computer data and resulted in an immediate shutdown of the company’s internal network.
  • National Security Authority Norway said 50 companies in the oil sector were hacked and 250 more were warned to check their systems, in one of the biggest hacks in Norway’s history.
  • Ugly Gorilla, a Chinese attacker who invaded the control systems of utilities in the United States, gained cyber keys necessary to access systems that regulate flow of natural gas. In January 2015, a device used to monitor the gasoline levels at refueling stations was remotely accessed by online attackers, manipulated to cause alerts, and set to shut down the flow of fuel. Several gas-tank-monitoring systems suffered electronic attacks thought to be instigated by hacktivist groups.
  • In December 2018, Sapeim fell victim to a cyberattack that hit servers based in the Middle East, India, Aberdeen and Italy.The attack led to cancellation of important data and infrastructures.

Energy & Electricity Cyber Security

While we may not think of the energy sector as being a large cyber vulnerability, it is not only of intrinsic importance to a functioning society but necessary for all other sectors that make up the nation’s critical infrastructure.

There are not many documented cases of a successful power grid attack but that doesn’t mean they don’t occur! The first known instance taking place on December 23, 2015 in Ukraine. Hackers were able to compromise information systems of three energy distribution companies in the Ukraine and temporarily disrupt electric supply to end customers. A year later, Russian hackers targeted a transmission level substation, blacking out part of Kiev.

Although there may not be many examples of historical energy utility hacks, these kinds of attacks are no longer a theoretical concern. In 2014, Admiral Michael Rogers, director of the National Security Agency, testified before Congress that China and other countries likely had the capability to shut down the U.S. power grid. An adversary with the capability to exploit vulnerabilities within the electric utility silo may be motivated to carry out such an attack under a variety of circumstances, and it seems increasingly likely that the next war will be cyber.

Transportation Cyber Security

Via plane, train, or automobile, the transportation sector supports nearly 10 percent of the U.S. GDP (gross domestic product), which includes monetary value of all goods and services produced within the United States. Over the past couple of years, the industry has grown in operational complexity with logistical chains, production, facility and manufacturing partners and plant management. As a result of this growth, it has become an even more alluring and accessible hacking playground for cybercriminals. There have been a few noteworthy attacks on this silo of infrastructure in the last few years:

  • Maersk: Petyamalware variant infected the IT systems of the world’s largest shipping company with 600 container vessels handling 15% of the world’s seaborne trade in June 2017.
  • LOT: A Polish airline canceled 10 flights due to an attack against the airline’s ground computer systems at Warsaw’s Okecieairport in June 2015.
  • Jeep Cherokee: A coordinated attack in 2015 by Charlie Miller and Chris Valasek demonstrated the ease by which a connected car can be remotely hacked into, in this case, using Uconnect.

 

You can see that attacks on these silos of industry have already begun (and show no signs of stopping) and we need to be prepared for what the future holds. To mitigate cyber attacks and protect critical infrastructure against looming threats, teams need to be prepared to address all possible scenarios that can occur on said attack surface in order to effectively protect and defend IT and OT critical infrastructures.

Reducing Risk in Critical Infrastructure Cyber Security

Project Ares® cyber security learning platform can prepare cyber teams with the right skills in immersive environments that emulate their own IT and OT networks to be most effective. In fact, there are exercises within the cyber range platform that have players detect threats on a water treatment plant and in an oil and gas refinery. It is designed for continuous learning, meaning it is constantly evolving with new missions rapidly added to address the latest threats in any critical infrastructure sector. Further, targeted training can be achieved from the library of battle room scenarios to work on specific skill sets like digital forensics, scripting and Linux.

Training in cyber ranges is a great way to foster collaboration, accountability, and communication skills among your cyber team as well as cross-departmentally. Persistent and hands-on learning will help take your cyber team to the next level. Benefits of this kinds of learning include:

  • Increased engagement – by keeping learners engaged they are able to stay focused on the subject matter at hand
  • Opportunities to close gaps immediately – instant feedback, instruction, and critique make it easy for learners to benefit from interaction with the instructor and peers and immediately implement this feedback to improve
  • Risk mitigation and improved problem solving – hands-on training allows learners to master skills prior to working in real-world environments. People can work through tough scenarios in a safe training environment – developing problem-solving skills without risk.

By placing the power of security in human hands, cyber security teams can proactively improve a company’s ability to detect cyber-related security breaches or anomalous behavior, resulting in earlier detection and less impact of such incidence on energy delivery, thereby lowering overall business risk. Humans are the last line of defense against today’s adversary, so prioritizing gamified training for teams will foster the level of collaboration, transparency, and expertise needed to connect the dots for cyber security across these critical infrastructure sectors.

Photo by Ian Simmonds on Unsplash

Kickstarting Your Cyber Security Career Path

Jumpstarting a new cyber security career path can feel like a daunting initiative, however, it may be more attainable than you think. By utilizing online cyber resources and persistent learning exercises, you can start learning everything you need to know to understand career options and land your dream job.

Virtual machines and digital libraries are great places to start on your cyber learning journey. A virtual machine is a software program or operating system that exhibits the behavior of a separate computer and is capable of performing tasks such as running applications and programs like a separate computer. This enables you to create multiple independent VMs environments on one physical machine and it aids in detecting things like malware and ransomware attacks. A digital library is an online platform that offers a diverse collection of cyber security learning objectives, along with an online database of digital materials like videos and reports.

Here are some resources that can help you pursue a career in cyber security:

  • Oracle VM VirtualBox – this powerful virtualization product is for enterprise as well as home personal use. This is the best VM for home users and can be run on a multitude of operating systems.
  • Kali Linux – this is an open source tool used in information security training and penetration testing services. Kali Linux is one tool available for use in our Project Ares platform for offensive skill building and practice.
  • Security Onion Virtual Machine – this free and open sourced Linux distribution aids in intrusion detections, enterprise security monitoring, and log management. Security Onion is also available in Project Ares.
  • Flare Virtual Machine – a freely available and open sourced Windows-based program that offers a fully configured platform with a comprehensive collection of Windows security tools.
  • Cybrary – this community based digital library gives you the ability to collaborate in an open source way and create an ever-growing catalog of online courses and experiential tools to learn all things cyber security from offensive, defensive and governance.
  • Clark Cybersecurity Library – a digital library that hosts a diverse collection of cyber security learning objectives from Intro to Cyber to Adversarial Thinking. It is a high-quality and high-availability repository for curricular resources in the cyber education community.

From entry level positions to cyber security professionals, digital libraries help in understanding cyber concepts and virtual machines allow learners to apply and hone cyber skills that security professionals use on the job such as risk management, information systems security, and network security.

To complete your well-rounded cyber education, pairing these tools with hands-on practice in cyber range like Project Ares is key.

Circadence’s own Project Ares uses gamified cyber range learning environments to emulate immersive and mission-specific network threats for a variety of cyber security work roles and job titles. The Project Ares platform is constantly evolving with new battle rooms and missions to address the latest threats and includes targeted training scenarios to learn specific skillsets. This platform also offers digital badges in its Academy license, which represent credentials that can be used to indicate a variety of accomplishments and skills. These are a great way to show a prospective employer just how much you’ve taught yourself about cyber security (and you can add them to your social profiles so prospective employers can see your skills)!

From concept learning to skills application, gamification paired with persistent, hands-on training in virtual environments is an ideal approach to understanding the ins and outs of complex cyber networks and how to recognize potential vulnerabilities in today’s evolving threat landscape. Pairing Project Ares with any of the aforementioned resources is a sure-fire way to kick off your cyber security career and prepare for security certifications!

Photo by Andras Vas on Unsplash

Microsoft Azure Government Secret Helps Enhance Cyber Training

Across the board there’s been a push from a policy perspective to get into secure cloud environments that provide organizations with the on-demand and protected availability that they need to improve business processes. Azure Government Secret is a cloud solution that delivers comprehensive and mission-enabling cloud services to US Federal Civilian, Department of Defense (DoD), Intelligence Community (IC), and US government partners working within Secret enclaves. It can also have global implications for how cyber defenders prepare for tomorrow’s threats.

The April 2019 announcement of Azure Government Secret enables Circadence to deliver Project Ares to similar defense industry partners in support of their cyber training and readiness missions. Having the power of the Azure Secret cloud infrastructure behind Circadence is necessary to deliver infinite cyber range scalability for gamified training and learning opportunities to defenders across the globe who need specialized security and scalability in training programs.

As cyber threats grow more frequent and more malicious, it is mission critical to government cyber protection teams to have the flexibility and accessibility to scale training to their needs, with limitless opportunity for enhanced cyber preparedness. The persistent, gamified training and frontier learning that occurs in Project Ares, coupled with this new level of secure cloud, enhances the protection of the nation’s most critical digital assets and will undoubtedly contribute to our overall national security.

VP of Global Partnerships Keenan Skelly tells us how it helps improve cyber training today.

“Our partnership with Microsoft Azure allows us to build infinitely scalable cyber ranges to do cyber exercises and trainings,” said Skelly.

With the help from Microsoft Azure Government Secret cloud, Circadence can continue to evolve cyber training solutions that help today’s elite, DoD cyber security professionals anticipate, prevent, and react to threats more efficiently and effectively. In doing so, we are proud to contribute to a world-class security culture that proactively protects our most critical assets and our people.

The Future of Cyber Security in the Wake of Standardized Workforce Development

The implications of the Executive Order on America’s Cybersecurity Workforce and what it means for cyber workforce development going forward

The White House recently issued the Executive Order on America’s Cyber Security Workforce. This forward-looking executive order aims to close the cyber security skills gap and increase the number of cybersecurity professionals working in the field. This is a huge need for our critical infrastructure, national defense and modern economy. We are bound to see some changes across the industry with the passing of this bill. Although we don’t have a crystal ball to see the future, there are some implications we anticipate for the cybersecurity industry overall.

Improved Global Security from Nationally Recognized Standards

The executive order encourages widespread adoption of the cyber security workforce framework created by the National Initiative for Cyber Security Education (NICE). The use of the NICE framework will create some national standards in the industry and allow for more qualifying leverage. This will provide evaluation requirements used in contracts for IT and cyber security services.

Prioritizing Cyber Workforce Diversity

According to Cyber Security Ventures, there will be up to 3.5 million job openings by 2021 and currently, females represent less than 12% of the global cyber security workforce. This stat is crazy! To keep pace with sophisticated adversaries and develop technology that supports human cyber operator decision making, diversity of thinking and skill and approach should be a hyper-focus for the security industry.  Women are well suited for, and extremely talented at, technical fields such as information security, security engineering, and AI engineering; however, recruiting and retaining women in these fields is not where it needs to be. There is a long-standing stereotype that cybersecurity is too technical for women and that’s not the case. There are many critical skills that women bring to the table including an incredible attention to detail, problem-solving, and communication skills that are as important in cyber work as the technical know-how. Groups like Cyber Patriot, Girls Who Code, and more recently Women’s Cyberjutsu are wonderful organizations that inspire young girls and women to pursue careers in cyber and technology.

The aptitude for cyber security lies not only in the technical fields, but can also be found in many unexpected disciplines. Some of the best cyber defenders started their career out doing something completely different. We need this type of diversity and people with different backgrounds to join the industry. We need to improve thinking and skill, both technical and critical thinking skills to combat today’s adversaries.

New Methods of Cyber Security Training

In developing the workforce, we need to be cognizant of the need for new methods of training that inspire the next-gen learner. The traditional ways of learning in a classroom have worked in the past, but there are a lot of statistics that show traditional classroom settings alone aren’t the most effective in terms of applied skill preparedness and learning retention. Studies on the effectiveness of traditional classroom settings show that students lose  40% of what they’ve learned after 20 minutes and between 50 – 80% of what they’ve learned after one day, and 90% of what they’ve learned after six days.

Gamified learning approaches are currently being adopted federal agencies, banks, oil and gas and other infrastructure organizations as well as academic institutions such as the University of Colorado,  Divergence Academy, and Loudoun Public Schools. This form of active learning generally includes on-keyboard activities along with team collaboration and applying concepts to real-world scenarios, which has shown to improve retention to 75% compared to 5% through more passive learning methods like lectures with PowerPoints. Recently, a graduate student at the University of Colorado shared his experience after he played one of the cyber games in Project Ares, Circadence’s flagship learning platform. He mentioned that he liked the feeling the game created of a sense of impending danger from the robots and that made him think better and learn more as he worked to defeat them.

Pursuing ‘Cyber as a Sport’ to Capture Talent

We embrace the idea of “cyber as a sport” believing cyber security skill building can and should be fun, like sports. Cyber competitions are a great way to encourage skill-building plus they bring attention to the industry. These kinds of competitions should be happening from early school age (Girls Who Code), through high school (Cyber Patriot), and university (NCCDC), and then throughout the professional career. Competition categories can include individual and team-based events, software reverse engineering and exploitation, network operations, forensics, big data analysis, cyber analysis, cyber defense, cyber exploitation, secure programming, obfuscated coding and more.

Wicked6 Cyber Games, cyberBUFFS, SoCal Cyber Cup, and Paranoia Challenge are several examples of events where students can engage in healthy competition and skill-building among peers in an active, living lab setting. Circadence’s gamified training platform, Project Ares is used as the platform to deliver the competitive exercises though its immersive, gamified cyber range.  Realistic scenarios challenge players in mission-specific virtual environments using real-world tools, network activity and a large library of authentic threat scenarios.

Without continued effort to increase the cybersecurity workforce, our critical infrastructure, national defense and modern economy will be jeopardized.

The publication of this Executive Order is an indication that government is ready to proactively address our very serious cybersecurity challenges and is looking to new ways of training and skill building to meet the demands of today’s workforce.

To keep organizations better protected in the wake of digital transformation, legislative progress like this is a significant stepping stone to alleviating the industry’s largest challenges.

3 Ways to Prevent Cyber Security Election Interference

Voting is the crux of what we refer to as an American Democracy. Since the 2016 elections in the United States, numerous reports have cited concerns of vulnerabilities in the voting ecosystem, detailing attempts of foreign interference by organizations such as the Russian government to exploit election results with pervasive cyber attacks.

To assist in securing critical infrastructure and preventing cyber attacks, Congress provided federal funding under the recent 2018 Consolidated Appropriations Act Election Reform Program, authorized by the 2002 Help America Vote Act (HAVA). This funding grants states additional resources to make improvements in election cyber security.  Failure to negate election interference will only perpetuate future cyber attacks, which will lower voter confidence in the democratic process and impact on voter turnout.

Now more than ever, election security officials need to revisit their voting systems to leverage this newfound funding and better secure the human element that often causes cyberattacks. While the cyber attack surface of election systems is extensive due to the more than 8,000 jurisdictions in counties, states, and cities that maintain election infrastructure, there is one constant in the elections security system that can be leveraged—humans. With individuals and teams informing the entire voting process from voter registration to casting votes to reporting outcomes and auditing, humans are a key part in managing and directing both digital and manual processes.

If election security professionals can be better trained to understand how to stop cyber attacks using their own tools in emulated environments, the state of election cyber security will be greatly improved.

We’ve detailed three ways for election security officials to upskill their cyber security teams in spite of the variability in equipment and process.

1. ADOPT A CONTINUOUS LEARNING APPROACH TO ELECTION CYBER SECURITY  

In previous Circadence blogs, we’ve shared the benefits of a continuous learning approach, and there’s a reason for it—if cyber teams cannot keep pace with evolving adversary techniques and tactics, they won’t know how to stop them from causing mass damage. Learning basic cyber skills as well as how adversaries are using social engineering to influence election campaigns will help state, local and government election officials be better prepared to identify and respond to cyber attacks on voting systems.

Unfortunately, there have been documented instances of untrained personnel who have knowingly and unknowingly jeopardized the security of elections thus far. Notably, one of the first cryptic signs of cyberespionage came when a Democratic National Committee (DNC) help desk contractor ignored repeated calls from the FBI who were reporting a cyber threat from a computer system hack conducted by a Russian group referred to as “the Dukes28.” The article notes the contractor “was no expert in cyber attacks,” and couldn’t differentiate the call from a prank call.

Fortunately, with the passing of the Election Reform Program, now is the time for election cyber security professionals to dedicate the resources necessary to address all aspects of cyber security that affect a strong cyber posture. This includes:

  • having the proper equipment and security protocols in place
  • employing a trained team who can identify and combat threats quickly
  • deployment of cyber resilience when attacks do occur, and much more.

2. ANALYZE PREVIOUS ATTACKS TO UNDERSTAND ADVERSARY TECHNIQUES  

It is insufficient to solely analyze the specific cyber attacks from the past few years, but it is still important to see and understand the tactics and vulnerabilities exploited, particularly since electronic voting machines are not upgraded often. Two cyber attack groups, Fancy Bear and Cozy Bear are worth investigating further since their methods have been analyzed in detail already. From using fake personas to deliver stolen emails and documents to journalists, to the use of malware and spear-phishing, adversaries were able to access an operational infrastructure, implant the agent and encrypt communication to silently exfiltrate data remotely.

Understanding adversary techniques like this can inform how cyber teams train for future cyber attacks. Election officials can begin to assess the skill level of their teams and all involved in the election process to get a sense of their capabilities and how they would approach a “Cozy Bear 2.0” for instance.

3. PARTICIPATE IN OR HOST TABLETOP AND LIFE FIRE EXERCISES  

Recently, Circadence used its Project Ares platform to help the City of Houston simulate a realistic cyber attack exercise to help public and private entities better prepare for an attack scenario. Emergency response simulated a cyber attack on transportation, energy, water, and government sectors while senior leaders worked directly with technical professionals to develop timely responses.  This type of collaborative approach could be undertaken in every voting jurisdiction to test election systems.

There will always be risks, but cities and counties are realizing that the key is getting ahead of the cyber attack and to develop effective cyber readiness policies and procedures, realistic virtual training environments can help. Running through these cyber exercises with multiple players helps leaders see apparent gaps in offensive and defensive techniques while reaffirming the practices that must take place to secure any type of infrastructure.

As election security officials plan for new ways to leverage the HAVA Election Security Fund to improve processes, they will be pressed with justifying expenditures while also demonstrating that said security measures have indeed improved. The above recommendations will make elections safer and likely contribute to the restoration of public confidence in our democratic process.

The more focus election security officials place on upskilling their cyber teams with 1) continuous learning approaches, 2) analyzing past cyber attack methods, and 3) participating in realistic training events, the more effectively they reduce human error as a dominant source of cyber attacks.

To learn more ways to prevent election cyberattacks download our whitepaper “Protecting Democracy from Election Hacking.”

DOWNLOAD WHITEPAPER

Common Cyber Security Issues and Challenges

We’re taking a 30,000-foot view of cyber security to understand the state of the industry from an enterprise perspective and share some common challenges faced by diverse industries. Doing so provides infosec leaders insight into how challenges emerge in their workplace and potentially a sense of relief knowing their industry (and themselves, as professionals) are not alone in this struggle.

Cyber security remains dynamic and turbulent as businesses and technologies grow in complexity and hackers become more sophisticated. There is much discussion regarding the need to increase cyber security spending to expand cyber teams to cover more ground. And, we know that many businesses lack confidence in their current cyber readiness, due in part to many of these common challenges detailed below.

Lack of qualified cyber security experts

Finding cyber security professionals who possess specific technical skill sets is an uphill battle for many infosec leaders who are trying to grow and expand their cyber teams. According to Harvard Business Review, one of the main reasons is that businesses tend to look for people with traditional technology credentials instead of individuals possessing a wide variety of professional and technical skills. As attacks get more sophisticated varied skill sets of both technical (forensics, network analysis, malware detection) and professional (communication, problem-solving, analysis) will be required to combat them effectively, so leaders would be wise to expand their talent searches to include more diverse skill sets moving forward.

Lack of structured upskilling among talent

Senior staff often have a significant advantage over newer hires because they understand the ins and outs of their company. However, simply because they have advanced in their careers, they are not necessarily the most effective when trying to teach junior staff new skills and approaches to cyber security since conducting effective training is often a full-time job itself. Concurrently, it is difficult for IT professionals to consistently remain up-to-date on best practices across all aspects of cyber security. The 2019 IT Security Employment Outlook report and many other resources note a 3 million staffing gap in cyber positions. Skills needed include the ability to identify key cyber terrain and risks, protect organizational assets and data, detect unauthorized access and data breaches, respond to cybersecurity events and attacks, and recover normal operations and services. Investing in consistent, structured, measurable training to upskill existing team members is an effective way to assess and combat these deficiencies. 

Staff retention and fatigue

Since many organizations do not have the proper resources to alleviate heavy workloads and to effectively combat cyber threats, information security employees are often fatigued from long hours, immense pressure, and unreasonable workloads. These issues contribute to dissatisfied employees and high attrition rates across the industry. All of these issues taken together pose a serious problem because organizations that are trusting their security to a fatigued and undermanned or under-skilled cyber team is ultimately a threat to us all. CSO magazine recommends that companies assess “the state of mind of key staff members, create work schedules to rotate personnel off the front lines, and provide the right levels of support, stress relief programs, and career counseling.” 

Combating common cyber security challenges

These challenges are daunting and exist across many industries, keeping many infosec professionals up at night. Fortunately, by expanding the pool of candidates for positions by looking for more diverse skill sets, investing in immersive cyber security training, and understanding the state of mind of key staff members including monitoring their level of job satisfaction and fatigue, firms can more effectively combat these common challenges.