The FBI wants to talk about cybersecurity

From: Intelligent Utility

Kathleen Wolf Davis

The FBI usually deals with cyber attacks (often referred to as “intrusions”) after they’ve happened, but that hindsight gives them a unique view of how utilities can prepare.

“First, understand that the FBI’s perspective is often from a reactive response to intrusions that have occurred with victims,” said Kevin Kolbye, assistant special agent in charge of the Dallas Division, about utilities and cybersecurity. “As a result, we see the damage done by these intrusions and observe what precautions are needed or what actions could have been taken to prevent such an intrusion.”

Kolbye added that, while the FBI understands that utilities (and other industries facing cyber attacks) have to balance protection with the bottom line, there are basic steps that can be taken at any level, and many of those revolve around education.

“A lot of it, from the inside, is just training,” he noted.

The FBI classifies two types of intrusions: physical and cyber. Physical intrusions usually involve terrorists that seize U.S. interests, usually abroad, although there are American soil versions, including a recent attack in Dallas suburb Plano where a local Texas man has been indicted for unlawful possession of an explosive device.

In the utilities industry, this type of intrusion might involve the invasion of a substation or an attack on transmission lines. Kolbye pointed out that, usually, the motivation behind physical attacks is disruption of services or the taking of hostages. Despite the growing focus on cybersecurity, Kolbye feels that utilities should not let down their guard with physical issues. Those will always remain a threat.

The second type of intrusion, cyber attacks, may also have a disruptive motivation behind them, but most actually focus on the gleaning of proprietary information or industry secrets. And the area most often penetrated remains supervisory control and data acquisition (SCADA) and industrial control systems (ICS).

According to Kolbye and FBI data, 48 percent of system compromises take less than one day to complete. Seventy-five percent are not detected for a week or more. And close to 90 percent could have been avoided through simple, intermediate controls.

The FBI categorizes cyber threats by type of attacker: foreign state-sponsored actors, criminal hackers and what they call “hacktivists,” all of whom the Bureau sees as threats to the utility industry (including power grids, gas distribution and water systems).

Those with the highest skills and the most significant threat level remain the state-sponsored actors, who possess layered plans that may work around existing defenses and who can go undetected in older systems. The criminal hackers sit on the second tier of sophistication and are often “crooks out for financial gain,” as Kolbye put it. The lowest tier houses the hacktivists, often driven by the need to send some type of message—political or social. Hacktivists are the loudest group by far, but the lowest threat. So, don’t let the noise of those messages drown out the quieter threat that the other tiers present.

Kolbye warns that the FBI has seen a significant uptick in foreign state-sponsored intrusions of SCADA systems across the board recently.

So, how does a utility avoid being a part of those frightening stats about compromises? Given that a utility has to plan for three possible kinds of cyber attacks from three varied sources with a number of different potential motives, where does a utility start planning?

Luckily, these three tiers (state-sponsored, criminals, hacktivists) can be divided into two types of threats: insider and outsider. For the outsider threat, you start not by assessing your current infrastructure for vulnerabilities. (That’s actually step #2.) You start by mapping out what you have.

“After all, how do you know what to protect and rebuild if the network isn’t mapped out beforehand?” Kolbye asked.

For the rest of the advice from Special Agent Kolbye—included in the full print article—download the May/June issue of Intelligent Utility magazine.