By Amanda Durish Cook
CARMEL, Ind. — A senior Homeland Security official told MISO employees and stakeholders Tuesday that cyberattacks will escalate in the future and the RTO and its members will be among the prime targets.
Neil Hershfield, deputy director of the U.S. Department of Homeland Security’s Control Systems Security Program, said of the 290 cyberattacks committed by nation-state terrorists that the department investigated in 2016, the energy industry accounted for 59, ranking third in targeted American industries behind critical manufacturing (63) and communications (62).
“Hackers are very interested in what you do,” Hershfield told MISO employees and stakeholders at a May 23 Informational Forum.
The department estimates that by 2020, 50 billion internet-ready devices will be in people’s hands worldwide. “All this adds up to a much-larger attack surface. It’s a long-term threat,” Hershfield said.
The number of sophisticated attacks will climb in the future, he said. “Frankly we anticipate more attacks, as hackers figure out how to monetize them like ransomware attacks,” referencing the international WannaCry ransomware attack, which held encrypted data in exchange for Bitcoin payments. Hershfield also said he believes that the 2015 attacks on power utilities in Ukraine were simply testing grounds for a larger attack. He said trojan malware ― like Havex and Black Energy, which was used in the Ukrainian cyberattack ― were used in most sophisticated industrial control systems attacks in 2014 and 2015.
“You might have to operate in a contested environment someday,” he warned.
The department categorizes cyber threats into three types: small groups or individuals who act out of notoriety or curiosity; criminals and activists that act on revenge or blackmail; and terrorist organizations and nation states with political motives. The government has identified hackers in Russia, China, Iran and North Korea, Hershfield said.
He said companies may have to operate in manual mode while they work to regain computer operations following a cyberattack. But that is not always possible.
“Many of the processes controlled by computerized control systems have advanced to the point that they can no longer be operated without the control system,” Hershfield said. Many of the employees who know how to operate in manual mode have retired, he added. “That’s something to think about.”
Hershfield also said the average company spends 2 to 3% of its information technology budget on cybersecurity, and best-in-class companies spend 8%.
Spear-phishing emails were the most common means of entry identified in the 290 attacks investigated by Homeland Security in 2016.
He said LinkedIn is hackers’ preferred starting point to gain access to work email accounts. “The main reason someone would go after you is access or placement in your organization,” said Hershfield, who advised employees with security access to be on guard, especially when opening emails. “Who here clicks on emails from their bank? I never click on emails from my bank. If I want to do something, I go to the bank’s website myself.” He also admitted that he recently earned low marks because of his Facebook account in a personal cybersecurity assessment. “I had my profile opened to everyone, not just friends,” he said.
Two-Password Authentication
Hershfield urges companies to limit remote access and isolate critical operating systems, recommending that all remote access be routed through a business network that doesn’t hold critical information. He also advised that MISO use a two-password authentication to access a critical control network, meaning one log-in and password for the business network and one for the critical control network.
“Is it less convenient? Yes. Is it more secure? Yes,” Hershfield said.
He also said companies should immediately terminate security access for employees that leave the company, pointing to a former Georgia-Pacific employee in Baton Rouge who remotely accessed computer systems and interrupted operations in February, causing $1.1 million in damage to the paper maker in retaliation for being fired. FBI agents arrived at his home to find a still-active virtual private network connection, Hershfield said. He said MISO and member companies should report control system cyber incidents and vulnerabilities to Industrial Control System Cyber Emergency Response Team by emailing ICS-CERT@hq.dhs.gov or calling (877) 776-7585.