Project Grey Goose report on Critical Infrastructure: Attacks, Actors, and Emerging Threats
Last Updated on Thursday, 21 January 2010 07:26 Written by Jeffreycarr Thursday, 21 January 2010 07:26
Is the government of Turkey leveraging its hacker population to build a regional power base?
Last Updated on Tuesday, 10 November 2009 05:26 Written by Jeffreycarr Tuesday, 10 November 2009 05:26
This is the topic for this week’s IntelFusion FLASH Traffic weekly brief. An abstract follows:
The increasing frequency of Turkish hacker crews attacking SCADA-related systems is seen by GreyLogic investigators as an emerging global threat, particularly when combined with two geopolitical events:
One. On October 10, 2009, Turkish Foreign Minister Ahmet Davutoglu signs a historic agreement to work towards restoring diplomatic ties with Armenia. Such an action, according to Henri Barkey of the Carnegie Endowment for International Peace in Washington DC, is necessary if Turkey wants to become an important player in the region.
“With their strong military and economy they have the hard power, but what they are trying to do now is build up their soft power.”
Two. In July 2009, the World Bank agreed to fund Turkey’s Smart Grid project, the World Bank’s first venture into clean energy, thereby elevating Turkey’s status in the region.
Turkey has the second largest Army in NATO and has 8 countries on its borders creating a strategic presence for itself that hasn’t been seen since the Ottoman Empire. The one thing that Turkish military generals are not speaking about is a Turkish cyber warfare or Information Operations program. The absence of such a component in Turkey’s military arsenal is suspicious at best considering its leadership role in the region. In 2003, Turkey launched its Information Security initiatives to protect its networks. In November, 2008, it was considering a membership in NATO’s Cooperative Cyber Defense Council of Excellence (CCDCOE). A logical extension of both of those facts would suggest that the Turkish Armed Forces (TAF), as part of its ongoing modernization, is certainly exploring some type of Computer Network Operations or other Information Warfare capabilities.
If Turkey is keeping its plans for a military cyber capability a secret, its hacker crews are busy breaching Department of Energy Service Provider websites.
The full briefing is available to subscribers of IntelFusion FLASH Traffic. Contact me for subscription rates for your company or agency.
CYA, not Cyber security, is Job One for Energy asset owners and operators
Last Updated on Wednesday, 21 October 2009 11:04 Written by Jeffreycarr Wednesday, 21 October 2009 11:04
I’ve spent the last few days reading various papers on SCADA security issued by Sandia and Idaho National Labs and I’m both shocked and stunned at the pervasive CYA (cover your ass) culture that NERC and its members have managed to construct with the support of DoE and DHS.
It’s not a question of whether a cyber intrusion has resulted in a blackout or not. It has. It’s just not made public. The better question is why the Federal government has allowed private industry to keep cyber attacks quiet. Researchers at both Sandia and Idaho know why, and it has nothing to do with national security and everything to do with financial security. The energy operators and owners don’t want to risk huge financial losses resulting from lawsuits if these breaches are made public. Period. End of story.
DoE and DHS enable them in this regard by either classifying the data or locking it into protected databases like this one that are shielded from Freedom of Information Act requests. So what happens as a result? Our critical infrastructure becomes more vulnerable to attack, because actual incidents are not reported and forensic data on the cyber attack isn’t collected by the very companies that are best suited to analyze and advise on corrective measures. That, in turn, severely limits the Intelligence Community’s ability to provide accurate threat analysis to DoE, DHS, and the entire SCADA network.
Speaking of “threat analysis”, do you know what passes for that today? Because the researchers at Sandia Labs do not have access to real-time or historical data on successful cyber attacks, they have been forced to create an open source alternative which relies, in part, on the chance that hackers will be planning their attack online in a forum that is being scanned by pretty much every law enforcement and intelligence agency in the world. You don’t have to be a statistician to know what the odds of that happening are.
The national security argument for protecting every successful cyber attack against the Grid fails because:
1. SCADA vulnerabilities are regularly made public by DoE reports like this one.
2. Hackers who target these systems already know how to do it, and are training others to do the same (we know that from our first Project Grey Goose report which identified an informal hacker hierarchy in the attacks against Georgia).
3. A threat analysis, to be useful to the customer, is only as good as the accuracy of the data that it’s built upon. To expect researchers in a National Lab to provide such an analysis with incomplete or nonexistent data is ridiculous.
The more we dig into the arcane world of SCADA, the more surreal this experience is becoming. I genuinely hope that our report, once it’s released, stirs up enough public outrage to raise the critical problem of protecting our infrastructure against cyber attacks high enough to draw the attention of the White House, and engage immediate action on the part of the President and his advisors.