Lessons for Utilities from the Google Attack

By Andy Bochman, Ounce Labs, an IBM company

Ounce Labs, an IBM company | www.ouncelabs.com


Software and the Smart Grid

The biggest difference between today's grid and the Smart Grid is software. Software is the key enabler of the Smart Grid. Over the past 30 years, it has been what separates modern enterprises from their pre-IT ancestors by making them faster, smarter, more efficient and more flexible. However, a well-documented but unintended consequence has been that it has also made them much more vulnerable. It's not just that potential bad guys can cause harm with software tools of their own; the real downside is that even on a good, hacker-free day, a large amount of uncertainty surrounds the consistent operation of this most critical corporate ingredient.

Software Provenance

Most large organizations don't know where their software came from, at least not in any comprehensive way. Software provenance is often quite opaque to its users. Even when you buy software from Vendor X, there's no guarantee that all of the code was written by Vendor X's own developers. There is usually no guarantee that the software is bug-free, that it doesn't include glaring programmatic weaknesses that make it an easy target, or even that it isn't already harboring malicious code that can be triggered later and cause your organization and/or your customers great harm.
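One concrete, if modest, step a utility can take against opaque provenance is to verify that what arrived from the vendor is exactly what the vendor published. The script below is an added example, not code from the article or from Ounce Labs: the vendor name, file names, file contents and the two-column "sha256  path" manifest format are all constructed for illustration. It models both sides: the vendor's build emitting a hash manifest, and the customer's side checking a delivered release against it and reporting altered, missing and unlisted files.

```python
"""Check a delivered software release against the vendor's hash manifest.

Added example (not from the article). All sample data below is constructed.
"""
import hashlib
from typing import Dict, List

# --- Constructed sample data -------------------------------------------------
# What the (hypothetical) vendor's build produced and published a manifest for.
VENDOR_BUILD: Dict[str, bytes] = {
    "bin/meter-agent": b"\x7fELF...meter-agent build 1.4.2",
    "lib/telemetry.so": b"\x7fELF...telemetry 1.4.2",
    "conf/agent.yaml": b"poll_interval: 60\nendpoint: https://vendor.example/collect\n",
}

# What actually arrived on the utility's side: one file silently altered,
# one expected file absent, and one file that nobody listed.
DELIVERED: Dict[str, bytes] = {
    "bin/meter-agent": VENDOR_BUILD["bin/meter-agent"],
    "lib/telemetry.so": b"\x7fELF...telemetry 1.4.2" + b"\x90\x90",  # altered
    "lib/helper.so": b"\x7fELF...unknown origin",                     # unlisted
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> str:
    """Vendor side: one 'sha256  path' line per file, sorted for stable diffs."""
    lines = ["# sha256 manifest (constructed example)"]
    for path in sorted(files):
        lines.append(f"{sha256_hex(files[path])}  {path}")
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> Dict[str, str]:
    """Customer side: parse the manifest; a malformed line is an error, not a skip."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if (len(parts) != 2 or len(parts[0]) != 64
                or any(c not in "0123456789abcdef" for c in parts[0])):
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, path = parts
        if path in expected:
            raise ValueError(f"manifest lists {path!r} twice")
        expected[path] = digest
    return expected


def verify_release(manifest_text: str, delivered: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify every path as ok / mismatch / missing / unlisted."""
    expected = parse_manifest(manifest_text)
    report: Dict[str, List[str]] = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for path, digest in expected.items():
        if path not in delivered:
            report["missing"].append(path)
        elif sha256_hex(delivered[path]) == digest:
            report["ok"].append(path)
        else:
            report["mismatch"].append(path)
    # Files present on disk that the vendor never declared deserve the same scrutiny
    # as altered ones: they are code of unknown origin.
    report["unlisted"] = sorted(set(delivered) - set(expected))
    for key in report:
        report[key].sort()
    return report


def release_is_trustworthy(report: Dict[str, List[str]]) -> bool:
    """True only when nothing is altered, absent, or undeclared."""
    return not (report["mismatch"] or report["missing"] or report["unlisted"])


if __name__ == "__main__":
    manifest = build_manifest(VENDOR_BUILD)
    result = verify_release(manifest, DELIVERED)
    for status, paths in result.items():
        print(f"{status:9s} {paths}")
    print("trustworthy:", release_is_trustworthy(result))
```

The check is only as good as the channel the manifest came over: a hash list fetched from the same compromised mirror as the files proves nothing, so in practice the manifest must be signed by the vendor and the signing key obtained separately. And it addresses only the first of the article's worries; a release that matches its manifest exactly can still contain code the vendor never reviewed.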

Attacks on Software Source

All of this, however, is mere prologue to the story of recent attacks against Google and a variety of other popular software vendors. The details are a bit sketchy, but the core elements include:

  • US tech companies experienced a series of very serious cyber attacks that appear to have originated in Asia
  • Google admits that a couple of Gmail accounts were partially compromised
  • Firms report that the apparent target of the attacks was source code relating to popular software packages

This is an interesting phenomenon, because it describes an organic growth model for further hostile behavior. The accounts of the recent attacks in the press are clear on at least two facts: that a zero-day vulnerability led to the breaches, and that source code for familiar software systems was a target of the attacks. According to Richard Stiennon in Dark Reading, "as they get more sophisticated, they are very interested in source code and ways to find new vulnerabilities in software companies' products."

One feeds the other. Zero-day vulnerabilities are very hard to find. Most popular software packages have been around for a while, and have been well wrung-out in the market. Finding something new and vulnerable in them is neither common nor simple. With the source code, however, it becomes much more straightforward. Looking from the inside out, it is like having a map to the functionality, and weaknesses are revealed that would be very hard to find just searching from the surface. The fact that one of these vulnerabilities was found and then used to steal more source code indicates that this is a well-thought-out approach. The attack was sophisticated, and using its spoils to sow the seeds of future attack vectors is equally so.

The Curtain Pulls Back

The big news, however, isn't so much that these events are happening, but rather that they're being discussed so openly. According to Atlantic journalist Marc Ambinder, we have Google to thank for that: "Google's revelation that they'd been hit was deemed a 'watershed' moment by security industry analysts, but the other 32 companies who were hit have not followed suit and have begged the government to keep their identities a secret. The government has no choice but to protect their identities – even as policy encourages greater transparency about the scope of such attacks."

Two weeks ago events reached fever pitch with Secretary of State Clinton speaking out in Washington against nation-supported (if not sponsored) cyber attacks by China and Iran, among others. Basically, she called out a new opposition axis, only this time it isn't an Axis of Evil, it is an Axis of Cyber Threats.

On the Cyber Defensive

US companies and government organizations have long been victims of and targets for cyber attack. This doesn't make the US unique, but recent increases in the frequency of damaging attacks are surprising. The main culprit appears to be the innumerable Internet connection points that present attackers with unexpected access to both flaws in software and system configuration errors. These deliver the opportunities for getting to other applications and to sensitive data.

For US companies, there is little recourse, little ability to hit back. That's our policy. Again, Marc Ambinder: "[These are] the U.S. network security rules of engagement. Defend, don't attack.... For example, if a U.S. site comes under attack [from a foreign site], the victim – assume it's an intelligence agency – can defend it by trying to block the attacks, and it can offensively attempt to figure out who's behind them – but once that threshold is crossed, it cannot attack the sites."

US companies are only obligated to disclose the loss of customers' private information, and they don't have to be very specific about how the loss occurred, so there isn't much improvement in protection as a result of understanding how a successful attack transpired.

Takeaways for Utilities

Smart Grid initiatives are driving a huge increase in Web connectivity for utilities at this very interesting point in the evolution of cyber offense and defense. A big part of that increase comes in the form of new online energy applications and services being built by Google and dozens of start-up companies. Are all of them as forward-minded about security as Google? Time will tell.

We know utilities in other countries have come under cyber attack, and at least one incident induced significant outages. We also know that malicious code has found its way onto US utility computer systems. But there's a lot more we don't know, and there are many questions to consider while we're still in the formative stages of the Smart Grid build-out:

  • Will large US utilities become targets for big cyberattacks similar to those that just hit Google?
  • Will they have the defenses in place to protect customer data and maintain reliability as well as it appears Google did?
  • Especially as they rely so heavily on enormous amounts of reliable, high-quality power, will Google and other more mature cyber security victims be willing to share their best practices with the utility community?
  • What obligations do utilities have for disclosing cyber attacks they endure, especially ones that cause tangible damage? And if they do disclose this info, to whom do they disclose it: FERC, NERC, NSA, each other, or the general public?

Despite repeated warnings from experts and the press since the Google breach headlines appeared, progress on disclosure from other affected organizations, forensics on the actual mechanisms, and informed recommendations have been slow, and that must change. Utilities and their software/service providers should be pressing for information and for assistance. Nothing could more fundamentally weaken our nation and our competitiveness than an organized and successful attack on our power infrastructure, and these incidents present an uncommon opportunity to learn.