In response to attacks against power companies and at least one nuclear plant last year, the U.S. Department of Energy (DOE) is establishing an Office of Cybersecurity, Energy Security and Emergency Response (CESER).
Dept. of Energy Cybersecurity Initiatives
The office will be funded with $96 million under the latest fiscal year 2019 budget proposal. The DOE's budget request (PDF) asked for funding in order to:
- Prevent and address cyberattacks on the energy sector, securing the DOE enterprise
- Conduct research and development for electric grid and energy sector cybersecurity
- Manage DOE enterprise cybersecurity risk
- Establish a separate account for the Office of Cybersecurity, Energy Security and Emergency Response (CESER)
However, as The Hill notes, the budget is a proposal and Congress has final say on funding levels, and will decide on whether or not to fund the new cybersecurity office.
Attacks Targeting U.S. Energy and Critical Infrastructure
Last October, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a technical US-CERT (Computer Emergency Readiness Team) alert to inform government agencies and organizations in the energy, nuclear, water, aviation and critical manufacturing sectors about an ongoing "advanced persistent threat" campaign that has been active since at least May 2017.
The alert references research conducted by Symantec - Dragonfly: Western Energy Sector Targeted by Sophisticated Attack Group.
The targets include:
- Staging targets - Trusted third-party suppliers with less secure networks
- Intended targets - Main networks of targeted organizations
Threat actors would start by conducting reconnaissance using publicly available information on network and organizational design, control system capabilities, and anything posted to company websites that may contain operationally sensitive information.
In one scenario, the threat actors zoomed in on a high-resolution photo found on a company's human resources page to reveal control systems equipment models and status information in the background, according to US-CERT.
Tactics Used Against Third Parties
They also accessed third-party networks via their websites, remote email access portals and virtual private networks (VPNs).
In addition, they sent targeted phishing emails to third parties with attachments that attempted to retrieve a document from a remote server using Microsoft's Server Message Block (SMB) protocol. That request exposed the user's credential hash, from which the attackers obtained the plaintext password and logged in as authorized users.
Tactics Used Against Intended Targets
The phishing email campaign against the larger, intended target organizations included:
- Subject lines that disguised the email as a contract agreement - "AGREEMENT & Confidential"
- Email messages referring to control or process control systems and common industrial control equipment and protocols
- PDF attachments disguised as industrial control systems personnel resumes, invites and policy docs
- A malicious link, offered in case a download did not start automatically, that led to a website hosting a malicious file
They also used malicious .docx files to collect user credentials, and compromised websites likely to be visited by those in the energy sector to set up watering hole attacks to steal credentials.
According to Symantec, the threat actors also used the lure of fake Flash updates in order to convince users to visit specific websites, allowing threat actors to install backdoors on their target networks.
Security Best Practices
The CERT alert states that the threat actors used compromised credentials to access victims' networks where multi-factor authentication (MFA) was not used.
Obviously, implement MFA everywhere to counter this threat, using a strong method such as a U2F security token wherever possible. The alert recommends:
Use two-factor authentication for all authentication, with special emphasis on any external-facing interfaces and high-risk environments (e.g., remote access, privileged access, and access to sensitive data).
US-CERT also recommends monitoring VPN logs for abnormal activity, like off-hour logins, unauthorized IP address logins, concurrent logins, etc.
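As an added illustration of the VPN log monitoring US-CERT recommends (this is example code, not from the alert or from any vendor), the following script runs three simple checks over constructed sample log lines: logins outside business hours, logins from IP ranges the organization does not expect, and a second concurrent login for a user who already has an open session. The log format, the trusted prefixes and the business-hours window are all assumptions.

```python
from datetime import datetime, time
from collections import defaultdict

# Constructed sample VPN log lines (not from any real system).
# Format: "<ISO timestamp> <user> <src_ip> <login|logout>"
SAMPLE_LOG = """\
2017-10-02T08:15:00 alice 203.0.113.10 login
2017-10-02T09:00:00 bob 198.51.100.7 login
2017-10-02T09:05:00 alice 192.0.2.44 login
2017-10-02T12:30:00 alice 203.0.113.10 logout
2017-10-02T17:45:00 bob 198.51.100.7 logout
2017-10-03T02:10:00 carol 198.51.100.9 login
"""

# Assumed policy values: source prefixes remote users are expected to come
# from, and the window considered business hours (local time).
TRUSTED_PREFIXES = ("203.0.113.", "198.51.100.")
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)

def parse(log_text):
    """Turn the raw log text into (timestamp, user, ip, action) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, ip, action = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, action))
    return events

def find_anomalies(log_text):
    """Return (user, reason) findings for the patterns US-CERT calls out."""
    findings = []
    active = defaultdict(set)  # user -> source IPs with an open session
    for ts, user, ip, action in sorted(parse(log_text)):
        if action == "logout":
            active[user].discard(ip)
            continue
        # Off-hours login
        if not (BUSINESS_START <= ts.time() <= BUSINESS_END):
            findings.append((user, "off-hours login at %s" % ts.isoformat()))
        # Login from a source outside the expected ranges
        if not ip.startswith(TRUSTED_PREFIXES):
            findings.append((user, "login from unexpected IP %s" % ip))
        # Concurrent session: a new source while another session is still open
        if active[user] and ip not in active[user]:
            others = ", ".join(sorted(active[user]))
            findings.append((user, "concurrent login from %s while active from %s" % (ip, others)))
        active[user].add(ip)
    return findings
```

In production the same checks would run against the VPN concentrator's exported logs or a SIEM, with the trusted ranges and hours drawn from the organization's own access policy.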
To enforce remote access controls for corporate applications, use a secure access solution that allows you to set application-specific policies based on the trustworthiness of your users and devices and the risk attributes of the login request.
In the campaign against energy and critical infrastructure organizations above, threat actors were able to log into networks as authorized users, rendering them indistinguishable from the rest of your trusted users.
To establish a zero-trust environment, you need a way to verify your users' identities and devices that isn't reliant on their network location (since you can't trust everyone on your network).
Stronger authentication, secure single sign-on, device certificates and security hygiene checks can help you take the first steps toward implementing this new enterprise security model.
See a full list of the general best practices in Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors.