Page 1

AGA/EEI Accounting Leadership Conference

Emerging Trends: Cyber Security

Robert Mims
Director, Security - Gas, Nuclear, and Gen/Tran Operations
Southern Company

Page 2

It could happen to anyone


Presentation notes:

• Typical costs related to a breach: $176/record (Forbes.com), $196/record (Ponemon Institute)

• Target – 40M records, $229M in breach response expenses, $90M insured. CEO & CIO sacked.

• Home Depot – 56M records, $64M, $59M insured (reported in 2014; expect this to climb as there are ongoing class action lawsuits).

• Sony – terabytes of internal emails, unreleased movies, employee data. $35M

• Anthem – 78M records, estimates reach $1B
Page 3

Threat Actors

– Other nations (nation-states)

– Criminals (organized crime, hackers)

– Hacktivists

– Insiders (or external actors acting in the shoes of insiders)


Page 4

Threat Landscape

Cyber extortion – “ransomware” – and spear phishing

Election-year cyber breaches

Economic espionage

Breach of retailers – point of sale terminals

Breach of insurance companies

Possible broader emergence of new Asian threat actor

Coordinated attack in Ukraine impacts electric service


Page 5

Threat Landscape Evolution

Key Issues

• Threat landscape continually changing

• Sophistication of threats

• Increased reliance on technology

• New technology introduces new risk

• Mobility of information

• Consumerization of the workplace

• Mobile applications

• Internet of Things (IoT)


Page 6

Threat Landscape – Specific Actors

Figure: map of potential adversaries and their tactics.

Potential adversaries: China, Russia, Iran, North Korea, SEA (Syria), India (emerging)

Adversary tactics shown: Distributed Denial of Service (DDoS); focused on media; decrease in activity?; visible operations; activity decrease? – monitor political environment; emerging; “spear phishing”; website compromise

Page 7

Is the Threat Real?

1988 – Morris Worm. First person convicted under cyber fraud and abuse act

1999 – Melissa Virus: MS Word attachments, resulted in AV sales increase

2001 – Code Red virus; I Love You virus

2006 – NASA blocks email attachments before shuttle launches. Plans for the latest US space launch vehicles breached

2007 – INL demonstrated the Aurora vulnerability. Cyber attack destroys generator.

2009 – Albert Gonzalez stole 45.7M credit cards from TJX, costing $256M

2009 – Google’s China HQ attacked, accessing Gmail accounts of Chinese human rights activists

2010 – Stuxnet – physically destroyed over 1,000 Iran centrifuges

2012 – Saudi Aramco – physically destroyed over 30,000 workstations

2013 – APT1 Report: Chinese Army infiltrating networks in every US sector to steal IP

2013 – South Korea banks attacked by logic bomb deleting/destroying computers. South Korean stocks tumbled after attack

2013 – Target breach, 40M cards, CEO & CIO replaced

2014 – Home Depot, 56 million credit cards. HVAC vendor's network

2014 – Sony Pictures attack

2015 – Deep Panda; OPM breach, 21.5M records; Anthem, 80M records

2016 – DNC emails; Yahoo, 500M & 1B accounts; Dyn (Twitter, Netflix, PayPal, Pinterest), IoT DDoS; CEO email scams; NSA cyber tools leak; Ukraine electric utilities

2017 – WannaCry ransomware

Page 8

Major Ukraine Oblenergos


Page 9

The Targets

• The country’s grid is synchronously connected to three neighbors (Russia, Belarus, and Moldova)

• Four of a total of 23 Oblenergos in Ukraine, each primarily providing power distribution (as well as some generation and transmission functions), were targeted

• The attacks were synchronized and coordinated, and were likely preceded by extensive reconnaissance

• On December 23, 2015, breaker controls at three of the four Oblenergos came under remote control of the attackers. The fourth provider thwarted the attack by removing remote access functionality

TLP GREEN

Page 10

Ukraine Power Grid Incident – Prykarpattyaoblenergo: What We Know

Power restored after 6 hours by utility workers shutting down SCADA devices and switching to manual operations (validating manual recovery / operations strategies)

December 23, 2015 – Issues reported at several of Prykarpattyaoblenergo’s substations, resulting in the loss of power

KillDisk malware component found in the electric utility’s network, linked to cyber attacks on Ukrainian media during local elections in October 2015

Call centers for Prykarpattyaoblenergo and Kyivoblenergo experienced a telecommunications-based denial of service (DoS) attack

Investigation concluded that malware was not the cause of the power outage, although it was present on Prykarpattyaoblenergo’s devices

Other power distribution companies were affected, including Chernivtsioblenergo and Kyivoblenergo

Industry experts agree, based on the logistics and complexity of the incident, that this was a coordinated attack (including disruption of telephony and websites to hinder communications)

Page 11

Ukraine Electrical Grid Attack – Attack Sequence

Attack sequence (figure): Malicious Email (Spear Phishing) → Workstations Compromised → Malicious Communications Established → Passwords and User IDs Compromised → Remote Access Gained → Manual Power Shutoff → Destructive KillDisk → Data Center Power Shutoff → Telephony Attack


Ukraine Attack Sequence: Unauthorized remote access to manipulate breakers via the Human Machine Interface (HMI) [SCADA workstation]

Video of Attack

Page 12

Internet of Things DDoS – Unknown Actor

IoT, Botnets and DDoS

• A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.

• Internet of Things (IoT) connects everyday devices to the internet (e.g. IP cameras, routers, smart TVs, refrigerators, and other non-traditional computer devices).

• Manufacturer default passwords on these IoT devices are being compromised – allowing them to participate in botnet operations and DDoS attacks.

Publicly confirmed DDoS attacks

• Krebs on Security blog attacked by record-breaking 620 Gbps DDoS, Sept 2016

• French hosting firm OVH attacked by a DDoS that set a new record of 1.1 Tbps, also in Sept 2016

• Dyn, a domain name service provider, was taken offline for half a day on Oct 21st, 2016, impacting connectivity to PayPal, Twitter, Amazon, Netflix, Reddit, and others.

DDoS Protection

• Carrier DDoS protection

• Daily scanning of IoT devices

Page 13

Cyber Strategies to Address Risk

Figure: diagram organized around four themes – Defense in Depth, Defense Evolution, Leverage Federal Capabilities, and Intelligence Sharing.

Terms appearing in the diagram: Segmentation of assets; Outer Defenses; Isolation Zones; Network; Internet; Industry; Government Agencies; Industry ISAC; 3rd Party Threat Intel; Partnership Agreement; Automated Intel Sharing; Southern Network Vulnerability Scanning; DOE CRISP (Cyber Risk Information Sharing Program); Technology Refresh; Spear Phishing Protection; Government Intelligence; Operating System Controls; Remote Access; Removable Media Protection; New Approaches – Technology

Page 14

Questions?