Cyber attacks Plague US Department of Energy
Cyber attacks plagued the US Department of Energy to the tune of over 150 times between 2010 and 2014. It shouldn’t come as a surprise that the United States Department of Energy (DoE) is a prime target for cyber attack. For adversaries, it could be a point of entry with the intention of “springboarding” to an interconnected system, or a means to attempt to duplicate what the United States does with regard to energy production. For a terrorist, it could be used for the worst-case scenario as depicted in dystopian books and movies. For the security researcher, it could be an opportunity to “get their name on the ‘map’” [or their wrists in handcuffs].
This comes after the notable attack in 2013, when the personally identifiable information (PII) of “over 100,000 employees and contractors [was compromised], auditors noted ‘unclear lines of responsibility’ and ‘lack of awareness by responsible officials.’ In an audit report released in October of last year, the Inspector General found 41 Energy Department servers and 14 workstations ‘were configured with default or easily guessed passwords’” (USA Today, 2015).
Per Forbes and USA Today, “found that in a 48 month period ending nearly a year ago that 1,131 attacks occurred, with 159 of those successful.” The DoE declined to comment, citing its inability to do so while an investigation is in progress. Per The Hill, “Researchers believe hackers from Russia, China and Iran have all been probing the U.S. power grid for several years, mapping it out and seeking vulnerabilities.”
This comes at a vital time. These reports were released at the end of a four-day summit between the U.S. and China, where cyber security was a main point of discussion. China has been on the receiving end of blame for numerous attacks on American assets, but not without merit, especially with capable groups like APT1 and Deep Panda (believed to be responsible for the OPM hack).
On the surface, it seems impossible to defend networks against these attacks. While defending against them is more difficult than defending against most vectors used in commercial attacks, it is not impossible. Ultimately, the DoE and Federal Government must be more stringent in selecting the hardware and software they use, as well as the means they use for networking.
Using encrypted tunnels over commercial ISPs is a thing of the past. Dedicated circuits with no outside connection are a great start. Furthermore, more emphasis needs to be put on background checks for security clearances, as a couple of contractors suspected of espionage are believed to be Chinese government employees.
Too often commercial software is deployed and the vendor discloses that the DoE is a client, giving anyone conducting reconnaissance more information than they should have. Employees are also a prime vector, as they tout their titles and accomplishments on platforms like LinkedIn. This provides a vector for social engineering and phishing.
Breakdown of the Meetings between the U.S. and China
Per The Guardian, “Senior US and Chinese officials have met to discuss cyber security and other issues ahead of Chinese president Xi Jinping’s visit to Washington later this month.” Reuters reports that “Both countries agree it is ‘vital’ they cooperate on fighting hacking, Meng said, adding that China will punish anyone who hacks from within China’s borders or steals corporate secrets.”
Meng met with American leaders of the FBI and DHS, in addition to representatives from the Intelligence Community and the Departments of Treasury, State, and Justice, to discuss cyber security. Speculation is circulating that the main purpose of these meetings stems from the OPM attacks that compromised the security clearance files of over 20 million Americans. You can read our blog about OPM here.
Thomas said, “The attacks at the DoE may help reignite the debate surrounding [the] Cybersecurity Information Sharing Act of 2015 [CISA],” which is stalled out in the Senate.
“CISA does have flaws, it is not a magic bullet that suddenly makes us secure, but it’s a good first step,” Thomas said. “However, this round of attacks leveled against the DoE supports the idea that government should be sharing more than just threat indicators. The DoE itself shares threat indicators amongst its own labs, plants and other sites and yet that sharing did nothing to prevent these attacks.”
Some sort of Federal mandate that puts more emphasis on Cyber Security than FISMA is ideal. The only issue that I could possibly see arising is the lingering sense that governments should have unlimited backdoor access to all encryption systems, which, in my opinion, defeats the whole purpose of encryption systems – it’s not if, but when someone other than the government discovers the backdoor.
The NIST Risk Management Framework is not perfect, but it is better (in the Defense arena) than DIACAP and DITSCAP. As long as a culture of security, proper theory to practice, and continuous monitoring (NOT Compliance Management) are enforced, it should be a step in the right direction.