AGA/EEI Accounting Leadership Conference Emerging Trends Cyber Security Robert Mims Director, Security - Gas, Nuclear, and Gen/Tran Operations Southern Company
It could happen to anyone
Threat Actors
– Other nations (nation-states)
– Criminals (organized crime, hackers)
– Hacktivists
– Insiders (or external actors acting in the shoes of insiders)
Threat Landscape
Cyber extortion – “ransomware” – and spear phishing
Election-year cyber breaches
Economic espionage
Breach of retailers – point of sale terminals
Breach of insurance companies
Possible broader emergence of new Asian threat actor
Coordinated attack in Ukraine impacts electric service
Threat Landscape Evolution
Key Issues
• Threat landscape continually changing
• Sophistication of threats
• Increased reliance on technology
• New technology introduces new risk
• Mobility of information
• Consumerization of the workplace
• Mobile applications
• Internet of Things (IoT)
Threat Landscape – Specific Actors
[Slide diagram: potential adversaries and adversary tactics; labels recovered from the slide]
Potential adversaries: Syria (SEA), China, Russia, Iran, North Korea, India (emerging)
Adversary tactics noted: Distributed Denial of Service (DDoS), spear phishing, website compromise
Other annotations on the diagram: focused on media; visible operations; decrease in activity? (monitor political environment); emerging
Is the Threat Real?
1988 – Morris Worm. First person convicted under cyber fraud and abuse act
1999 – Melissa Virus, MS Word attachments, resulted in AV sales increase
2001 – Code Red virus; I Love You virus
2006 – NASA blocks email attachments before shuttle launches. Plans for the latest US space launch vehicles breached
2007 – INL demonstrated the Aurora vulnerability. Cyber attack destroys generator
2009 – Albert Gonzalez stole 45.7M credit cards from TJX, costing $256M
2009 – Google’s China HQ attacked, accessing Gmail accounts of Chinese human rights activists
2010 – Stuxnet – physically destroyed over 1,000 Iran centrifuges
2012 – Saudi Aramco – physically destroyed over 30,000 workstations
2013 – APT1 Report, Chinese Army infiltrating networks in every US sector to steal IP
2013 – South Korea banks attacked by logic bomb deleting/destroying computers. South Korean stocks tumbled after attack
2013 – Target Breach, 40M cards, CEO & CIO replaced
2014 – Home Depot, 56 million credit cards, via HVAC vendor's network; Sony Pictures attack
2015 – Deep Panda; OPM Breach, 21.5M records; Anthem, 80M records
2016 – DNC emails; Yahoo, 500M & 1B accounts; DYN (Twitter, Netflix, PayPal, Pinterest), IoT DDoS; CEO email scams; NSA Cyber Tools Leak; Ukraine Electric Utilities
2017 – WannaCry ransomware
Major Ukraine Oblenergos
• The country’s grid is synchronously connected to three neighbors (Russia, Belarus, and Moldova)
• Four of a total of 23 Oblenergos in Ukraine, each primarily providing power distribution (as well as some generation and transmission functions) were targeted
• The attacks were synchronized and coordinated, and likely were preceded by extensive reconnaissance
• On December 23, 2015, breaker controls at three of the four Oblenergos came under remote control of the attackers. The fourth provider thwarted the attack by removing remote access functionality
The Targets
TLP GREEN
Ukraine Power Grid Incident – Prykarpattyaoblenergo: What We Know
Power restored after 6 hours by utility workers shutting down SCADA devices and switching to manual operations (validating manual recovery / operations strategies)
December 23, 2015 – Issues reported at several of Prykarpattyaoblenergo’s substations resulting in the loss of power
KillDisk malware component found in electric utility’s network linked to cyber attacks on Ukrainian media during local elections in October 2015.
Call centers for Prykarpattyaoblenergo and Kyivoblenergo experienced a telecommunications based denial of service attack (DoS)
Investigation concluded that malware was not the cause of the power outage, although it was present on Prykarpattyaoblenergo’s devices
Other power distribution companies were affected including Chernivtsioblenergo and Kyivoblenergo
Industry experts agree, based on the logistics and complexity of the incident, this was a coordinated attack (including disruption of telephony and websites to hinder communications)
Ukraine Electrical Grid Attack – Attack Sequence
[Slide diagram: attack sequence, steps in the order shown on the slide]
1. Malicious Email (Spear Phishing)
2. Workstations Compromised
3. Malicious Communications Established
4. Passwords and User IDs Compromised
5. Remote Access Gained
6. Manual Power Shutoff
7. Destructive KillDisk
8. Data Center Power Shutoff
9. Telephony Attack
Ukraine Attack Sequence: Unauthorized remote access to manipulate breakers via the Human Machine Interface (HMI) [SCADA workstation]
Video of Attack
Internet of Things DDoS – Unknown Actor
• Carrier DDoS Protection
• Daily scanning of IoT devices
IoT, Botnets and DDoS
• A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.
• Internet of Things (IoT) connects everyday devices to the internet (e.g. IP cameras, routers, smart TVs, refrigerators, and other non-traditional computer devices).
• Manufacturer default passwords on these IoT devices are being compromised – allowing them to participate in botnet operations and DDoS attacks.
Publicly confirmed DDoS attacks
• Krebs on Security blog attacked by a record-breaking 620 Gbps DDoS, Sept 2016
• French hosting firm OVH attacked by a DDoS that set a new record of 1.1 Tbps, also in Sept 2016
• Dyn, a domain name service provider, was taken offline for half a day, Oct 21st 2016, impacting connectivity to PayPal, Twitter, Amazon, Netflix, Reddit, and others.
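The slide defines a DDoS as traffic from multiple sources overwhelming a service, and the Krebs, OVH and Dyn incidents are the volumetric kind. The detection logic below is an added example, not from the presentation or from Southern Company: it parses web-server access-log lines (NCSA common log format is assumed) into fixed time windows and raises an alert when the aggregate request rate surges above a baseline and the traffic comes from many distinct sources. The sample log is constructed inline (RFC 5737 documentation addresses) and deliberately models what makes botnet-sourced floods hard to stop with per-client rate limits: each of the 200 sources sends only one request per second, yet the aggregate is 200 requests per second. The thresholds (baseline_rps, surge_factor, min_sources, per_source_limit) are illustrative assumptions, not values from the slide.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format: NCSA common log format as written by nginx/Apache, e.g.
# 198.51.100.1 - - [21/Oct/2016:10:00:00 +0000] "GET / HTTP/1.1" 200 512
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, source_ip) for a well-formed line, or None for junk."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip")


def build_sample_log():
    """Constructed sample traffic: 10 s of normal load, then 10 s of a distributed flood."""
    tail = '- - [21/Oct/2016:%s +0000] "GET / HTTP/1.1" 200 512'
    lines = []
    # Normal: three clients, 2 requests/s each, 10:00:00-10:00:09 (60 requests).
    for sec in range(10):
        for host in range(1, 4):
            for _ in range(2):
                lines.append(f"198.51.100.{host} " + tail % f"10:00:{sec:02d}")
    # Flood: 200 bots, 1 request/s each, 10:00:10-10:00:19 (2000 requests, 10 per bot).
    for sec in range(10, 20):
        for bot in range(1, 201):
            lines.append(f"203.0.113.{bot} " + tail % f"10:00:{sec:02d}")
    return lines


def summarize_windows(lines, window_seconds=10):
    """Bucket requests into fixed windows keyed by epoch-aligned window start."""
    windows = defaultdict(lambda: {"requests": 0, "per_source": defaultdict(int)})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crashing the detector
        ts, ip = parsed
        start = int(ts.timestamp()) // window_seconds * window_seconds
        windows[start]["requests"] += 1
        windows[start]["per_source"][ip] += 1
    return dict(windows)


def detect_ddos(lines, window_seconds=10, baseline_rps=1.0, surge_factor=10,
                min_sources=50, per_source_limit=20):
    """Alert on windows whose aggregate rate surges AND whose traffic is widely distributed.

    Both conditions together separate a volumetric DDoS from a single noisy client,
    which a plain per-source rate limit already handles.
    """
    alerts = []
    for start, w in sorted(summarize_windows(lines, window_seconds).items()):
        rps = w["requests"] / window_seconds
        busiest = max(w["per_source"].values())
        if rps >= baseline_rps * surge_factor and len(w["per_source"]) >= min_sources:
            alerts.append({
                "window_start": datetime.fromtimestamp(start, timezone.utc).strftime("%H:%M:%S"),
                "requests_per_second": rps,
                "distinct_sources": len(w["per_source"]),
                "max_requests_per_source": busiest,
                # True only if an ordinary per-client limit would also have fired.
                "caught_by_per_source_limit": busiest > per_source_limit,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_ddos(build_sample_log()):
        print(alert)
```

Running the block prints a single alert for the 10:00:10 window: 200 requests per second from 200 distinct sources, with no source exceeding 10 requests, so `caught_by_per_source_limit` is False. That last field is the point of the example: upstream (carrier) scrubbing and source-diversity metrics matter precisely because individually well-behaved bots are invisible to per-client throttling.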
DDoS Protection
Cyber Strategies to Address Risk
[Slide diagram: layered defense strategy; labels recovered from the slide]
• Defense in Depth
• Segmentation of assets
• Defense Evolution
• Leverage Federal Capabilities
• Outer Defenses / Isolation Zones / Network / Internet
• Intelligence Sharing: Industry, Government Agencies, Industry ISAC, 3rd Party Threat Intel
• Partnership agreement; Partnership Agreement, Automated Intel Sharing; Southern Network Vulnerability Scanning
• DOE CRISP (Cyber Risk Information Sharing Program)
• Technology Refresh
• Spear Phishing Protection
• Government intelligence
• Operating System Controls
• Remote Access
• Removable media protection
• New Approaches - Technology
Questions?