Robert M. Lee thinks we should start taking infrastructure cybersecurity seriously.
For a number of people right now, that may mean calming down.
The U.S. is coming off two high-profile cyber threats that were less dangerous than many made them out to be. They included malware that was falsely reported to be capable of tearing down the electrical grid and hacks of business computers at power plants falsely reported to be capable of interrupting electricity.
At the same time, the founder and CEO of industrial systems security firm Dragos Inc. feels that when the public does not perceive an apocalyptic threat, the issue of cybersecurity seems to slide out of view.
“It’s worse than people think and far better than people want to imagine,” Lee said in a recent interview with The Hill.
Dragos was intimately involved in the first of the two threats, industrial control system (ICS) malware that briefly interrupted power in Kiev, Ukraine, in the last days of 2016.
Alongside antivirus firm ESET, Lee’s company produced one of two simultaneously released reports on CrashOverride, which is only the fourth known type of malware to target ICS. It is one of only two designed to destroy the industrial process and the only one that targets the electrical grid.
Dragos stumbled onto CrashOverride when reporters contacted Lee as an ICS expert on June 8, four days before ESET planned to release its own write-up.
“ESET said, ‘Well, since you’re getting it from reporters anyway, here’s our analysis,’ ” Lee said. “They didn’t even give us the malware samples. We had to take their analysis to figure out what the malware samples would be, then go hunt for them.”
Yet Dragos’s report, completed in a whiplash 96 hours, became extremely influential, including giving CrashOverride its name, borrowed from the 1995 film “Hackers”; ESET had proposed “Industroyer.”
Lee had first worked with ICS as a volunteer in Cameroon. At the time, he was studying electrical engineering at the Air Force Academy. He wanted to help, so he hopped a plane to the country without any real plan on how.
When he got there, he was told that traditional charity work was not what the country wanted — it was focusing on building an economy. What the country did need were wind turbines and water filtration units, all of which run on ICS.
“I said, ‘I can give it a shot,’ ” Lee said.
When he returned to the Air Force and began focusing on cybersecurity, Lee found no one was looking at ICS security, despite its use in the Air Force’s deployed tools, such as satellites and unmanned drones.
So he started researching ICS security in the field’s infancy.
When he arrived at U.S. intelligence, there, too, no one was studying ICS. But as he rose through the ranks, he was tasked with finding unknown threats, and he focused his team on industrial systems.
He founded Dragos in 2013.
For years, the boogieman of cybersecurity warnings has been an attack on the national power grid.
In a catastrophic event, there might be so many blackouts that the strain on remaining plants trying to pick up the slack will cause them all to crash. But such attacks are difficult to pull off. The grid is not a single thing, but a network of separate networks.
That “cascading effect” requires far more damage than CrashOverride or any current malware is likely to provide. The state of the art has yet to reach that level of danger, Lee said.
“CrashOverride is a real threat. Here’s the nuance that was lost: It’s not civilization-ending. It’s a scary evolution of tradecraft, but it’s not something that we should start prepping for and reading Ted Koppel’s ‘Lights Out’ and all that,” said Lee, referencing a book that is notorious within the cybersecurity industry for overhyping the threat to the grid.
Similarly, the “amber alert” recently issued to U.S. power companies warning about successful hacking in the sector is likely not Russia’s final-stage preparation to take down power plants around the country, despite reports that the National Security Agency had attributed the attacks to Moscow.
“Right now, the campaign is targeted at energy companies and has only made it into the business networks. We don’t know if it’s made it into the industrial networks of those companies though,” Lee said.
“It’s not trivial to move from the business networks to the industrial networks, and our grid has a lot of safeguards, but it’s concerning to see adversaries targeting civilian infrastructure regardless.”
Lee has been fighting for realism in the industrial hacking space for years.
When a faulty 2015 report from the now-defunct security company Norse alleged Iran was attacking critical infrastructure, the National Security Council called him at 3 a.m., preparing to brief the “big guy.”
“They sent a report. Just right in bold letters, ‘Iran is preparing for a cyber offensive.’ It just goes through all of their ‘data’ on how Iran is going to be attacking U.S. critical infrastructure. They can prove it’s Iran, and here’s the targets that Cyber Command should go back after. I was like, ‘crap,’ ” Lee said.
“It took me like three minutes of looking at it, going this is just shit data. I told them, ‘This is bad and I wouldn’t brief this to anybody.’ I never heard from them again.”
While Norse’s Iran report was flawed, it was emblematic of a greater problem in the ICS security space: marketing the apocalypse to the detriment of the actual threat.
“I can say it very bluntly. Don’t make shit up. It’s simple as that. People care about these issues, especially as you’re talking to critical infrastructure. You will get congressional-level discussion going quickly. If they know you’re full of it, they’ll never invite you back and you’ll never move the needle,” Lee said.
Attacks, he noted, do not need to end civilization to have a large-scale disruptive impact on local communities or economies.
“I think a lot falls on security professionals here, where they look like they’re running into a brick wall all the time with people making change. It feels like nothing’s moving forward. A lot of people say, let’s just hype it up, maybe they’ll take it seriously. Ends will justify the means,” Lee said.
“The problem is, besides the loss of credibility, which you’ll never get back, the real issue is you will end up trying to dedicate resources to the hyped-up threats and you actually won’t be applying resources to the actual impact and threat we have. There’s a reason for the nuance.”