The full article can be found here.
BlackEnergy is designed to target critical energy infrastructure and is believed to have originated with Russian government-sponsored hackers.
The Department of Homeland Security’s Oct. 29 cyberthreat alert was, unfortunately, business as usual for many of the nation’s companies. However, with the potential attack on water, electricity and other features of the nation’s critical infrastructure linked to Russian cyber criminals, security practices within private companies have become the public’s business.
“It’s really a very serious issue and the fact that sometimes it’s very difficult to detect [this type of malware] and sometimes the places that house industrial control systems may or may not follow very consistent, very rigorous, security practices creates a huge problem,” said James Joshi, a University of Pittsburgh associate professor and lead faculty member of the school’s Information Assurance Program.
DHS announced Oct. 29 that several industrial control systems — vendor-issued programs used by private companies to manage internal systems — had been infected by a variant of a Trojan horse malware program called BlackEnergy.
Infected programs such as GE Cimplicity, Siemens WinCC and Advantech/Broadwin WebAccess have been used by companies responsible for portions of the country’s critical infrastructure, including “water, energy, property management and industrial control systems vendors” according to DHS. BlackEnergy shows enough similarities to a malware called Sandworm — which was used during a 2013 Russian cyber-espionage campaign against NATO, the European Union and overseas telecommunication and energy sectors — that DHS believes they could be “part of a broader campaign by the same threat actor.”
So far, there’s no sign anyone has tried to take control of any critical infrastructure systems through BlackEnergy. However, the malware is described as “highly modular” in the DHS alert and could be lurking inside of yet-to-be discovered files and media.
With control of nuclear facilities and the electrical grid at risk, Mr. Joshi said too much is at stake for the nation to treat this like threats of the past.
“I think we should really seriously consider this. We’re talking about critical infrastructure and I think this kind of malware is very difficult to detect, stays around for a long time and someone who is behind these gets control of the system they can do anything to the system that they compromise,” he said.
Local utilities say they are on alert.
Duquesne Light became aware of the BlackEnergy threat more than three weeks ago, according to spokesman Brian Knavish, and has since performed a “targeted analysis” to determine if it has been impacted. The company concluded it wasn’t.
BlackEnergy is a “credible threat,” Mr. Knavish said, but “there are a lot of these and some of them get more attention than others.”
In recent years, the electric utility that serves 584,000 customers Allegheny and Beaver counties has beefed up its cybersecurity staffing and receives information about threats from many varied sources, including Homeland Security, the Federal Bureau of Investigations, and others in the energy industry.
“Any threat is taken very seriously,” he said. “There’s always viruses out there.”
FirstEnergy Corp., the Ohio-based parent of West Penn Power, which also operates a number of power plants in the region and a transmission line business that serves this area, said it too has been made aware of BlackEnergy and works with industry organizations to monitor the threat.
The flow of electricity in Pennsylvania and 12 surrounding states is managed by PJM Interconnection, a Valley Forge-based grid operator that oversees the largest grid in the U.S. A spokesman for PJM, Paula DuPont-Kidd, said the organization knows about the threat, “however, like all cybersecurity threats, we continually monitor and arm ourselves with the best strategies to protect the grid and our market.”
North Shore-based utility Peoples Natural Gas said it doesn’t use any of the software identified as the target of BlackEnergy and did not detect the malware in its network after it became aware of the threat.
Peoples, which has 14,000 miles of pipeline in its network, operates its assets through a standalone system that’s not connected to the Internet, according to spokesman Barry Kukovich. That’s by design.
“This eliminates over 99 percent of these malicious threats,” Mr. Kukovich said.
Josephine Posti, a spokeswoman for Pennsylvania American Water, said the company, which regularly works with Homeland Security and the Environmental Protection Agency to protect the water supply, is aware of the threat and has not been impacted by it.
“There’s no such thing as 100 percent security,” said Scott Aaronson, senior director of national security policy for the Edison Electric Institute in Washington, D.C. “What we’re doing is not risk elimination, it’s risk management.”
BlackEnergy is one of many threats and vulnerabilities monitored by the trade organization on a regular basis. Some are identified by government agencies, some by companies, and others by researchers, he said.
The Institute, which is central to the information exchange between the groups, has been aware of BlackEnergy for about a month, Mr. Aaronson said.
There has never been a cyberattack in the U.S. that has affected the distribution of power, he said, but there are cyberattacks all the time that successfully target the industry’s business units.
“There are two kinds of companies: those that have been attacked and those that don’t know it yet,” Mr. Aaronson said.
The industry has three lines of defense against such attacks, he said. One is standards — electric utilities and the nuclear industry are the only two sectors with mandatory cybersecurity standards enforceable through hefty fines from the Federal Energy Regulatory Commission. Another is the coordination between government and industry groups. The third is incident response.
“You cannot protect everything from everything,” Mr. Aaronson said. “We may not succeed” in preventing a cyberattack, he said. The question is “how do you recover quickly? How do you make sure that any damage that is done is not catastrophic, but is simply a nuisance?”
Companies operating or managing critical infrastructure generally follow a set of standard practices recommended by the National Institute of Technology, said Mr. Joshi. However he added that individual companies may not follow standards as rigorously as they should, particularly those dealing with industrial control systems. He also said security standards at large might need an across-the-board overhaul in a digital environment that’s more connected than ever before.
The potential link to a nation-state raises the stakes even higher, he continued.
“I think we should be scared and take this very seriously because it could be a nation-state issue. But the fact is, once the tools are there they could just leave it out and anyone could do [the attack.]” he said.
DHS spokesman S.Y. Lee confirmed that the department contacted several entities affected by the malware but declined to say how many. He also said the agency believes there are several entities that do not yet know they have been hacked.
The Oct. 29 threat alert included information to detect the malware and mitigation strategies, including keeping control system devices off the Internet, protecting systems and devices with firewalls and monitoring administrator level accounts used by third party vendors.
By Anya Litvak: firstname.lastname@example.org and Deborah M. Todd / Pittsburgh Post-Gazette. Originally published here.
A summary of the “Data Breach: The Cloud Multiplier Effect” survey from Ponemon sponsored by Netskope is below.
The survey reveals how the risk of a data breach in the cloud is multiplying. This can be attributed to the proliferation of mobile and other devices with access to cloud resources and more dependency on cloud services without the support of a strengthened cloud security posture and visibility of end user practices.
Ponemon surveyed 613 IT and IT security practitioners in the United States who are familiar with their company’s usage of cloud services.
- 51% say on-premise IT is equally or less secure than cloud-based services
- 66% of respondents say their organization’s use of cloud resources diminishes its ability to protect confidential or sensitive information
- 64% believe it makes it difficult to secure business-critical applications
A lack of knowledge about the number of computing devices connected to the network and enterprise systems, software applications in the cloud and business critical applications used in the cloud workplace could be creating a cloud multiplier effect. Other uncertainties identified in this research include how much sensitive or confidential information is stored in the cloud.
For the first time, Ponemon attempt to quantify the potential scope of a data breach based on typical use of cloud services in the workplace or what can be described as the cloud multiplier effect. The report describes nine scenarios involving the loss or theft of more than 100,000 customer records and a material breach involving the loss or theft of high value1 IP or business confidential information.
When asked to rate their organizations’ effectiveness in securing data and applications used in the cloud.
- 51% of respondents say it is low
- 26% rate the effectiveness as high. Based on their lack of confidence
- 51% say the likelihood of a data breach increases due to the cloud
Key takeaways from this research include the following:
Cloud security is an oxymoron for many companies.
- 62% of respondents do not agree or are unsure that cloud services are thoroughly vetted before deployment
- 69% believe there is a failure to be proactive in assessing information that is too sensitive to be stored in the cloud
Certain activities increase the cost of a breach when customer data is lost or stolen.
An increase in the backup and storage of sensitive and/or confidential customer information in the cloud can cause the most costly breaches. The second most costly occurs when one of the organization’s primary cloud services provider expands operations too quickly and experiences financial difficulties. The least costly is when the use of IaaS or cloud infrastructure services increases.
Certain activities increase the cost of a breach when high value IP and business confidential information is lost or stolen
Bring Your Own Cloud (BYOC) results in the most costly data breaches involving high value IP. The second most costly is the backup and storage of sensitive or confidential information in the cloud increases. The least costly occurs when one of the organization’s primary cloud providers fails an audit failure that concerns the its inability to securely manage identity and authentication processes.
Why is the likelihood of a data breach in the cloud increasing?
Ideally, the right security procedures and technologies need to be in place to ensure sensitive and confidential information is protected when using cloud resources. The majority of companies are circumventing important practices such as vetting the security practices of cloud service providers and conducting audits and assessment of the information stored in the cloud.
The findings also reveal that 55% do not believe that the IT security leader is responsible for ensuring the organization’s safe use of cloud computing resources. In other words, respondents believe their organizations are relying on functions outside security to protect data in the cloud.
- 62% of respondents do not agree or are unsure that cloud services are thoroughly vetted for security before deployment
- 63% believe there is a lack of vigilance in conducting audits or assessments of cloud-based services
- 69% of respondents believe there is a failure to be proactive in assessing information that is too sensitive to be stored in the cloud
There is a lack of confidence in the security practices of cloud providers
Respondents are critical of their cloud providers’ security practices. First, they do not believe they would be notified that the cloud provider lost their data in a timely manner. Second, they do not think the cloud provider has the necessary security technologies in place.
- 72% of respondents do not agree their cloud service provider would notify them immediately if they had a data breach involving the loss or theft of their intellectual property or business confidential information
- 71% of respondents fear their cloud service provider would not notify their organization immediately if they had a data breach involving the loss or theft of customer data.
- 69% of respondents do not agree that their organization’s cloud service use enabling security technologies to protect and secure sensitive and confidential information
- 64% say these cloud service providers are not in full compliance with privacy and data protection regulations and laws
Lack of visibility of what’s in the cloud puts confidential and sensitive information at risk
The number of computing devices in the typical workplace is making it more difficult than ever to determine the extent of cloud use. According to estimates provided by respondents, an average of 25,180 computing devices such as desktops, laptops, tablets and smartphones are connected to their organization’s networks and/or enterprise systems.
Ponemon asked respondents to estimate the percentage of their organizations’ applications and information that is stored in the cloud. They were also asked to estimate the percentage of these applications and information that are not known, officially recognized or approved by the IT function (a.k.a. shadow IT).
30% of business information is stored in the cloud but of this, respondents estimate 35% is not visible to IT. This suggests that many organizations are at risk because they do not know what sensitive or confidential information such as IP is in the cloud.
What employees do in the cloud?
- 44% of employees in organizations use cloud-based services or apps in the workplace
- 53% use their personally owned mobile devices (BYOD) in the workplace
- 50% of these employees use their own devices to connect to cloud-based services or apps.
Do certain changes in an organization’s use of cloud services affect the likelihood of a data breach?
- 17% say the use of cloud-based services significantly increases
- 34% say it increases the likelihood of a data breach. Ponemon define a material data breach as one that involves the loss or theft of more than 100,000 customer records or one that involves the theft of high value IP or business confidential information.
Calculating the economic impact of a data breach in the cloud.
Ponemon calculate what it might cost an organization to deal with a data breach in the cloud involving customer records. These calculations are based on Ponemon Institute’s recent cost of data breach research and the estimated likelihood or probability of a data breach based on cloud use. The calculation involves the following four steps:
- First, drawing upon Ponemon Institute’s most recent cost of data breach study. Ponemon determine a cost of $201.18 dollars per compromised record.
- Second, based on a data breach size of 100,000 or more compromised records in the survey and using the unit cost of $201.18 times 100,000 records. Ponemon calculate a total cost of $20,118,000
- Third, from the survey results Ponemon extrapolate the average likelihood of a data breach involving 100,000 or more questions at approximately 11.8% over a two-year period.
- Fourth, multiplying the estimated likelihood or probability of a data breach at 11.8% times the total cost of $20,118,000 Ponemon calculate a baseline expected value of $2.37 million as the average of what an organization would have to spend if it had a data breach involving customer records lost or stolen in the cloud.
Ponemon calculate what it might cost an organization to deal with a data breach in the cloud involving high value IP. Once again, these calculations are based on Ponemon Institute’s recent cost of data breach research and the estimated likelihood or probability of a data breach based on cloud use. The calculation involves the following steps:
- First, drawing upon Ponemon Institute’s IT security benchmark database consisting of 1,281 companies compiled over a 10-year period, Ponemon estimate an expected value of $11,788,000.
- Second, based upon the estimates provided by respondents Ponemon extrapolate the likelihood of a data breach involving the theft of high value information at 25.4%.
- Third, multiplying the estimated likelihood or probability of a data breach at 25.4% times the total cost of $11.788 million Ponemon calculate a baseline expected value of $2.99 million as the average economic impact for organizations in our study.
What can cost an organization the most when it has a data breach involving the loss or theft of IP? The most costly scenarios involve the growth in the number of employees using their own cloud apps in the workplace for sharing sensitive or confidential information (a.k.a. BYOC) and an increase in the backup and storage of IP or business confidential information in the cloud.
The average costs to deal with these two types of data breaches are $5.38 million and $4.93 million, respectively.