Sunday, May 12, 2013

Critical Information Sharing

I’ve kind of been sitting on an interesting if incomplete story since Thursday evening. Part of the delay is an interest in allowing the intelligence and counterintelligence folks a chance to operate I obscurity (where they do work best), but another part is an effort to protect my access to sensitive information. That plus the fact that I don’t have access to the whole story meant that there was no urgent need to share the information that I do have. Enough time has now passed that I think I can address the implications of what I do know; so here goes….

An Evolving Energy Sector Threat

On Thursday there was a brief and generic article in the Washington Post about DHS warning of “of a heightened risk of a cyberattack that could disrupt the control systems of U.S. companies providing critical services”. About the same time that this article appeared there were messages going out through various information sharing portals. One such message read:

“Energy sector asset owners are strongly encouraged to contact ICS-CERT at and request access to the ICS Cert portal regarding a current non-public advisory. This advisory has to do with a significant active threat detected in the wild in which threat actors are seeking access to control system networks of energy asset owners via the corporate networks of target entities.”

Now, anyone that has been following control system security matters with any level of concern knows that there has been an ongoing attempt to infiltrate energy sector IT networks over the last year or so. This has been discussed by ICS-CERT in many of their open source publications, but most of the details have been kept under closer held distribution to DHS, the intelligence community and the affected organizations in the private and public sector via the restricted Homeland Security Information Network (HSIN). All of the open source information has made it clear that the ‘attacks’ have been targeted on IT networks and not control system networks, though there has been oblique mention that information about control systems may have been exfiltrated in these attacks.

It would seem that the probing of energy sector computer networks may have expanded to include actual penetration of control system networks, not just exfiltration of information about those networks. The actual extent of that penetration is not clear, though any reasonable person would conclude that there has been no attempt made to disable, disrupt, or deny access to any significant portion of the energy network. The government would not be able to keep the lid on anything that major.

Information Sharing Tools

I would be willing to bet that the informal information sharing effort initiated last Thursday was effective at reaching a large percentage of the potentially affected organizations. After all, ICS-CERT and US-CERT have been actively reaching out to these same organizations for a while now. Still, the fact that DHS felt compelled to utilize these secondary information sharing portals to reach this specific audience says a great deal about the current state of information sharing in the energy sector specifically and all critical infrastructure in general.

DHS should have been able to specifically contact an action person at each of the potentially affected organizations and directed them to contact ICS-CERT via HSIN. Or perhaps ICS-CERT should have been able to contact the action person themselves. Obviously neither was possible and that is very scary. If this had been about an actual attack on these organizations, the delay in having to use tertiary communications means could mean the difference between mitigating an attack in progress or coordinating a massive restoration action.

This is going to have to be a primary activity in the establishment of the President’s Cybersecurity Framework. There must be a positive, active, and responsive communication linkage between DHS and each critical infrastructure organization and/or facility. DHS must be able to reach out to each and every one of these facilities in a timely and targeted manner when active intelligence information becomes available. It is not appropriate nor effective to try to establish communications protocols and points of contact when perishable actionable intelligence is available.

No NTAS Alert

There are going to be the inevitable complaints that there has not yet been an alert posted on the National Terrorism Alert System (NTAS) for this cyber-incident. These complaints will be an unfortunate holdover from the bad old days of the over-reactive color-coded warning system. First off there is no indication in any of the information that I have heard that this has anything to do with terrorism; it is almost certainly an intelligence operation conducted by a nation-state.

Second, there does not appear to be anything that would require any action by any member of the public, or even conventional law enforcement or emergency response personnel. Again, everything that I have seen or heard indicates that this is an intelligence operation, not an attack, or even necessarily a precursor to an attack. Thus there is no need for an NTAS alert.

Finally, an alert would have been counterproductive for the same reason that I held off mentioning this any sooner. The intelligence and counterintelligence folks needed to have time to determine the extent of the potential control system breach and identify mitigating controls to put into place before the adversary involved knew that the penetration had been detected. Prematurely announcing the intrusion would allow the adversary to potentially withdraw their probes undetected or otherwise reduce the information that might be gleaned about the probe.

For now, move along, there is nothing to see here.


Anonymous said...

Pat, I've seen some of these alerts. Aside of notification, there doesn't appear to be much actionable information.

It is mostly reactionary stuff that is fine to bring attention to, after-the-fact.

Let's face it: those who fall for this are doing it to themselves through inadequate security measures. Telling them the explicit vectors after such malware has been discovered is interesting, but rather academic.

Anonymous said...


I have seen the FOUO alert that was issued last Thursday and you have pretty much figured out correcty that it is moslty an intelligence vs. an attack issue we are concerned about at this point. And when I say intelligence, I mean "preparation of the battlefield" type of intelligence. That being said, there is no indication that a major attack is imminent. Second there was much actionable information in the Indicator spreadsheet file that accompanied the alert. Third, as a public-private partnership, the owners and operators (O/Os)have to assume their share of the responsibility. All O/Os with control systems should contact ICS-CERT and get on their HSIN portal and alert notification list. The ICS-CERT contact information is shown below.

ICS-CERT Operations Center 1-877-776-7585 Email:
For industrial control systems security information and incident reporting:

/* Use this with templates/template-twocol.html */