Monday, October 23, 2017


Last week I attended and spoke at the North American Electric Reliability Corporation (NERC) GRIDSECCON – electric grid security conference in St. Paul, Minnesota.  The meeting was very well attended with around 500 attendees from around the US, Canada, and even Japan.  My compliments to the organizers!  It was a terrific meeting and worth everyone’s time.

I’d like to raise three key points that surfaced during the meeting and go into more detail on one of them.

  1. There were several presentations regarding the risks to critical infrastructure from commercially available drones.  This was a bit of a surprise to many attendees, since the drone threat has not really been recognized as one.
  2. A major threat to electric utilities is the INSIDER THREAT.  This is an issue that makes one wonder “why would anyone want to attack my company from the inside?”  Well, the NERC Electricity-Information Sharing and Analysis Center (E-ISAC) team mentioned this risk repeatedly.  So, take some time to be sure you are paying attention to the inside of your company for both physical and cyber-attacks and disruptions.
  3. The third threat worth mentioning is the “bad guys” trying to harvest credentials that can be used against the company.  This is where I’d like to spend a few extra lines of text.

Right now, current and potential attackers are trying to harvest and collect credentials used for cyber access into a utility or energy company.  These credentials make the attacker’s life much easier, and the use of ill-gotten credentials has been demonstrated in such notorious attacks as those in Ukraine.

The attackers try to harvest credentials via the “normal” means, such as PHISHING attacks on email.  But the attackers are also surveying and monitoring social media for a user’s credentials and for the answers to password-reset questions.

For example, if I know a person works at Utility X, then I can monitor their social networking – including non-work-related posts – for such things as the names of their kids, pets, mother’s maiden name, etc.  All good information to use when you are trying to reset a password.  Also, by monitoring their social networking I may be able to glean information about upcoming utility operations such as a planned outage that keeps Dad or Mom away from their kid’s soccer game. 

Useful information for the attacker.

One particular issue that is really disconcerting is how individuals use the same username and password for their social networks and personal email as they use for work.  THIS IS REALLY DANGEROUS AND SHOULD NOT BE DONE!  If I can hack into your social network and determine your username and password, that allows me to “pivot” to the utility account, log in, and enter the utility network.

Such a practice should not be condoned by any organization and, in fact, should be an Employee Awareness posting at least every six months.
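One defensive check an organization can put in front of that reuse problem, added here as an example and not part of the original post: screen a work password against public breach corpora, which is where credentials leaked from compromised social networks and personal email end up, without the password itself ever leaving the machine. The code below uses the k-anonymity range scheme of the Have I Been Pwned “Pwned Passwords” API (only the first five hex characters of the password’s SHA-1 hash are sent), but the demo runs offline against a constructed range response; the breach counts in it are made up, and the `live_fetch` helper and the password-policy use are my assumptions, not something the post describes.

```python
"""
Check a password against a breach corpus using the k-anonymity "range" scheme
of the Have I Been Pwned Pwned Passwords API: only the first five hex
characters of the password's SHA-1 hash are sent; the server answers with
every suffix sharing that prefix plus a count, and the comparison happens
locally, so the full hash never leaves the machine.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed stand-in for a range response ("SUFFIX:COUNT" per line).  A real
# response holds several hundred lines; the counts here are made up, but the
# second suffix really is the tail of the SHA-1 of the string "password".
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F4A5D2B0E7C1A6D3F8B9C0E2D1A4B5C6D7:7",
    ]),
}


def hash_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is transmitted and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def offline_fetch(prefix: str) -> str:
    """Range lookup against the constructed table; empty when the prefix is unknown."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Range lookup against the real service (not called by the offline demo).
    The Add-Padding header asks the server to pad the response so its size
    does not reveal how many suffixes the requested prefix really has."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """Number of times the password was seen in breaches (0 if never seen).
    Padded entries carry a count of 0, so they never produce a false match."""
    prefix, suffix = hash_prefix_suffix(password)
    for line in fetch(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def main() -> None:
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw)
        verdict = f"seen {n} times in breaches" if n else "not in the sample corpus"
        print(f"{pw!r}: {verdict}")


if __name__ == "__main__":
    main()
```

The caveat a practitioner should keep in mind: an employer cannot see what its people use on their personal accounts, so this check does not prove that a work password is unique; it only rejects the subset of passwords that are already in attackers’ hands, which is exactly the subset that makes the “pivot” above trivial.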


NERC GRIDSECCON was a useful meeting and I look forward to next year’s event – somewhere in the Western Electricity Coordinating Council (WECC) territory.  This meeting raised some very key points of concern and, as you’ve seen above, utility and critical infrastructure management needs to pay attention to Drones, the Insider Threat, and Credential Harvesting.

Thanks for reading!

Friday, June 9, 2017

WannaCry Ransomware and Industrial Control Systems

The following article was posted on my LinkedIn account and was prepared by me with assistance from several of my colleagues at my employer, BBA (  
The actual article can be located at this LINK.
There’s been substantial discussion in the media and on the interwebs about the ransomware called “WannaCry”. This malicious software (malware), which blocks access to data until a ransom is paid, has been destructive. It’s caused financial consequences as well as extreme inconveniences for critical businesses across the globe, such as the National Health Service in the United Kingdom, which was one of the first and most significant victims of the attack (a total of 300,000 computers in 150 countries had been locked by WannaCry as of the end of May 2017).


Ransomware is a type of malicious software that carries out a cryptoviral extortion attack: it blocks access to data until a ransom is paid and displays a message requesting payment to unlock the data.
  • Where did ransomware originate? The first documented case appeared in 2005 in the United States, but it quickly spread around the world.
  • How does it affect a computer? The software is normally contained within an attachment to an email that masquerades as something innocent.
  • How much are victims expected to pay? The ransom demanded varies. Victims of a 2014 attack in the UK were charged $864. However, there’s no guarantee that paying will get your data back.
  • How did WannaCry operate? It appears to have used a flaw in Microsoft's software, discovered by the National Security Agency and leaked by hackers, to spread rapidly across networks, locking away files.


However, it appears that the ransomware was focused on Enterprise IT systems and not on Operational Technology (OT), also known as Industrial Control Systems (ICS), although a small number of U.S. critical infrastructure operators were reportedly affected. In any case, understanding the difference between these two types of systems is crucial to ensuring the cybersecurity of your plant or facility… and to judging whether or not ransomware like WannaCry can affect them.
The above figure illustrates the typical separation between Enterprise Information Technology (IT) and Operational Technology (OT), also known as ICS. Enterprise IT is composed of systems used to run a business: email, time sheet reporting, finance, expense reporting, purchasing, etc. These systems are normally Windows-based, running Windows Server and Windows desktop operating systems.
On the OT side of the business, most of the “computers” are small, specialized machines, such as programmable logic controllers (PLCs), distributed control systems (DCSs), engineering workstations, historians (essentially focused, real-time databases), etc. Some Windows operating systems are used on the OT side, but there are also many industrial communications protocols used for data exchange beyond normal TCP/IP.
Most importantly, Enterprise IT networks are usually connected to the Internet, while OT networks tend to be separated from the world wide web. There are normally no direct communication links between IT and OT networks. That’s why WannaCry ransomware affected applications and data on Enterprise IT systems more than on OT systems.
To date, a handful of cases where ICS were infected have been reported. Nonetheless, “the news should put all companies that rely on industrial control systems (ICS) on high alert because the choices available to protect the systems within an industrial process facility are much more limited than those in corporate IT”, explained the CEO of PAS Global this week. Indeed, there are opportunities for WannaCry to locate and encrypt an unpatched Windows system in any ICS.
As of this time, there are no verified examples where WannaCry attacked and “bricked” a human machine interface (HMI) on a factory floor or caused an industrial system to fail quietly or catastrophically. But the opportunities are present wherever Windows operating systems are installed in the ICS, in such places as HMIs, ICS engineering workstations, etc. ICS components of a plant are not patched or updated as often as IT system components, for a simple reason: reboots and software uploads require a production shutdown, or the production lines must be put in “safe mode”, to avoid undesirable consequences for the production systems.


Here are four basic recommendations to ensure that ransomware such as WannaCry doesn’t endanger your production line and operations:
  1. Make sure the ICS is separated from the Enterprise Information Technology (IT) network and from the Internet, from which the WannaCry malware could migrate.
  2. ICS operators, engineers and security personnel should make it a high priority to patch the Windows systems as soon as practical, to reduce the risk and impact of the WannaCry malware.
  3. ICS operators should ensure that any portable media (e.g., USB drives) and/or laptops and test equipment capable of “carrying” the WannaCry malware (or any malware, in all cases) are checked for known malware before they even come into contact with the ICS and its components.
  4. ICS operators, engineers and security personnel should make it a point to closely monitor the US ICS-CERT alerts and advisories, or subscribe to their mail alerts.
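Recommendation 1 is something you can check rather than assume. The following is an added example, not code from the original article or from BBA: it audits a zone-based firewall policy for any allow rule that opens a path from the Internet or the enterprise IT network into the OT zone, using first-match evaluation the way most zone firewalls do. The zone names, the rule format and the rule set are constructed for the example; the two services it probes are tcp/445 (SMB, the protocol WannaCry spread over, a detail the article does not state) and tcp/3389 (Remote Desktop).

```python
"""
Zone-based firewall rule audit: does any allow rule open a path from the
Internet or the enterprise IT network into the ICS (OT) zone?

The rule format, zone names and rules below are constructed for this example
and are not any vendor's syntax or any real site's policy.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTECTED_ZONES = {"ot_control"}                 # ICS networks that must stay isolated
OUTSIDE_ZONES = {"internet", "enterprise_it"}    # where worm-style malware arrives from

# Services a worm such as WannaCry needs to reach a Windows host; constructed list.
# tcp/445 is SMB (the protocol WannaCry spread over), tcp/3389 is Remote Desktop.
SERVICES_OF_CONCERN = ["tcp/445", "tcp/3389"]


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # zone name or "any"
    dst_zone: str   # zone name or "any"
    service: str    # "proto/port" or "any"
    action: str     # "allow" or "deny"

    def matches(self, src: str, dst: str, service: str) -> bool:
        return (self.src_zone in ("any", src)
                and self.dst_zone in ("any", dst)
                and self.service in ("any", service))


def evaluate(rules: List[Rule], src: str, dst: str, service: str) -> Tuple[str, Optional[str]]:
    """First-match evaluation, as most zone firewalls do it.  Returns the
    action taken and the name of the rule that decided it; an implicit
    default deny applies when nothing matches."""
    for rule in rules:
        if rule.matches(src, dst, service):
            return rule.action, rule.name
    return "deny", None


def audit(rules: List[Rule]) -> List[Tuple[str, str, str, str]]:
    """Return every (src, dst, service, rule) where an outside zone can reach
    a protected OT zone on a service of concern."""
    findings = []
    for src in sorted(OUTSIDE_ZONES):
        for dst in sorted(PROTECTED_ZONES):
            for service in SERVICES_OF_CONCERN:
                action, rule_name = evaluate(rules, src, dst, service)
                if action == "allow":
                    findings.append((src, dst, service, rule_name))
    return findings


# Constructed rule set with two typical mistakes: a jump-host RDP rule that was
# never removed, and a legacy "any/any" SMB allow that sits above the default deny.
SAMPLE_RULES = [
    Rule("block-internet-to-ot", "internet", "ot_control", "any", "deny"),
    Rule("it-to-ot-rdp-jump", "enterprise_it", "ot_control", "tcp/3389", "allow"),
    Rule("legacy-smb-any", "any", "any", "tcp/445", "allow"),
    Rule("default-deny", "any", "any", "any", "deny"),
]


def main() -> None:
    findings = audit(SAMPLE_RULES)
    if not findings:
        print("no outside-to-OT paths open")
    for src, dst, service, rule in findings:
        print(f"OPEN: {src} -> {dst} {service} (allowed by rule '{rule}')")


if __name__ == "__main__":
    main()
```

Each finding names the rule that opened the path, which is what a reviewer needs in order to remove it or scope it down. Note that the sample policy does end in an explicit default deny and still fails the audit: a broad allow placed above the deny is matched first, so ordering, not just the presence of a deny, is what has to be verified.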


Simply stated, WannaCry can impact ICSs and susceptible components; it takes hard work and constant, 24/7 due diligence to stay on top of the security of your ICS. Assuming that the risk of a breach or successful attack is real should be a mantra and should always be at the top of everyone’s mind.

Monday, January 9, 2017

DHS Designates Election Infrastructure as a Critical Infrastructure Subsector

On Friday, January 6, 2017, the Secretary of the US Department of Homeland Security announced that DHS has designated the US Election System as "CRITICAL INFRASTRUCTURE."

In the press release, Johnson noted that "Given the vital role elections play in our country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure."

According to the press release, "Election Infrastructure" is defined as:

  • Storage facilities
  • Polling places
  • Centralized vote tabulation locations
  • Information and communications technology to include:
    • Voter registration databases
    • Voting machines
    • Other systems to manage the election process and report and display results on behalf of state and local governments

Johnson reiterated that this designation does not mean a federal takeover of, regulation of, oversight of, or intrusion into elections in the US.  The designation does not change the roles state and local governments have in administering and running elections.

However, the designation as Critical Infrastructure does mean that election infrastructure becomes a priority within the National Infrastructure Protection Plan (NIPP).