Move over, election hacking. The Russians have also infiltrated our electric utilities' control rooms. According to CNET:
The hackers -- working for a state-sponsored group previously identified as Dragonfly or Energetic Bear -- broke into utilities' isolated networks by hacking networks belonging to third-party vendors that had relationships with the power companies, the Department of Homeland Security said in a press briefing on Monday.
It sounds like the Russians didn’t have to get too creative. They used spearphishing emails to entice someone to click on a link, and the third parties involved appear to have used minimal access controls, as Joe Kucic, CSO at Cavirin, explained to me in an email comment:
The hacking occurred via third-party networks that had access to U.S. Utilities ICS Networks. The spearphishing e-mail attack would have gained access to the third-party individual’s computer that could have been used to direct the attack to the utilities. Again, if appropriate multi-factor authentication controls were in place, as per the NIST guidance, then the attack would have failed to breach into the Utilities environment.
Using third parties as a way into larger, more influential targets continues to be a growing threat – just take a look at a few of the security incidents that occurred in the first half of 2018 because of a third-party security flaw. And more often than not, it is the large organization that takes the reputational hit (I’m sure you all remember the Target breach, but can you name the vendor from which the incident originated?).
Compromised credit card data, while a serious crime, is small potatoes compared to a threat to our critical infrastructure. This recent revelation should be a warning sign to enterprises to ensure that their vendors are on top of good security practices, but also to vendors to improve their own internal security. (And don’t forget the trickle-down effect – while your company may use vendor A, vendor A is working with vendors B and C, and so on, and a phishing attack on any one of those vendors could result in a breach further up the chain.) As Fred Kneip, CEO of CyberGRX, said in an email comment, when you are working with third parties, you are in a race with hackers. He added:
You need to be able to identify vulnerabilities within your digital ecosystem before attackers do. If they beat you just once by finding a single exploitable weakness within a single vendor, supplier or contractor, the results can be catastrophic.
It’s vital to be proactive about potential breaches, and that means knowing which of your vendors may have weak security controls before they – and you – are exploited.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba