What the Sony Attack Teaches Us About Security Convergence - Lessons for the Power Industry on Securing Critical Infrastructure
- February 12, 2015
- 724 views
The hacking of Sony Picture Studios over the release of a movie mocking North Koreas head of state was a serious cyber-attack on vital corporate assets, business data and the private personal information of Sony employees, contractors and vendors. The severe economic and reputational consequences of Sonys failure to adequately protect its systems will be more expensive by orders of magnitude than the cost of first-rate security to prevent, detect and rapidly respond to breaches. While experts work to shore up remaining systems and architect fortified systems for the future, law enforcement authorities search for the perpetrators, politicians debate proportional responses and the North Korean government and hackers issue more threats.
Sadly, despite the significant damage done to Sony Picture Studios, this is not a worst case scenario. Worse still would be attacks on critical U.S. infrastructure, like the power grid, water systems, oil and gas transmission systems, telecommunications and dozens of other systems, the failure of which could result in widespread death, injury and chaotic social conditions.
Sony Pictures Attack Overview
Hackers appointing themselves Guardians of Peace (GOP) penetrated Sony Picture Studios exfiltrating a reported 100 terabytes of data, wiping hard drives and damaging servers. Incident data and numerous reports suggest that this level of attack was made possible by a physical presence in the organization (insider or otherwise, no one is certain). The data and its subsequent release to the public contains an unprecedented amount of detail about the internal workings and personnel at Sony Pictures including;
- - Employee PII - Everything from names, addresses, social security numbers and other typical PII data to criminal background checks and offer letters. A complete loss of HR data.
- - IT Documents - The internal networks detailed specs including thousands of RSA SecureID tokens and credentials for internal application. Also exposed were the business credentials at third party providers such as UPS/FedEx, iTunes, Sprint, YouTube, Verizon and others. From passwords to asset lists, all that was needed to run an environment supporting 6,000+ employees was lost
- - Healthcare Data - Along with the HR documents, numerous healthcare related documents were released, further showing how deep the attackers penetrated into the network
- - Movies & Business - Numerous yet to be released movies were uploaded to flittering sites, along with business documents detailing release schedules, and private emails between executives and talent, having both a financial and reputation impact on the organization
Only a fraction of the data was released by the GOP. Other critical and damaging information could be released in the future as part of an extortion plan to block Sonys release of the film, The Interview. With this significant loss of control and denigration of the IT and physical systems, the only disaster recovery plan left to Sony may be to start over.
Entertainment Today, Energy Tomorrow
Now lets turn to a worst case scenario: a cyber-attack attack on the nations electric power grid and supporting entities. While any number of threats to the grid can be imagined from impulse weapons to coordinated, armed attacks, Remote hackers working with or without informed or clueless internal accomplices are believed to be the most probable threat. Pure cyber-attacks against critical infrastructure organizations are typically downplayed (the power will still flow), but with an increased reliance on IT supporting infrastructure to carry out business operations, the Sony incident provides an chilling example of how damaging and far reaching an attack can have. So what can we do to prevent, detect, and mitigate the effects of an attack on the grid?
Like in the Sony incident, a major attack on the electrical grid will most likely be caused by a combination of cyber, physical and ICS (industrial control system) attack vectors.
- - Physical Security Systems - Identifying the insider threat is difficult without physical access data correlated with online actions and data analytics. Why is an employee badged into the control center when he/she is not on shift or on vacation? Who is logging into the control system in one location while being badged in at the corporate office hundreds of miles away?
- - IT Systems - Enterprise environments do a lot more than provide email and internet access. IT departments now provide the critical supporting infrastructure for physical security systems (such as badge readers, cameras and perimeter defenses), real-time operational SCADA systems and mission critical data on maintenance, inventory, personnel, equipment configuration and dozens of other factors essential to up-to-the minute control, safety and security. With this support comes traditional cyber vulnerabilities and risks that require data from multiple systems for contextual understanding and informed action. .
- - Operational (ICS) Systems - The threat of cyber-enhanced attacks has grown as operational systems have become more automated and integrated. A single threat actor can now effect multiple, integrated systems from a single location. Furthermore, a single action can have a domino effect on multiple systems. Combined with physical access, cyber attacks against the grid can change an isolated outage to a system-wide event.
The Solution: Security Convergence
Unfortunately, the essential data for fast, contextually informed prevention, detection and mitigation is typically stored in separate silos overseen by IT security, physical security and operational systems controllers. This separation of data that should be available for real-time checking and correlation is the antithesis of contextual intelligence and the vulnerable under-belly of security in most organizations. Only by correlating the information and data alerts, triggers and data calls - from each of these silos can an effective defense be implemented.
A major reason for the growing number of security fiascos in the todays headlines is the failure to design rule-based systems that enable convergence of data relevant to potential or current breaches. One common theme continues to emerge. Only after the event has taken place do security investigators look at all of the relevant security data.
Investigations at Sony Picture Studios will no doubt look at physical access logs, anomalies in employee access, contractors and visitors. They will no doubt look at how tens or hundreds of terabytes of data was exfiltrated and passed through cyber perimeter defenses without automated authorization checks or how malware propagated throughout the network and which credentials were utilized to gain more access and authorization for action. Connecting these dots will give Sonys investigators the hindsight to discover which systems and/or employees acted in ways that were damaging to the organization. Abnormalities will be detected and a timeline of events will be created. This will be too little, too late.
Why wait for a catastrophic breach and massive economic, reputational and community cost to justify a system to converge security data in real-time from disparate silos? With all the puzzle pieces from physical, cyber and operational data systems in place, the final piece called convergence is all that is needed to complete the picture. While disastrous for Sony Picture Studios, the incident pales in comparison to a similar event occurring in the power industry. All the experts predict this will happen. The only remaining questions are when, where and to whom it will happen. Will it be you?