Don’t Want Another Sunburst? Start Thinking Like Your Adversaries

Posted to Idaho National Laboratory in the Digital Utility Group
Senior Grid Strategist, Idaho National Laboratory

Andrew Bochman provides guidance to senior U.S. and international government and industry leaders on energy sector security challenges and candidate solution approaches. A critical infrastructure...

Feb 5, 2021

It may not seem obvious, but state-on-state espionage, like many human endeavors, conforms to certain practical norms. With top tier cyber espionage, adversaries will predictably aim their attacks at the highest value, highest return targets. Depending on the mission objective, sometimes the targets are unique and distinct. But in the case of the Sunburst attack on SolarWinds’ Orion module, we witnessed a massive sweep operation that achieved nearly ubiquitous access and vacuumed up oceans of sensitive corporate and government data. It’s hard to be shocked by major cybersecurity lapses these days, but Sunburst compromises and losses appear to be many times larger than what we’ve seen in the past, and it may mark a turning point in awareness, if not action.

And it may prove to be more than espionage. If in the fullness of time, blueprints, process flow or design diagrams captured in the Sunburst raid help enable a cyber-physical attack on critical infrastructure, then this event could be a precursor to sabotage. Hopefully, this will not be the case. 

There’s no question that massively horizontal threat surfaces – meaning products, or components within products, that are relied on by hundreds, thousands or even millions of organizations – are highly enticing to adversaries. Why? They offer the biggest bang for the effort buck. The Windows operating system was and remains an attractive go-to target for all manner of attackers, not just nation-states. And anyone in a security position, namely your organization’s chief information security officer (CISO), should express concern when a single product or vendor is relied on across the entire federal government, within the U.S. military and at many Fortune 500 companies. SolarWinds’ Orion, a software suite that helps organizations manage, monitor and, yes, secure their networks, was largely given unfettered access to network and system access control credentials. When attackers breached the vendor’s security controls, the compromise reached nearly every customer.

It’s hard for experts versed in targeting and cyber risk analysis to understand why organizations continue to place so much unverified trust in products like this. Observation of this behavior is in large part what led to the development of a new approach to defense. While Idaho National Laboratory’s Consequence-driven Cyber-informed Engineering (CCE) methodology was initially conceived as a set of engineering-based defensive measures to thwart top tier cyber adversaries attempting to sabotage industrial processes within critical infrastructure, some of its core concepts apply to defending information technology environments, such as those compromised by Sunburst, as well. Achieving and maintaining robust cybersecurity defenses is one of the most challenging operational requirements in 2021, but thinking through the following questions will put you on a better path toward keeping your organization’s most essential networks, systems and data secure:

What are your digital crown jewels?

In other words, what matters most to you? What kind of losses are simply unacceptable from a strategic business or mission risk perspective? With finite resources, you can’t protect everything uniformly, so which systems or data simply must not be breached or lost? These are the things that the adversary wants.

What are the most proximate pathways to those jewels?

Those assets you identified in the first question: what do you currently do to protect them? Are you aware of all the ways an attacker might reach them? What extra steps have you taken to ensure they are as safe and secure as your organization needs them to be? Are you putting too much trust in any one product, system or defensive measure? One thing is for sure: adaptive, well-resourced, top tier adversaries likely already know the answers to these questions.

Who touches these systems?

The human element: You vet and trust your employees, but how much scrutiny and how many controls do you apply to the human third parties to whom you give access, such as maintainers and partners? For the things that matter most, the vetting and monitoring must be extreme.

The supply chain: The products and services that comprise and theoretically defend your IT environments. How demanding have you been of the suppliers – whether U.S. based or not – whose products or services might provide a skilled adversary a pathway to your crown jewels?

How much can be learned about your networks and systems from public sources?

You shouldn’t make it any easier for adversaries to learn about your environments, dependencies and vulnerabilities before they send malicious packets your way. Scrub your online materials and insist your partners, suppliers and customers do the same regarding anything that might shorten your adversary’s learning curve. And by assuming you’ve already been breached (a safe working assumption), adopt the perspective of your adversaries and ask: “What do we need to know and do, and where do we need to be in a system to achieve the disruptive or destructive effects our bosses seek?”

Are you storing operational technology credentials in IT systems?

If your environment is not an entirely IT operation and you have operational assets that are or support critical infrastructure, make sure you make the adversary’s job as difficult as possible by segmenting your networks. And by all means, DO NOT STORE authentication credentials for operational technology (OT) systems and networks in IT systems. With Sunburst’s penetration into OT still unknown, it doesn’t take an alarmist to know that it’s time for extra vigilance.
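One way to turn the rule above into a repeatable check is to audit IT-side configuration and script files for credential assignments that sit next to an OT address or an OT-style hostname. The following Python script is an added example, not code from the post or from INL’s CCE material; the OT address ranges, the hostname prefixes (plc, rtu, hmi, scada), the file paths and the file contents are all constructed assumptions for the demonstration, and a real deployment would read the files from the IT file shares and repositories you actually want to audit.

```python
"""Audit IT-side files for stored OT credentials (added example, constructed data)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed OT address space and naming convention; both are constructed for this example.
OT_NETWORKS = [ipaddress.ip_network("10.50.0.0/16"),
               ipaddress.ip_network("192.168.200.0/24")]
OT_HOST_RE = re.compile(r"\b(?:plc|rtu|hmi|scada)[\w-]*", re.IGNORECASE)

# A line that assigns a credential-looking key, and dotted-quad addresses in nearby lines.
CRED_RE = re.compile(r"\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*\S+",
                     re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Finding:
    path: str
    line_no: int
    target: str
    reason: str


def ot_target(context: str) -> Optional[Tuple[str, str]]:
    """Return (target, reason) if the text names an OT address or host, else None."""
    for ip_str in IP_RE.findall(context):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # dotted quad that is not a valid address (e.g. 999.1.1.1)
        for net in OT_NETWORKS:
            if ip in net:
                return ip_str, f"address inside OT range {net}"
    match = OT_HOST_RE.search(context)
    if match:
        return match.group(0), "hostname matches OT naming convention"
    return None


def audit_file(path: str, text: str, window: int = 5) -> List[Finding]:
    """Flag credential lines whose surrounding lines (+/- window) name an OT target.

    The credential line itself is part of the context, so a password that merely
    contains an OT prefix can also trigger; treat findings as leads for review.
    """
    lines = text.splitlines()
    findings: List[Finding] = []
    for i, line in enumerate(lines):
        if not CRED_RE.search(line):
            continue
        lo, hi = max(0, i - window), min(len(lines), i + window + 1)
        hit = ot_target("\n".join(lines[lo:hi]))
        if hit:
            findings.append(Finding(path, i + 1, hit[0], hit[1]))
    return findings


def audit_files(files: Dict[str, str]) -> List[Finding]:
    """Audit a mapping of path -> file contents (e.g. collected from an IT share)."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(audit_file(path, text))
    return out


# Constructed sample files standing in for what an IT share might hold.
SAMPLE_FILES = {
    # IT-only database credential, address outside the OT ranges: not flagged
    "it/backup.ini": "host = 10.10.5.20\nuser = backup\npassword = Winter2021!\n",
    # IT-side polling script that embeds a PLC login: flagged
    "it/scripts/poll_plc.sh": "#!/bin/sh\nHOST=10.50.3.17\nUSER=engineer\nPASSWORD=plc-admin-pw\n",
    # Inventory that names OT hosts but carries no credential: not flagged
    "it/inventory.txt": "hmi-01 192.168.200.11\nrtu-07 192.168.200.43\n",
    # Historian connector keyed to a SCADA-named host: flagged
    "it/historian.yaml": "server: scada-hist-02.corp.example\napi_key: abcd1234\n",
}

if __name__ == "__main__":
    for f in audit_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: credential near OT target {f.target} ({f.reason})")
```

Run on the constructed sample the script reports two findings (the PLC polling script and the historian connector) and stays silent on the IT-only backup credential and the credential-free inventory file. The address-range check is the reliable signal; the hostname check depends on your site actually following a naming convention, which is why each finding carries its reason.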

For more information on CCE: the CCE methodology, its origins and best uses are described in detail in Countering Cyber Sabotage: Introducing Consequence-driven Cyber-informed Engineering, a book being published this month by CRC Press Taylor & Francis.

Andy Bochman is a senior grid strategist at Idaho National Laboratory and co-author of the book mentioned above. A Harvard graduate and former Air Force Academy instructor, Bochman is a leading expert in infrastructure security with more than 20 years of experience. 

Idaho National Laboratory
Part of the U.S. Dept. of Energy’s complex of national laboratories, INL performs work in each of the strategic goal areas: energy, national security, science & environment. INL is the nation’s leading center for nuclear energy research & development.
Matt Chester on Feb 5, 2021

In other words, what matters most to you? What kind of losses are simply unacceptable from a strategic business or mission risk perspective? With finite resources, you can’t protect everything uniformly, so which systems or data simply must not be breached or lost? These are the things that the adversary wants.

These are tough lessons-- the fact that you may have to triage and leave some areas more vulnerable than others. But with everything so interconnected in systems today, does this way of thinking end up bringing about risk of breach of the lower priority assets leading those adversaries to the higher priority channels that you wanted protected at all costs? 

Richard Brooks on Feb 7, 2021

Comment withdrawn

Jim Stack on Feb 5, 2021

The human is the weakest link. Just one person letting their access be compromised and all the security is gone. Limiting each person's access and rights to certain areas and platforms can help, but they are still the weakest link. How can that be covered? Does AI provide a detection system for humans gone wild?

Richard Brooks on Feb 14, 2021

UPDATE 2/14/2021: I was contacted by Robert Smith of INL via LinkedIn, pointing out some characteristics of CCE that may make my decision worth reconsidering. Here is Robert's expanded description of CCE, sent via LinkedIn, and my response reconsidering my decision based on his updated description.

We have enough dragons to slay to protect the electric grid from bad guys, so any improvement in cyber protections, especially with the software supply chain, should be given top priority. It helps when we all work together, respectfully, to keep our grid safe.

Never trust software, always verify and report!™
