Cybersecurity has had a rough year.
Presidential nominee Hillary Clinton’s campaign suffered setbacks when hackers obtained and leaked embarrassing emails. Malware tied to a Russian hacking campaign turned up on a laptop at a Vermont power utility, although that machine was not connected to the grid.
Closer to home, hackers — likely located overseas — shut down Bingham County’s computer system on Feb. 15, forcing the county to pay three bitcoins — a decentralized digital currency, then worth about $3,500 in total — to regain control of their system and get back to work. Last week, Amalgamated Sugar Co. notified nearly 3,000 employees that hackers had obtained personal information listed on their W-2 tax forms.
Cybersecurity was the topic Wednesday at the Idaho Technology Council’s Energy Connected 2017 conference. One speaker was Zach Tudor, who oversees one of the nation’s leading cybersecurity teams as the associate director of national and homeland security at the Idaho National Laboratory.
Tudor’s team focuses on protecting critical infrastructure such as utility grids, control systems and computer systems embedded in larger systems. He answered the Statesman’s questions.
Q: Tell me about the lab’s cybersecurity team.
A: Across my directorate, we have about 500 people. My cyber-research team is 55 to 60 people. I have about 150 people working on wireless critical infrastructure.
We have wireless technicians and people with some skills you might use working with substation equipment at AT&T or Verizon. We have 110 miles of electrical transmission and distribution equipment. We have everything from people who climb poles to people who understand power electronic substation automation. We have people who respond to and triage attacks, whether it’s at a water utility or electric utility, or transportation.
We also have analysts who reverse-engineer software, so if a piece of malicious software attacks infrastructure, they reverse-engineer that software, find out how it might affect the system and how to mitigate it.
Q: What other kinds of systems do you research?
A: One example is automotive systems. A couple of researchers went to auto-reclamation facilities and found components from three or four of the same model of car and put together the electronics systems of the vehicle — radios, the navigation system, the lights. They started understanding the protocols and all the messages that go back and forth, and identified some vulnerabilities and how to mitigate them. The research was so compelling that when they wrote their next proposal, we bought them a car. They now have three cars in the lab. We’re taking our expertise out to the automotive industry and working to develop some cooperative research and development agreements to help them make their systems more secure.
Q: In your talk, you pointed to home thermostats as seemingly benign household systems that could be vulnerable to cyberattacks. How can those kinds of everyday items threaten bigger systems?
A: In 2016, we saw an attack where someone found a vulnerability in something similar to a thermostat [with wireless capability] and used that to perform a series of denial-of-service attacks on infrastructure. It basically took control of thousands of embedded structures — things like thermostats — and sent them to the same address of a business with a request for information, over and over. That flooding attack caused the system to be unresponsive to the people doing actual work.
Criminals are starting to figure out how to monetize those kinds of attacks, to hold a business to ransom for extortion. Without even hacking it, they can cause a system to be unresponsive so work can’t get done. We are all very concerned about nation-state attacks and terrorism. But we’re concerned about criminal hacking, too.
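The flooding attack Tudor describes has a recognizable shape in a target’s own logs: one path hammered by many distinct sources in a short window, unlike a single misbehaving client or normal browsing. The script below is an added example, not code from the Statesman article or from the Idaho National Laboratory. It parses access-log lines in the common Apache format and flags any (time window, path) bucket whose request count and distinct-source count both exceed thresholds. The log lines, IP ranges and thresholds are constructed for illustration; real thresholds would be tuned to the site’s baseline.

```python
"""Spot a distributed request flood in web-server access logs.

Added example (not from the original article or INL). It models the attack
described above: thousands of hijacked devices repeating the same request
against one business. All log data below is constructed, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "common log format": client - - [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Return a dict with src, ts (aware datetime), path, status; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"src": m.group("src"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def detect_floods(lines, window_s=10, min_requests=100, min_sources=50):
    """Bucket requests by (window, path) and flag distributed floods.

    A bucket is an alert only when BOTH the request count and the number of
    distinct source addresses are high: one chatty client trips neither a
    DDoS signature nor this check, while a botnet of thermostats does.
    Thresholds are assumed values for the example.
    """
    buckets = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash mid-incident
        window = int(rec["ts"].timestamp()) // window_s * window_s
        b = buckets[(window, rec["path"])]
        b["count"] += 1
        b["sources"].add(rec["src"])
    alerts = []
    for (window, path), b in sorted(buckets.items()):
        if b["count"] >= min_requests and len(b["sources"]) >= min_sources:
            alerts.append({"window_start": window, "path": path,
                           "requests": b["count"], "sources": len(b["sources"])})
    return alerts


# Constructed benign traffic: a handful of ordinary page views.
NORMAL_LINES = [
    '10.0.0.5 - - [10/Mar/2017:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/Mar/2017:09:00:03 +0000] "GET /about HTTP/1.1" 200 2048',
    '10.0.0.5 - - [10/Mar/2017:09:00:04 +0000] "GET /api/status HTTP/1.1" 200 17',
    'garbage line that does not parse',
]


def constructed_flood(n_devices=300, per_device=2, path="/api/status"):
    """Build log lines for a flood: n_devices distinct (constructed) addresses,
    each repeating the same request per_device times inside one 10-second window."""
    lines = []
    for i in range(n_devices):
        src = f"198.51.{100 + i // 256}.{i % 256}"  # documentation-range addresses
        for _ in range(per_device):
            sec = 5 + (i % 5)  # seconds 05..09, all inside the 09:00:00 window
            lines.append(f'{src} - - [10/Mar/2017:09:00:0{sec} +0000] '
                         f'"GET {path} HTTP/1.1" 200 17')
    return lines


if __name__ == "__main__":
    for alert in detect_floods(NORMAL_LINES + constructed_flood()):
        print(alert)
```

Run stand-alone it prints one alert for `/api/status`; the benign lines alone produce none, and a single source repeating a request would not trip the distinct-source threshold. Tudor’s point about resilience follows from what the alert cannot do: detection tells the operator a flood is underway, but keeping the business working still needs rate limiting or upstream filtering that a small utility may have to arrange in advance.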
Q: Bingham County was recently crippled by ransomware. How is the Bingham County attack instructive for governments and businesses?
A: It shows all levels of business and government are vulnerable. A lot of times, we hear about attacks at the Secret Service, or the Office of Management and Budget, or others, and think the targets are huge government entities. We have to realize there’s valuable information all over the country and all over the world.
Q: Hackers phish their way into systems by duping employees into downloading malware. That happened recently at Amalgamated Sugar. What needs to happen to prevent those attacks?
A: It starts with earlier education, whether it’s K-12 or STEM training, to make sure we have basic hygiene around cybersecurity from a young age, because we’re going to be living with these systems for a long time. But we also need to educate at the business level to be more vigilant about the things we click on.
Q: What role did the lab play in the response to the Ukraine power-grid hack last year?
A: Ukraine asked the State Department to send some resources out there to find out what happened. The attack affected 225,000 people and 20 percent of the substations. Control operators were literally sitting with their hands on their knees, watching the mouse move without their control as somebody was turning off those lights. We believe some of the initial attacks were based on email phishing to get into the systems.
We learned the Ukraine system is not as automated as our systems here, and because they were in a small geographical area, they were able to send technicians out and manually close relays to get the lights back on.
Our system is so efficient because of automation. But it’s also distributed, so it’s hard for an operator to drive 75 miles to the first station, then 110 miles to the next. We have to make sure our systems are resilient to these attacks.
Q: Are bigger, more complex infrastructure systems more vulnerable?
A: Complexity is one of our key challenges. The ability to be efficient drives the sheer number of features in our systems that potentially make them vulnerable.
It’s estimated that 80 percent of people use 10 to 15 percent of Microsoft Word’s capabilities. There are all these specialized features experts use from time to time. It’s similar with our digital control systems. If you are only using 10 percent, there’s another 90 percent that you aren’t aware of, don’t care about or don’t know how to protect adequately that somebody else might exploit.
Q: Hacking is daily news nowadays, especially following hacks of both the Democratic and Republican parties during the election. Is this the new reality?
A: It’s the evolution of tech. The more valuable information is put on systems, whether it’s control systems, databases or email systems, the more someone will go through nefarious means to get it. Ten or 20 years ago, the mindset was that we can keep hackers out of our information systems. The reality now is hackers are going to get in, so we need to have systems to detect them and be resilient enough to protect the data and return to business as usual.
In the future, a hacker-attack news story should be: “Hacker attacks IRS. No data stolen.”
Edited for length and clarity. Zach Kyle: 208-377-6464, @ZachKyleNews