Industry Reactions to U.S. Department of Energy Cyberattacks: Feedback Friday

The systems of the United States Department of Energy were breached more than 150 times between October 2010 and October 2014, USA Today reported this week based on records obtained through the Freedom of Information Act (FOIA).

The documents obtained by the news outlet are redacted so it’s unclear how many of these attacks resulted in the theft of sensitive information. The Energy Department has refused to comment on who might be responsible for the cyberattacks.

Records show that Department of Energy components were targeted 1,131 times over a 48-month period and 159 of these attacks were successful. The National Nuclear Security Administration accounts for 19 of the successful attacks, while the DoE’s Office of Science suffered 90 breaches.

Federal records also revealed that in 53 cases the attackers had gained administrative access to the compromised systems.

At least two of the breaches suffered by the Department of Energy in recent years are public knowledge. One incident, which resulted in the unauthorized disclosure of employee and contractor information, was reported in February 2013. Another breach was reported in August of the same year, when the personal details of 14,000 DoE employees were compromised. These security incidents came to light shortly after an Office of Inspector General report slammed the department for its lack of cyber incident management.

Many of the industry professionals contacted by SecurityWeek warn that such attacks could have serious consequences unless the government takes steps to properly protect its systems. Others, on the other hand, believe there is no need to panic just yet.

And the feedback begins…

Foreground Security's Director of Cyber Operations, Mark Orlando:

"Having consulted at the NNSA (National Nuclear Security Administration) for a number of years prior to joining Foreground, I can say confidently that successful intrusions into the NNSA environment don’t necessarily equal successful compromise of information about the nation’s power grid or nuclear weapons stockpile. To assert that it does overlooks the network segmentation and other controls in place to separate 'corporate' data from national security and/or nuclear data.

That said, we know these controls are not infallible and this doesn't mean the news isn't cause for alarm. We know that several of the National Labs were breached going back to 2011, and prior to that. The larger concern here is that much of our nation's critical infrastructure, including the power grid and related industrial control systems, is at risk. NNSA has at least implemented enough instrumentation to know that there have been intrusions into some of their systems. We should worry about the nuclear utilities and supporting infrastructure that are not as well instrumented and may not even be monitored to such an extent."

Jalal Bouhdada, Founder and Principal ICS Security Consultant at Applied Risk:

“The latest incident demonstrates that critical-infrastructure companies must shift cyber security higher up the agenda. In April this year, the Department of Energy warned of the risk of terrorism on ageing electrical grids. A few months later, we discover its computer systems have been the subject of continuous infiltration since 2010.

The USA’s federal records are the tip of the iceberg when it comes to attacks against the global energy sector. With a growing number of ICS vulnerabilities and exploits being uncovered, it is clear critical infrastructure is seen as a highly susceptible and lucrative target. Over the coming years we will see incursions by nation states or terrorist adversaries grow exponentially as they hit nuclear facilities, power grids and pipelines.

In each case, attackers have a clear strategy that involves going after a variety of data stores, including IP, economic espionage and CI information, along with plans and projects that are under review by the Department of Energy. Clearly, the driving force behind these attacks is economic and strategic gain. Attackers are looking to hit the jackpot by infiltrating military offense capabilities and gaining early access to new technologies.”

Shay Zandini, CEO of Cytetgic:

"In Israel, the chairman of IEC (the Israel Electric Corporation) was quoted saying that they are the target of a few thousand attacks per hour… While this is certainly apples-to-oranges, if you look at the 'success rate' for attacks against the US Department of Energy, 1,131 cyberattacks over a 48-month period in which 159 were successful… that is almost a 10% success rate, which for hacking of critical infrastructure is scary.

Critical infrastructure defenders should aim for a zero successful attack ratio, or at least zero meaningful successful attacks. The government needs to help these organizations, fund them, train them, and audit them rigorously. As far as what they can do to prevent this from happening: implement controls to contain the attack once it happens, ideally diverting attacks to specific honeypots or servers that could support some forensics processes. Moreover, these organizations must put in place controls that physically segment the production network from back-office networks. They should take extra care with their SCADA systems, since in the past it has taken way too long to detect attacks, which makes them much harder to remediate."

Ilia Kolochenko, CEO and founder of High-Tech Bridge:

"Personally I don't think there is any immediate need to panic as we'd have to get further details about and a clearer view on these attacks to see them as true cyber security threats. If a secondary website is defaced by hacktivists for fun, it's much less dramatic than professional cyber mercenaries taking over complete control of the DoE's SCADA system.

However, the number of cyber attacks that the DoE has been victim to between 2010 and 2014 highlights the necessity of ensuring your website has regularly updated and improved cybersecurity systems in place. The majority of attacks, including complicated APTs, start with insecure websites and vulnerable web applications, so companies and governments should definitely pay more attention to their web assets to prevent such attacks in the future."

TrapX Executive Vice President Carl Wright:

"Attacks against the Department of Energy's information systems are targeting the core of our critical infrastructure: the nation's power grid and information about our nuclear weapons stockpile. This is a large and visible target. To put this in context, within the United States alone there are 7,300 operational power plants. These power plants include many types of generators which may include nuclear, hydro-electric, coal-burning and more. A core part of our power grid is powered by nuclear energy. Certainly these nuclear plants stand out immediately as extremely dangerous if the Industrial Control Systems (ICS) within them are compromised in any way.

The DOE information technology networks leverage ICS within many of the power plants. This provides supervisory systems used to control a variety of processes remotely using internal networks and management software including Supervisory Control and Data Acquisition (SCADA) systems, Programmable Logic Controllers (PLC) and Distributed Control Systems (DCS). All of the ICS have become the key pivot points and bulls-eye center targets for the attackers within utility plants and their networks. In addition, most of the ICS components are running old operating systems such as Microsoft XP, and remain highly vulnerable to attack and compromise if the attackers can penetrate the networks.

Once an attacker has penetrated these networks, it is very difficult to scan and detect their presence within SCADA, PLC and DCS components using traditional cyber defense."

Lior Div, CEO, Cybereason:

"While operating off limited information, to me, this sounds like the number of successful attacks is a function of the 'P' in APTs, or that the Department of Energy needs to up its post-breach detection and remediation game. My guess is that they never fully got rid of all the elements of previous attacks, making it very easy for those behind the attacks to get back in. So what might look like thousands of attacks are really a much smaller set of attacks that were never fully remediated. We have seen this before, situations where post-breach, organizations think they fully remediated the environment from the adversary, while in fact they haven't…

While you need to have continuous monitoring in place (this is a given), technology aside, security teams need to be merciless in asking themselves, 'is it over?', and deeply question it. Most of the time, APTs are hard to clean; that's what makes them so devious. Experts might scoff at what they believe is simple or known code, but is it really? Maybe it's known code that's been modified… It is a concern the whole industry should look at, but government agencies that are in charge of securing critical infrastructure need to consider themselves a military target and take appropriate measures."

Philip Casesa, (ISC)2, Director of Product Development and Portfolio Management:

"We live in a time of unprecedented intelligence gathering by any number of hostile information adversaries. This includes individuals that hack for sport, hacking groups with a social agenda and governments spying on each other. Information security teams in all areas of our critical infrastructure are required to perform superhuman vigilance in the defense of these systems against attackers that can truly come from anywhere. These personnel are now as critical to our national defense as early warning radar personnel were for NORAD during the Cold War. They must see the attacks on our systems and repel them because a severe attack on the power grid, a dam or other critical power element can have a devastating impact on civilians if an outage lasts even a few hours over a large population. Despite all the military advances of the last 30 years, cyber threats remain one of the largest and most likely threats to our way of life.

With 150 successful attacks against the Department of Energy, these groups may already have what they need to conduct a successful operation. They have personnel records that can be mined for weak links and, potentially, other information that can also be reviewed for weaknesses. I hope the lessons from this latest DOE revelation are clear and the proper vigilance applied to its systems to protect our most critical infrastructure."

John Pirc, Chief Strategy Officer and Co-Founder, Bricata:

"The fact they only had 1,131 cyber attacks in a 48-month period seems rather low considering they are a U.S. Federal Government agency. Additionally, it only takes one weak link, and they found 159 that led to 53 instances of gaining root/administrative privileges that they are aware of. One instance of root/administrative privileges is bad enough, let alone 53 instances.

However, the great thing is that they found it and are likely addressing the problem. With any cyber attack, time to protection against both current and legacy threats is extremely important. This requires both endpoint and network security devices to provide the capability to offer expanded coverage that will provide the greatest amount of protection, which goes to my point on awareness… identifying what you know is good, but it's what your security products don't know that can and will place your organization at more risk. In the end, it's all about coverage and the ability to identify said attack."

Stephen Boyer, co-founder and CTO of BitSight:

"The data from the FOIA request obtained by USA Today demonstrate that every sector is the target of attack and often victim of compromise. What differentiates high performing organizations is not necessarily the absence of intrusions but the speed of response and recovery. The very fact that DOE has detected the issues and marked them as ‘losses’ is a signal that they have a process in place for detection, response, recovery, and reporting."

Todd Helfrich, Federal Director at ThreatStream:

"If you've been paying attention to the media the last few years, there's no doubt we are in the middle of a cyber-arms race. In fact, over the last decade attacks and adversary motives have matured in their sophistication and intent. [...]

SCADA/ICS systems are critical to our life today. Our energy, our water, our fuel are just a few resources managed by SCADA (supervisory control and data acquisition) and ICS (industrial control systems). We have to protect these vital resources.

There are enemies of the USA that have malicious intent and wish to incite fear or attain political, financial and military advantages over the USA. The cyber war is upon us and we need to shore up our defenses. I don't think there is any question that cyber is on the agenda of every "C" level executive and board member today.

The adversaries attacking U.S. interests are known, as are their motives; integrating that knowledge into deployed IT and IT security technologies will help fend off the adversaries as the arms race continues."

Vijay Basani, President and CEO of EiQ Networks:

"Clearly, securing the infrastructure of our nation's government agencies is just as important as securing the critical infrastructure these agencies oversee. I am amazed that after the US Government was accused of being involved in Stuxnet, which successfully compromised Iranian PLCs, DOE wouldn't do everything in their power to ensure that their security was bulletproof. It's incredible to see that a large number of servers with sensitive data had default passwords and that a significant percentage (more than 10%) of attempts to breach the network were successful.

After all of the conversations about cybersecurity frameworks and the need to shore up Federal systems, the DOE seems to have turned a blind eye to the need to do so. I wonder, is this due to a lack of funding or skill set? Regardless, they must pay attention to the critical responsibility of securing these systems. Think of how catastrophic even one attack could be.”

Jason Lewis, Chief Collection and Intelligence Officer, LookingGlass:

“This is a common story across government because the low priority of security in the budget makes the task of preventing intrusions more difficult. I'm starting to think the best chance for agencies to combat threats is government wide programs that give them access to tools and services without spending their own budgets. DHS has those programs and the capability to create more. If agencies aren't asking DHS for help, they are missing opportunities to prevent breaches.”

Robert Griffin, Chief Security Architect at RSA:

“The recent report on cyber attacks on the US Department of Energy (DoE) underscores the serious and on-going threats to critical infrastructure not only in the U.S. but around the world. These threats have been increasingly visible over the past several months. [...]

Fortunately, there is considerable effort already underway to improve the security of critical infrastructure. The White House has issued several executive orders related to critical infrastructure, including EO 13636 "Improving Critical Infrastructure Security" and EO 13691 "Improving Private Sector Information Sharing," which have increased awareness and support for improving the security of critical infrastructure. There are a number of important government-sponsored projects on critical infrastructure security around the world, including the creation of national initiatives for critical infrastructure security in the US and Europe, and government-funded projects such as the EU-funded SPARK Smart Grid security research project (for which I am technology director). [...]

Though there is certainly lots of work to be done, essential building blocks for effective security of critical infrastructure do exist, including not only technology, but also process- and people-related capabilities.”

Yuval Eldar, Founder, Secure Islands:

"In this day and age, the first thing any organization needs to do is to accept the fact that it will be hacked – that is, if it’s not already infected.

The second is to understand that it's impossible to prevent a hack, and when it comes to cyber you don't win on "points," meaning preventing 149 attacks won't help you when number 150 breaks through your defenses. It only takes one successful attack to bring down the entire defense system, and one very well executed attack can easily turn into 159 from the same people or affiliated groups.

Given this reality, the paradigm/mindset has to shift from securing the holes in the security perimeter to investing the effort in protecting the information itself. Because it's the information (the records, the files, the emails, the accounts) that the hackers are after, and if they can't obtain it, they are likely to move on."

Steve Durbin, Managing Director of the Information Security Forum:

"First, it should be understood that intrusions do not necessarily mean data was compromised or exfiltrated, so we always have to be careful to distinguish between an intrusion and either loss or damage to data as a result of such intrusion. Secondly, the recent attacks targeting the U.S. Department of Energy clearly demonstrate the need for a resilience-based approach.

No longer can we assume that our systems will be 100% secure. Organizations of all sizes, governments included, need to plan for intrusion and potential loss or damage in their security and business continuity plans. Furthermore, it is incumbent upon us to ensure that we adequately protect our assets in line with their business criticality, since it is unrealistic to expect to be able to throw a blanket level of security over all of our assets to the same degree. This attack once again reinforces that sound business impact analysis, in the context of our risk appetite and vulnerability profile, is essential in a resilience-driven organization."

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.