
STAYING CLEAN: CYBER HYGIENE & SOCIAL ENGINEERING

WITHIN SCADA & INDUSTRIAL CONTROL SYSTEMS

______

A Thesis

Presented to the

Faculty of

San Diego State University

______

In Partial Fulfillment

of the Requirements for the Degree

Master of Science

in

Homeland Security

______

by

Drew Kirk Facetti

Summer 2018


Copyright © 2018 by Drew Kirk Facetti All Rights Reserved


ABSTRACT OF THE THESIS

Staying Clean: Cyber Hygiene & Social Engineering Within SCADA & Industrial Control Systems
by Drew Kirk Facetti
Master of Science in Homeland Security
San Diego State University, 2018

Critical infrastructure facilities allow the United States and other nations to run smoothly every day. Many critical infrastructure facilities that use Supervisory Control and Data Acquisition (SCADA) systems are susceptible to cyber-attack. Among the many facilities that use SCADA systems are electric grids, nuclear power plants, water treatment facilities, and transportation systems. These Industrial Control Systems (ICS) commonly feed into the response and management systems mandated by the Department of Homeland Security for protecting United States assets and people and for responding to natural and man-made events. Enhancing US national SCADA/ICS protection is becoming ever more important as the interconnectivity of the nation and the world expands with the Internet of Things (IoT) and the Industrial Internet of Things (IIoT), while known risks and threats continue to rise. Creating and providing in-depth cybersecurity and cyber hygiene recommendations will give privately owned Critical Infrastructure (CI) facilities that use SCADA/ICS the tools to prevent cyber-attacks. Finding ways to further the cybersecurity of SCADA and ICS systems will benefit the public and the owners of the systems, as attacks continue to increase via the profoundly interconnected nature of today's internet. New approaches are promising, such as enhancing major public-private partnerships like FBI InfraGard and potentially new national bodies like the Department of Energy's Office of Cybersecurity, Energy Security, and Emergency Response (CESER) or other specialized agencies. Private-sector and government professional organizations and conferences focused on SCADA and ICS are also leading the nation and the world in being better prepared and in learning from the attacks and mishaps that have affected others.

Turning the SCADA/ICS security recommendations provided by the National Institute of Standards and Technology (NIST) into requirements will better prepare the workers of CI facilities for cyber-attacks. Turning the recommendations into requirements will also strengthen the government contracts under which security audits of CI facilities are performed.


TABLE OF CONTENTS

ABSTRACT
LIST OF FIGURES
CHAPTER
1 INTRODUCTION
  Problem Statement
2 CYBER CRIME
  Cyberterrorism
  Cyber-Espionage
  Cyber War
3 ATTRIBUTION
4 CYBER WEAPONS
  Types of Attacks
  DDoS
  Phishing and Spear-Phishing
  Zero-Day Vulnerabilities
5 NUCLEAR POWER PLANTS
  Electric Grid
  Water Treatment Facilities
  Fiber Optic Cables
6 NIST
  Recommendations and Suggestions
  Requirements


  Relationships, Resources, and Collaborations
  CESER
  Office of Intelligence and Counterintelligence
  InfraGard
  USNORTHCOM
  OSAC
  Fusion Centers
  ICSJWG
  ISACs
7 FIBER OPTIC NETWORKS
  Zero Days
  Attribution
8 FINAL STATEMENT/CONCLUSION
REFERENCES
APPENDIX: SUPPLEMENTARY FIGURES


LIST OF FIGURES

Figure 1. SCADA diagram.
Figure 2. Photograph depicting the US F-35, left, and the Chinese J-20, right.
Figure 3. Picture showing what computer screens looked like after the Sony hack.
Figure 4. Screenshot of a computer with the "WannaCry" ransomware activated. The instructions within need to be followed or the encrypted files will be deleted.
Figure 5. Map of the eight different power grids in the United States.
Figure 6. Firewall diagram.
Figure 7. Libelium smart world concept.
Figure 8. Screenshot from Shodan.io, which provides the user with information about a Verizon Wireless page for CI.
Figure 9. Screenshot showing the "http" URL, which will allow anyone to connect to the login page for Verizon.
Figure 10. Screenshot of the login page to access crucial CI information.


CHAPTER 1

INTRODUCTION

Cyberspace is ever growing and there is no obvious indication that it will stop, so the vulnerability of our world to attacks through cyberspace is also an ever-growing challenge. One such area of society is the critical infrastructure that allows society to function. Cyber-attacks on our critical infrastructure (CI) have become a significant concern as once-isolated systems are connected to the internet for ease of control and linkage to other CI systems, producing potentially cascading dangers from interconnectivity (Deibert, 2012). Every day, CI is used in the United States and around the world to manage parts of our lives, from carrying water from treatment facilities to its destinations, to providing electricity from electrical grids and nuclear power plants, to administering medical services to individuals at hospitals. All three of those CI sectors depend on the internet and cyber systems every day to function as they do in serving society. That is why protecting our nation's CI from cyber-attack should be a top priority for leaders and Homeland Security managers charged with protecting such CI. This thesis will evaluate why specific components of the CI world, such as Supervisory Control And Data Acquisition (SCADA) and Industrial Control Systems (ICS), should be considered significant risks to the nation from attacks by individuals and state actors, perhaps even to the level that a "cyberwar" could occur. In particular, this thesis looks at the fundamental problem of cyber hygiene: the simple things that people do via the internet that can compromise SCADA and ICS infrastructure which was largely designed to be air-gapped and standalone, and therefore not subject to threats like spear phishing or malware.

This thesis will also assess the recommendations provided by the National Institute of Standards and Technology (NIST) for protecting SCADA/ICS, and why companies and groups accepting government contracts need to be compliant with NIST standards.


PROBLEM STATEMENT

Supervisory Control And Data Acquisition (SCADA) is a control system (software) that allows the operator to monitor a live view of a process in their facility and to issue commands to it. SCADA systems are used in many industries, including energy, food and beverage, manufacturing, oil and gas, power, recycling, transportation, and water and waste management (Inductive Automation, n.d.). While SCADA is the software layer through which the operator sees the process and sends commands, the Programmable Logic Controller (PLC) is the hardware that actually runs the control logic: it reads sensors, drives actuators, and reports process values back over the control network to the SCADA server and its human-machine interface. Many of the industries that use SCADA systems are part of the Department of Homeland Security's critical infrastructure sectors, among them the Chemical Sector, Critical Manufacturing Sector, Dams Sector, Energy Sector, Food and Agriculture Sector, Nuclear Reactors, Materials, and Waste Sector, Transportation Systems Sector, and Water and Wastewater Systems Sector (Department of Homeland Security, n.d.). A generalized diagram of a typical SCADA system is shown in Figure 1, from the 2015 NIST report Guide to Industrial Control Systems (ICS) Security (Stouffer, Pillitteri, Lightman, Abrams, & Hahn, 2015).

Figure 1. SCADA diagram. Source: (Stouffer et al., 2015).

There have been attempts in the past to educate the President of the United States, Congress, and other members of the Federal Government about the importance of protecting CI, and about ways for the government to help protect assets that are mostly owned by the private sector but relied on by everyone in the nation. Some Federal leaders and lawmakers have proposed good ideas, while others have enacted laws that did not reflect the reality of critical infrastructure ownership, responsibility, and response to disruptions. One example is the 1997 Cyber Policy, which introduced the idea of a partnership between the government and private owners of critical infrastructure (Marsh, 1997). The partnership was to include information sharing between the private sector and the government, and shared responsibility among owners and the government (Marsh, 1997). The 1997 Cyber Policy provided great insight and recommendations for protecting America's CI from cyber-attack through partnership, but it is still being refined as more and more nuances of policy, responsibility, and interconnectedness affect the CI world. When a privately owned CI facility is attacked, informing the government should be one of the first steps taken, because of the criticality of CI to the United States and its people. Lack of fresh water, communications, transportation, or other forms of CI for an extended period can lead to public harms such as rioting, injuries, crime, and even death. The government obviously needs to know if an attack occurs, though determining that something like a fire or explosion is an "attack" is often a secondary determination; the primary concern is the event itself, which firefighters and other responders must handle however it started. Disrupting water, electricity, medical care, or other CI will generally cause impacts that first responders and others deal with first, and only afterwards do others work out how it occurred, for example whether it resulted from a SCADA attack. The complexity of understanding cyber-attacks, and of labeling attacks as attacks rather than "system failures," "acts of God," or other common labels, makes interaction with the government challenging, because the government can also be the prosecutor if the company was at fault.

A simple example was the Witch fire near San Diego in 2007, when power was lost and the fire started; it was later determined in court that wind had swung the power lines into trees and ignited the fire. San Diego Gas and Electric was fined $1.1 billion for the event, so reporting the power outage, which was entirely obvious, also involved actions that were used in court to establish negligence. Owners of critical infrastructure are often in the difficult position of working to resolve failures like power outages while knowing that the government may be the party that comes after them as responsible for failing to protect the infrastructure (here, failing to foresee the wind speed) (Jones & Rowe, 2017).


Shared responsibility between the government and privately owned CI is crucial for a host of reasons, including simply the resources needed to respond to a failure of CI, whatever its cause: natural disaster, cyber-attack, or system failure. Fending off a cyber-attack or cyber-espionage campaign from a nation such as China will require far more resources than fending off a lower-level intruder such as a ransomware operator (Pagliery, 2015). For example, it would take far more resources and time to fend off an attack from a nation such as Iran or China than from a group of hacktivists (Chapter 2) trying to prove a point or cyber criminals trying to extort money via ransomware. This is further complicated because cyber-attacks are most successful when no one knows an attack has occurred, yet the attacker has gained control of or access to critical information or infrastructure. As an example, Chinese hacking into US military and intelligence community think tanks has been extensive but not always discovered until well after it took place, so China had access to those networks for an unknown period without the military or intelligence think tanks knowing and therefore without responding. In many situations the government can provide resources to help respond to attacks, especially by linking SCADA security experts to one another, though most such experts are likely in the private sector because most SCADA-driven critical infrastructure is privately owned. A national and even international SCADA and ICS protection and response team could certainly help in such situations, but no such team really exists at the moment. The 1997 policy provides excellent insight into why robust and multi-level connections between the government and the private sector should be established with regard to cybersecurity (Marsh, 1997, p. 27).

Actually accomplishing this is far more difficult than setting the governance policy. Much has also changed in technology since 1997, so the regulations were written around very different systems than those largely in use now. Another document that helps articulate the challenges in cybersecurity and what might be done to prepare for and respond to attacks against critical infrastructure is the 2011 cybersecurity report by the Center for Strategic and International Studies (CSIS) (Lewis, 2011). The CSIS report offers helpful high-level strategic insights, such as the understanding that cyber-attacks and cyber espionage are, as of now, a more significant concern than cyber-war. The report goes on to say that the risks are too low for a cyber-war, but there is still concern that one could occur in the future (Lewis, 2011). A critical area to focus on is developing new ways to work with the private sector. The 1997 policy discusses potential partnerships between the government and the private sector; fourteen years later the CSIS report continues with the same idea of how to make CI more secure. The continued discussion of CI in cyber policies shows how essential CI is to the United States. However, whenever CI is mentioned it is something of a double-edged sword: producing cyber-level security solutions for CI shows how vital it is to the US, but offering the same solution (teamwork) for fourteen years is unlikely to remain valid as technology and attack methods have changed dramatically. Although it repeats the recurring solution of teamwork in its broad-brush recommendations, the 2011 CSIS report does not mention SCADA systems, so it makes no specific recommendations for them. A 2006 report by the United States Government Accountability Office (GAO, 2006), produced after Hurricane Katrina, showed that 85% of CI in the United States is owned by private corporations. Since a majority of CI is owned and operated by the private sector, teamwork and partnerships between private-sector owners and operators of CI and the various agencies and officials in government are both critically important and in a constant state of flux, needing renewal, rethinking, and revision as technology, threats, and risks change. SCADA is a crucial element that allows CI to perform every day in the United States, as well as in most other parts of the world where similar software, hardware, and embedded systems are used. It is how everyday life functions, from having clean running water to ensuring that the trolley runs in San Diego every day.

SCADA systems are used across an incredible number of systems, such as water, electricity, health care, and transportation, that are simply part of life rather than high-powered computer centers where traditional cybersecurity efforts are classically focused. How the US can protect these very basic systems, with millions of sensors located in nearly every part of every community, is a daunting challenge both because of the magnitude of the need and because of the importance of protecting life-giving functionality in communities. Similar needs and challenges exist globally, but no specific international SCADA organizations are prominent, though collaboration in critical infrastructure is widespread because the companies involved in providing it are often global companies that can effectively share capabilities around the globe as they protect such private-sector assets. Just as cybersecurity threat and risk information is shared by cyber companies working around the globe, threats to SCADA systems are generally covered by the global web services available to most companies with SCADA systems as they protect their assets and functionality in a multitude of ways. As SCADA and Industrial Control Systems (ICS) become more and more linked to the internet, concepts such as the "Internet of Things" (IoT) and the "Industrial Internet of Things" (IIoT) are now burgeoning fields of activity. Linking SCADA and industrial controls to the internet raises a strange vulnerability in these control systems: people. For example, where companies use the internet to control their SCADA and ICS systems and also use similar software and cybersecurity for other functions like finance and normal operations, a major people-related vulnerability is introduced into the system. Keeping SCADA and ICS systems clean rather than compromised by bad decisions, like clicking on a spear-phishing link that introduces malware into the system, means that simple people problems are effectively introduced into industrial controls. The cybersecurity of this overlap between basic cyber hygiene and SCADA/ICS is the focus of this work.


CHAPTER 2

CYBER CRIME

Cyber-crime is the most basic form of using a computer to a suspect's advantage. Two things are needed to commit a cyber-crime: a computer and a network connection. The major types of cyber-crime include ransomware, Distributed Denial of Service (DDoS) attacks, phishing, and many others (Kelly Warner Law, n.d.). Cyber-crimes are carried out for personal gain, unlike cyber-terrorism, where the primary motive is likely to be political. The Department of Justice and the Bureau of Justice Statistics classify cybercrime into three categories (Bureau of Justice Statistics, 2006). In the first, the computer is the primary target of the crime. In the second, the computer is the weapon used to commit the crime. In the third, the computer is an accessory to the crime (Kelly Warner Law, n.d.). An example of the first category would be an individual trying to obtain information from a computer, which can be done either in person or by using the types of attacks discussed further in Chapter 4. The second category covers cases where the computer is the primary weapon used to carry out the attack (Kelly Warner Law, n.d.). Finally, the third category deals with cases where content such as child pornography or stolen identity information is stored on a computer's hard drive (Kelly Warner Law, n.d.). Cyber-crimes usually have the specific goal of making a profit. One example of profiting from cyber-crime comes from "Attack Kits." An Attack Kit (Exploit Kit) allows anyone, regardless of their knowledge of cyber, to create and distribute malware (Cannell, 2016). How an Attack Kit works can be described in three simple steps. First, an individual creates a type of malware (the Attack Kit), which is then sold or rented on the black market/deep web.
The creators of the malware make the majority of their profit from renting the software (Attack Kit) to individuals rather than selling it (Cannell, 2016). Individuals will usually rent the software a month at a time, with the payments going to the creator (Cannell, 2016). Each kit is designed to exploit vulnerabilities in specific software (Java, QuickTime, Adobe products, etc.) (Cannell, 2016), and those vulnerabilities are used to spread the malware. Vulnerabilities known as zero days (Chapter 4) are not yet publicly known, which makes a kit that includes them more lucrative to rent; some Attack Kits with zero-day vulnerabilities rent for up to $10,000 per month (Cannell, 2016). Finally, the renter spreads the malware to victims across the internet through the software vulnerabilities. Once a victim's computer has been infected by the malware, spyware or ransomware (Chapter 4) is often installed (Trend Micro, 2018). Ransomware encrypts the victim's files and demands a payment for them to be unlocked (Glaser, 2017); if the payment is not made within a certain time, the victim's files are in danger of being deleted. Another type of malware widely used in this same setting is spyware such as a keylogger installed on the victim's computer. A keylogger records which keys are struck on the keyboard without the victim knowing (McAfee, 2013). Keyloggers can give the attacker the victim's passwords to different websites, credit/debit card numbers, PIN codes, usernames, and other confidential information. That information can be used to gain access to bank accounts and to log in to the victim's email account, where more information can be stolen or the malware can spread further through the victim's email (McAfee, 2013). Most creators of Attack Kits know that the renter does not have a significant understanding of cyber or how malware works; the renter has money and a desire to illegally harm someone or some organization.

Creators will sometimes build code into the Attack Kit that gives them access to the buyer's or renter's email account, or installs a keylogger on the buyer's own machine. If the creator of the Attack Kit feels they are not being paid, they can search for the buyer's bank account information or wait for the buyer to log into their account and take what "belongs" to them. An example of an Attack Kit is "ZeuS." ZeuS was a very popular kit that infected over 3.9 million computers in the United States alone (Lawrence, 2015). ZeuS became such a big problem that the FBI launched an investigation to find out who created the malware. The FBI reported that an estimated $70 million was stolen in the United States because of the malware (British Broadcasting Corporation [BBC], 2010). Cybercrime is a substantial issue that affects not only citizens but businesses and CI as well (Armerding, 2016). Preventing cybercrime from targeting CI and SCADA systems is crucial for allowing the United States to operate smoothly. The same challenges are really global, as similar water, electricity, oil and gas, transportation, chemical, and energy systems are used internationally. Cyber is obviously global, so linking CI needs and approaches in the US to those on a global scale is extremely attractive. Internationally, an additional challenge is that some nations that also have CI are likely bad actors in the criminal world of cybersecurity, so some solutions need to be held more closely rather than shared with everyone. In this way, both defensive and offensive cybersecurity concerns matter in the SCADA world.

CYBERTERRORISM

The term "cyberterrorism" gets thrown around a lot by the media, which can make it difficult to understand what it is. Below is a definition by Dorothy Denning (2000), an information security researcher:

Cyberterrorism: unlawful attacks and threats of attack against computers, networks, and stored information when done to intimidate or coerce a government or its people in furtherance of political, religious, ideological or social objectives. Further to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear comparable to that from physical acts. Attacks that lead to death or bodily injury, extended power outages, plane crashes, water contamination, or major economic losses would be examples. Disruption of nonessential services or costly nuisance would not qualify. (p. 1)

Two years later Denning went on to say, "I don't lie awake at night worrying about the ruining my life. They don't rank alongside chemical, biological, or nuclear weapons. They aren't anywhere near as serious as other political, physical threats like car bombs or suicide bombers" (Green, 2002, p. 2). Cyberterrorism is a significant threat faced by SCADA systems and CI, but according to a report produced by the United States Institute of Peace, there has never been a recorded incident of cyberterrorism (Weimann, 2004). Because an incident of cyberterrorism has never occurred, cybercrime and cyber espionage likely pose a higher threat to CI and SCADA systems than cyberterrorism. Denning does an excellent job of explaining the difference between cyber-crime and cyberterrorism: cybercrime is committed for personal gain, while cyberterrorism is done to further a political, religious, ideological, or social objective (Green, 2002). The critical distinction is that cyberterrorism should result in "violence against persons or property, or at least cause enough harm to generate fear comparable to that from physical acts" (Denning, 2000). Without that criterion from Denning, incidents could easily be mislabeled as cyberterrorism when they are cybercrime, or vice versa. The difference between cybercrime and cyberterrorism is especially significant where SCADA systems are concerned. Cyberterrorism should be a concern for those trying to protect the cyber realm, but it should not be placed above cyber-crime and cyber espionage. One way a cyberterrorist attack could occur is if a SCADA system were targeted by a group or individual, resulting in loss of life or damage to property or persons, accompanied by a message from the group or individual responsible. An example would be a nuclear power plant targeted by a group wanting to send the message that illegal dumping of nuclear waste into the environment must stop. For the hack to qualify as cyberterrorism, the group would need to raise the temperature of the reactor causing a meltdown, cause a loss of life as a result, and then release a message threatening other nuclear facilities to stop illegally dumping materials into the wild. It is a big "if," but groups have gone to extremes in the past in their worldwide campaigns to protect the environment.

For example, the Earth Liberation Front (ELF) is a terrorist group that has used methods such as arson to send its message about protecting the environment and the earth. In March 2008, ELF set fire to three seven-figure houses because the builders claimed that they were environmentally friendly; the total estimated damage was around $7 million (Gillespie, 2008). It would be challenging for an eco-terrorist group like ELF to conduct a hack on a nuclear power plant or other CI, because ELF relies on guerrilla tactics to conduct its terrorist activities rather than operating at a cyber level (The threat of eco-terrorism, 2002). But the threat of a hack on a nuclear power plant still exists. In July 2017, there was an attempt to hack into the Wolf Creek nuclear power plant in Burlington, Kansas (Greenberg, 2017). The hack was unsuccessful due to the air gaps (Chapter 6) put in place by the facility: the hackers were only able to gain access to the "business networks" rather than the equipment used to control the nuclear facility (Greenberg, 2017). Had the hackers obtained access to the PLCs controlling the plant, they could have tampered with security alerts and raised the temperature of the reactor, potentially causing a meltdown. Because of the hack, the FBI and Department of Homeland Security stepped in to investigate where the hack originated (Greenberg, 2017). When discussing cyberterrorism, hacktivism is also a concern. Hacktivism is defined as "the act of using legal and/or illegal digital tools in pursuit of political ends, free speech, and the favor of human rights" (Trend Micro, 2015). The only difference between the two is that hacktivism does not result in loss of life or damage to property or persons. There are many major hacktivist groups, four of which are Anonymous, WikiLeaks, LulzSec, and Fancy Bear. Anonymous is one of the best-known hacktivist groups in terms of its media perception or perceived reputation. They do not have set goals to achieve, but they want to combat censorship, promote freedom of speech, and counter government control (Sands, 2016). One of the first instances of an Anonymous hack was called Project Chanology (Singel, 2008). Project Chanology occurred when Anonymous hacked the Church of Scientology following the Church's attempts to censor a video of Tom Cruise being interviewed about Scientology. Anonymous framed the hacks as punishment for the "Church's abuse of copyright laws and alleged brainwashing of its members" (Singel, 2008). Anonymous made DDoS software available for anyone to download so they could use it against the Church. They also made prank calls to the Church, released more documents to the public, and "faxed endless loops of black pages to the Church's fax machines to waste ink" (Singel, 2008).
Unless facilities using SCADA systems somehow make Anonymous members angry and they wish to retaliate, groups protecting CI should not need to worry about Anonymous specifically as likely attackers of CI. WikiLeaks is another famous hacktivist group. Founded in 2006, the group's primary goal is to publish censored, classified, or restricted materials for the world to see (WikiLeaks, 2016). They are mainly middlemen in the process: they allow individuals to send them classified documents and, after reviewing them, either release them to the public or hold them for further review. WikiLeaks qualifies as a hacktivist group rather than a journalism website because it publishes classified documents without permission and has instructed or helped individual sources to obtain specific classified documents for it to publish, rather than only accepting documents (Perez, Brown, Prokupecz, & Bradner, 2017). According to their website, the materials include "war documents, spying, and corruption" (WikiLeaks, 2016). It has so far published more than "10 million documents and associated analyses" (WikiLeaks, 2016). One of the more notable leaks came in 2010, when WikiLeaks started to release classified documents on the Afghanistan and Iraq wars. WikiLeaks claimed to have received 466,743 documents and, as of the time of writing, has released 90,000 of them (Zittrain & Sauter, 2010). WikiLeaks also published over 20,000 emails and 8,000 files from staff members of the Democratic National Committee (DNC) in 2016 (Peterson, 2016). There are at least two major reasons to be concerned about WikiLeaks regarding CI and SCADA systems. The first is the possibility that they hold documents describing vulnerabilities, including zero-day vulnerabilities, in SCADA systems. If they have such documentation they could release it, intentionally or unintentionally exposing SCADA details along with other data and letting the world know how to attack CI. The second concern is internal to each facility: if a disgruntled employee has documents and evidence of their company doing something ethically, morally, or "politically" wrong, they could send the documents to WikiLeaks (WikiLeaks, 2016). If WikiLeaks were to publish the documents, there could be a rise in attacks on SCADA systems and CI once they were identified with some political, ethical, or religious cause or group. Another major hacktivist group is LulzSec. LulzSec was a sister group of Anonymous, formed by former members of Anonymous.
LulzSec is not a typical hacktivist group (Arthur, 2013). Its members left Anonymous to have the freedom to hack whomever they wanted for whatever reason. That freedom did not fit the historical agenda of Anonymous, so individuals with different viewpoints left to form LulzSec (Arthur, 2013). LulzSec and Anonymous both believe in freedom of information, but the type of information each pursues differs because of their agendas. In early 2011, Aaron Barr, the CEO of the security company HBGary Federal, boasted that he had the names of Anonymous members and was going to release them to the public. Barr’s threats angered the Anonymous members who would shortly afterwards form LulzSec, and in retaliation they hacked not only Barr but the company as well, releasing sensitive information such as emails, employee names, and credit card data (Bright, 2012). After the HBGary episode, several members of the group were either arrested or left the group (Bright, 2012). Given those arrests, the group appears to have largely disbanded and does not currently pose a major threat to CI facilities.

Fancy Bear is a significant threat group with ties to the DNC hack and email leaks (Sanger & Corasaniti, 2016; Stone, 2016). Unlike the hacktivist groups above, it is assessed to be state sponsored: according to CrowdStrike, an American cybersecurity company, Fancy Bear is part of the GRU (Main Intelligence Directorate), Russia’s military intelligence agency (Stone, 2016). Fancy Bear is suspected of hacking its victims either to give the Russian government a political advantage in a situation (the DNC hack) or for revenge (Stone, 2016). In addition to its alleged involvement in the DNC hack, the group has been suspected of hacking the World Anti-Doping Agency in 2016, tracking Ukrainian artillery units, hacking the International Association of Athletics Federations in 2017, and releasing emails from the International Olympic Committee in 2018 after Russia was banned from the 2018 Winter Olympics (BBC, 2016; Matsakis, 2018; Meyers, 2016; Rogers, 2017). Fancy Bear attempted to influence the 2016 US presidential election in a number of ways, including using material from the email hack (Brandom, 2016). Fancy Bear appears to have executed a spear-phishing attack (Chapter 4) against Hillary Clinton’s campaign chairman, John Podesta (Brandom, 2016), obtaining Podesta’s email login credentials along with access to other accounts at the DNC (Entous, Miller, & Nakashima, 2016).
After gathering information through the emails, they allegedly provided 20,000 emails to WikiLeaks to publish online for the public to see (Entous et al., 2016; Peterson, 2016). A report published by the Office of the Director of National Intelligence (2017) stated that: We assess Russian President ordered an influence campaign in 2016 aimed at the US Presidential Election…. We also assess Putin, and the Russian Government aspired to help President-elect Trump’s election chances when possible by discrediting Secretary Clinton and publicly contrasting her unfavorably to him. (p. 7).


Official statements from the CIA, FBI, and NSA agree that the Russian government interfered in the 2016 US election; the impact of that interference is difficult to quantify, but it is most commonly interpreted as an effort to sway votes in Donald Trump’s favor (Entous et al., 2016; Office of the Director of National Intelligence, 2017). Alongside the three intelligence agencies, a senior White House official stated that “Putin believed he [Donald Trump] would be much friendlier to Russia, especially on the matter of economic sanctions” ( Staff, 2016). The 2016 DNC hack fits the pattern of Fancy Bear’s intentions (Stone, 2016), and the group allegedly helped meet Putin’s goal of having Donald Trump rather than Hillary Clinton in office. The complexity of this issue and the continuing revelations about the people involved, their real motivations, and their effectiveness will likely take years to understand and resolve, but efforts to attack elections around the world will likely only accelerate as governments seek to influence one another. A sobering part of this picture is how much the US itself seeks to influence the elections and affairs of other countries, most of which is unknown to the public, though exposed in part by WikiLeaks and similar revelations.

A specific example of CI considered susceptible to attack is the trans-Alaska oil pipeline (Harball, 2018). Bill Rosetti, chief information officer of the Alaska pipeline, stated, “We see about 22 million attacks a day. It can be six or seven million some days and 45 million the next” (Harball, 2018). The nature and seriousness of these “attacks” are not publicly described, so there is no easy way to know what the figure represents; raw counts of blocked connections and scans typically far exceed the number of genuine intrusion attempts. Rosetti also fears that a cyber-attack could “interrupt the flow of oil down the pipeline or result in people getting hurt (killed)” (Harball, 2018). As a result of this activity, Rosetti has placed cyber-attacks among the top three risks faced by the pipeline (Harball, 2018). The FBI and Department of Homeland Security released a report warning CI sectors, especially the energy sector, that the Russian government had increased cyber-attacks against US CI facilities (United States Computer Emergency Readiness Team, 2018). An established relationship between the FBI, the Department of Energy, the Department of Homeland Security, and the private-sector owners and operators of CI is clearly of enormous importance, including in extremely remote and challenging physical environments like Alaska.


CYBER-ESPIONAGE

Cyber-espionage is not brought up often when discussing cyber-security, perhaps because it is understood that countries do this to each other, though mostly in secret. According to the National Cybersecurity and Communications Integration Center (2017), emerging cyber-espionage campaigns have targeted multiple sectors in the United States, including the “technology sector, energy sector, healthcare, communications and critical manufacturing” (all CI). Awareness of these threats emerged in force in May 2016, and the campaigns continued to cause issues through May 2017 (National Cybersecurity and Communications Integration Center, 2017). Taking cyber-espionage to be the use of computers to obtain confidential information held by governments, militaries, or businesses, it is clear that it has likely been occurring since the beginning of computing, since states spying on states has been standard practice for thousands of years, including the US spying on other nations. Cyber-espionage is also something companies do to each other, often under the more gracious term “business intelligence.” Cybercrime and cyberterrorism are usually carried out by a group or an individual; cyber-espionage is generally carried out by a state-sponsored group or by one nation trying to obtain classified or critical information from another.

One of the biggest cyber-espionage threats to the United States is China (Department of Justice, 2014; Nakashima, 2013). China has been accused multiple times of hacking into US networks and stealing valuable information. In 2009, an article from reported that the Pentagon’s $300 billion project to build the F-35 had been hacked, and US officials said the attack appeared to come from China (Gorman, Cole, & Dreazen, 2009). In 2011 the J-20 took flight and showed many features very similar to the F-35 (Figure 2) (Huang & Lee, 2016). China reportedly stole over 50 terabytes of data from the Department of Defense to help build its high-tech jet (Gertz, 2015). The F-35 is the most expensive defense project in the United States (Gorman et al., 2009). Because of the program’s cost, China in effect let the United States serve as the “test dummies,” saving money by stealing information rather than developing a program from scratch: the United States proposed the idea, built the jet, worked out what did and did not function, and spent $300 billion making sure the jet works, while China only had to break into the systems where the F-35 plans were stored (Gorman et al., 2009). This is not only a cybersecurity problem; it could cause further problems if a war were to break out between the United States and China, since whoever holds the F-35 design data knows the jet’s weak points and what makes it work. China is not only stealing military files; it is stealing anything it can get its hands on. Mike McConnell, former director of the NSA, said:

The Chinese have penetrated every major corporation of any consequence in the United States and taken information… We’ve never, ever not found Chinese malware. The Chinese are stealing planning information for advanced concepts, windmills, automobiles, airplanes (F-35), spaceships, manufacturing design, and software. (Pagliery, 2015)

Figure 2. Photograph depicting the US F-35, left, and the Chinese J-20, right. Source: (Huang & Lee, 2016).

Because China is stealing whatever information it can obtain, facilities that use SCADA are at risk. Anything from an internet connection to Chinese-made components in their computers can increase the chance of finding Chinese malware in the system. China could look for vulnerabilities (zero days) in SCADA systems itself, or it could contract the task of obtaining SCADA information to others online and let them do the dirty work.


Preventing cyber-espionage is a crucial step in protecting a nation’s cyberspace and economy, yet cyber-espionage seems almost impossible to stop. Every day, phishing attacks are sent to major businesses and organizations such as the Democratic National Committee, , and Sony (Bisson, 2015; Ragan, 2016). The first recommendation for preventing cyber-espionage and phishing attacks is to educate the user, because many of these attacks can be prevented if the user knows what to do. For example, if an employee receives an email from their billing department asking them to send their W-2 information, they should first call the department on a known number to confirm that the request is real. Too often, employees do not want to bother calling and simply send the information, handing it to the attacker. The next recommendation deals with the same type of attack (spear-phishing rather than phishing), but where the goal is to make the target download a file rather than send information. Spear-phishing emails appear to come from a trusted address rather than an obviously malicious one. Here is an example: an individual receives an email from the address [email protected]. At first glance the address seems legitimate. The email carries an Excel attachment that supposedly contains new contact information for everyone at the company, so, like any other employee, the individual downloads it. However, the email did not come from HR but from an attacker who found the name exposed in ’s email service, and the attachment was not the new contact list. More than likely the Excel document carried malware, which could be doing several things: capturing the individual’s screen and sending it back to the attacker, installing a keylogger so the attacker can see everything the individual types, or taking over the mailbox to send the same message to everyone in the contact list while trying the same credentials against personal accounts such as online banking. One way to reduce exposure to this kind of spear-phishing is to create a private company Google Drive and allow only employees to share and edit documents online, so that staff have no routine reason to open unexpected email attachments. This reduces, but does not eliminate, the risk: a shared document can still carry malicious content, and a compromised employee account can share it.

Cyber-espionage should not be taken lightly. The United States, China, England, Germany, and many other powers all use cyber-espionage to spy on each other (Knake, 2015; McKelvey, 2013). For the United States and the rest of the world to

gain the upper hand and protect their CI, they need to educate the employees working at these facilities so that sensitive information is not stolen. Cyber-espionage is normally seen as the concern of agencies such as the NSA and the FBI and of the FBI InfraGard program (Chapter 6), but many other agencies, from the CIA and DIA to the Department of State for ITAR issues and the DoD for military implications, are also deeply involved. In particular, US Cyber Command is now charged with protecting the US from attacks by other nation states, which includes cyber-espionage as well as other forms of cyber-attack.

CYBER WAR

Cyber war is the last of the terms that the media and members of government have used to describe attacks. There has not yet been an instance of cyber war, only cyber-attacks (Rid, 2013). Thomas Rid, a cybersecurity expert and professor of Strategic Studies at Johns Hopkins University, has stated that “To count as an armed attack, a computer breach would need to be violent. If it can’t hurt or kill, it can’t be war” and that “Cyberwar has not taken place in the past, is not taking place at present and is unlikely in the future” (Johns Hopkins School of Advanced International Studies, n.d.). As of now we are in a cyber Cold War, but not at the level of a Cuban Missile Crisis. During the Cold War the United States wanted to show the Soviet Union that it had nuclear weapons and should not be threatened, and a vital feature of that conflict was that the number of official casualties between the two powers was zero (Crigger & Santhanam, 2015). To that extent, it is where we are today.

Stuxnet is the closest a cyber war has come to occurring. Stuxnet was a worm, allegedly created by the United States (NSA) and Israel (Mossad), that targeted Iranian centrifuges at the Natanz nuclear facility. Stuxnet succeeded against the centrifuges in part because it exploited zero-day vulnerabilities in the Windows software used on computers at Natanz (discussed under Types of Attacks) (Anderson, 2012). It was allegedly introduced into the facility on a USB drive by a spy or double agent in order to bypass the air gap (Chapter 6) that Natanz had put in place (Terdiman, 2012). Once inside, Stuxnet recorded normal data from the SCADA system, which was run by specific Siemens Simatic S7-300 series PLCs. After a period of recording, the worm began to act. The centrifuges at the facility were meant to spin at roughly 800–1,200 Hz to separate uranium isotopes and produce enriched uranium usable in nuclear weapons. Stuxnet altered the PLC logic so that the centrifuges spun at upwards of 1,400 Hz, which caused them to break apart and release uranium hexafluoride, a toxic gas (Mills, 2010). The scientists never noticed a difference because Stuxnet replayed the previously recorded data to their monitoring computers, which showed the centrifuges spinning at an appropriate rate (Mills, 2010).

Two further aspects of Stuxnet need to be mentioned. The first is that it is publicly known only because of Israel. Israel and Mossad were allegedly growing tired of how long the attack was taking under the NSA’s instructions, changed parts of the Stuxnet code, and began attacking the facility more aggressively (Melman, 2016; Sanger, 2012). An engineer at Natanz allegedly used his laptop at the facility, and the laptop became infected with the worm (Sanger, 2012). When the engineer later connected the same laptop to the internet at home, Stuxnet spread across the globe, allegedly because of the Israeli changes to the code (Sanger, 2012). During a White House briefing, Vice President Biden was overheard saying, “It’s got to be the Israelis… They went too far,” in reference to the changed code (Sanger, 2012). Because the worm escaped, Symantec’s threat analysis team obtained samples and was able to work out what it targeted (Siemens PLCs driving frequency converters) and why Iran’s nuclear program was the likely target, while investigative reporting pointed to who was responsible (Shearer, 2017; Zetter, 2014a; Sanger, 2012). The second issue is what would have happened if someone had been killed as a result of Stuxnet. Under Rid’s definition above, a death could have made Stuxnet the first instance of cyber war, and Iran might have hacked back in retaliation for the loss of life at Natanz, or a conventional physical attack might have followed.
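The replay trick described above, in which the operator’s screen is fed recorded values while the real process runs out of range, is defeated by any independent measurement that the attacker did not also capture. The following is an added example, not code from the thesis or from any published Stuxnet analysis. It simulates the masking with constructed telemetry and shows the cross-check a monitoring system can run: compare the HMI-reported rotor frequency against a frequency estimated from a separately metered quantity (here motor current, under an assumed linear model) and alert only when the two disagree for several consecutive samples. The nominal and attack frequencies, the tolerance, and the current model are all assumptions chosen for illustration.

```python
"""Replay-masking detection for a single-path HMI (added example).

Not code from the thesis or from any Stuxnet analysis. The attacker records
normal PLC readings, then replays them to the operator screen while the real
process is driven out of range. The detector cross-checks the HMI-reported
rotor frequency against an independent estimate derived from a separate
measurement (motor current, assumed to scale linearly with frequency) and
alerts when the two disagree for several consecutive samples.
"""
from dataclasses import dataclass
from typing import List, Tuple

NORMAL_HZ = 1064.0     # assumed nominal rotor frequency
ATTACK_HZ = 1410.0     # assumed over-speed frequency during the attack
AMPS_PER_HZ = 0.005    # assumed linear current model: amps = AMPS_PER_HZ * hz
TOLERANCE_HZ = 40.0    # allowed disagreement between the two sources
CONSECUTIVE = 3        # disagreeing samples required before alerting


@dataclass
class Sample:
    t: int               # sample index
    hmi_hz: float        # value shown to the operator (PLC-reported)
    motor_amps: float    # independent reading from a separate current meter


def estimate_hz_from_current(amps: float) -> float:
    """Invert the assumed current model to get an out-of-band frequency."""
    return amps / AMPS_PER_HZ


def simulate(n_normal: int, n_attack: int) -> List[Sample]:
    """Constructed telemetry: n_normal honest samples, then n_attack samples in
    which the HMI receives replayed recordings while the rotor runs at ATTACK_HZ."""
    if n_normal <= 0:
        raise ValueError("the attacker needs at least one recorded sample to replay")
    recorded = [NORMAL_HZ + (i % 5) - 2 for i in range(n_normal)]  # small jitter
    samples = [Sample(i, hz, hz * AMPS_PER_HZ) for i, hz in enumerate(recorded)]
    for j in range(n_attack):
        replayed = recorded[j % n_normal]   # stale value the operator sees
        samples.append(Sample(n_normal + j, replayed, ATTACK_HZ * AMPS_PER_HZ))
    return samples


def detect_replay(samples: List[Sample]) -> Tuple[bool, int]:
    """Return (alerted, index of the sample that triggered the alert, or -1).

    A single disagreeing sample could be sensor noise, so an alert requires
    CONSECUTIVE disagreements in a row; any agreeing sample resets the streak."""
    streak = 0
    for s in samples:
        independent = estimate_hz_from_current(s.motor_amps)
        if abs(independent - s.hmi_hz) > TOLERANCE_HZ:
            streak += 1
            if streak >= CONSECUTIVE:
                return True, s.t
        else:
            streak = 0
    return False, -1


if __name__ == "__main__":
    alerted, at = detect_replay(simulate(10, 5))
    print("alert" if alerted else "no alert", "at sample", at)
```

The point of the design is that the second measurement travels a path the PLC does not control; if the current meter were read through the same compromised PLC, the attacker could replay it too. In a real plant the cross-check would use an existing physical relationship (power draw, vibration, bearing temperature) rather than the toy linear model assumed here.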


CHAPTER 3

ATTRIBUTION

Attribution is difficult in the cyber world (Larsen & Wheeler, 2003; Newman, 2016). It is arduous to pinpoint not only where a hack originated but who was behind it (Larsen & Wheeler, 2003; Newman, 2016). One recommendation that is often raised in response to being hacked is: why not hack back? In a conventional war it is usually easy to know who the enemy is and how they will attack. If a squadron of Russian planes flew to the United States and dropped bombs, the United States would know exactly who had attacked. In the cyber world, by contrast, it is relatively effortless to hide one’s identity. Common ways of hiding an IP (internet) address are using proxies or VPNs, using Wi-Fi at a coffee shop or other public place, or using someone else’s computer. Proxies and VPNs mask the user’s IP address so that traffic appears to come from a different location (Eddy, 2018); for example, someone in New York could route through a proxy before attacking so that the activity appears to come from California or England. Another way is to use someone else’s computer, almost like a (Chapter 4): once a victim’s computer is infected with malware, the attacker can carry out attacks from the victim’s IP address. This ability to hide the true source is what makes attribution difficult, and most of the time a culprit is identified because of a mistake made during the hack rather than because the network evidence alone is conclusive.

An example of the attribution problem is the hack on Sony. The Interview is a comedy produced by Sony Pictures Entertainment that depicts the killing of North Korean leader Kim Jong-un. North Korea announced that “unspecified attacks” would occur against the United States, allegedly because of the movie (BBC, 2014). In late 2014 Sony Pictures Entertainment was hacked (Peterson, 2014), and because of the North Korean threats many believed North Korea was behind the attack (Reuters, 2017). When the hack occurred, the media picked up the story and most headlines mentioned North Korea because of the movie (Grisham, 2014). The FBI publicly attributed the attack to North Korea in December 2014, but independent researchers questioned how conclusive the publicly released evidence was (Ragan, 2014), and the debate shows how contested attribution can remain even when a government names a culprit. Figure 3 below was displayed on Sony computers after the hack, accompanied by gunfire noises. Nation states would not usually be expected to behave this way; they would be expected to complete the intrusion, get out, and disappear, not to advertise that they would continue hacking until their demands were met. Further insight comes from the fact that this was not the first time Sony had been hacked. Since 2011, Sony has been hacked 24 times (Szoldra, 2016a), two of them by Anonymous and LulzSec (Szoldra, 2016a), and Sony’s susceptibility has led hackers to coin the term “Sownage” (Szoldra, 2016a). Given the number of times Sony has been hacked and the questions raised about the public evidence, blaming North Korea on the basis of the movie alone is too much of a generalization; the lack of conclusive public evidence makes attribution a difficult hurdle in the cyber world.

Figure 3. Picture showing what computer screens looked like after the Sony Hack. Source: (Zetter, 2014b).


CHAPTER 4

CYBER WEAPONS

Cyber weapons can be classified into three categories: cyber weapons of mass destruction, weapons of mass distraction, and weapons of mass disruption.

A cyber weapon of mass destruction is the primary concern in dealing with SCADA systems (National Initiative for Cybersecurity Careers and Studies, 2017). An example would be if a uses a worm to overheat a reactor in a nuclear power plant, resulting in loss of life and damage to property. The media would report it as a terrorist attack, but without the cyber component the attack could not have occurred the way it did. It is much easier to carry out such an attack by exploiting vulnerabilities in the cyber realm than by physically arriving at the site, taking it over by force, and manually overheating the reactors.

The next category is the weapon of mass distraction (Lee, 2012). Distraction is when an individual hacks into television or radio stations and broadcasts over them. An example would be a message across TV screens on a network reading, “Large fire approaching these counties… evacuate immediately.” That would cause citizens in the area to respond quickly and dangerously in trying to leave, and could result in injuries or loss of life. Local authorities should handle these types of attacks, since they can get a corrective message out quickly and provide support to those who need it.

Finally, the last category is mass disruption (National Initiative for Cybersecurity Careers and Studies, 2017). These attacks disrupt the everyday lives of ordinary people but differ from a cyber-terrorist attack. An example of mass disruption would be shutting down the traffic lights at an intersection. Hackers are not the only cause of such outages; traffic lights can fail because of a storm or because a tree branch took out the transformer for that area. Disruptions of this kind should not be a major cause for concern for CI operators. Local authorities should be the ones to handle them, since they can respond the quickest and, for example, direct traffic after the disruption occurs.

TYPES OF ATTACKS

Malware

Malware is the most common type of attack in the cyber realm. Malware covers common attack types such as viruses, Trojan horses, and worms (Lemonnier, 2015). It is malicious code meant to give the attacker access to specific files on a computer, make the computer a zombie (for botnets), destroy specific files, or let the attacker watch what the computer is doing in real time (spyware) (National Initiative for Cybersecurity Careers and Studies, 2017). Stuxnet is an example of malware; it was capable of damaging the centrifuges of a nuclear enrichment facility. However, not all malware is as “sophisticated” and unique as Stuxnet (McMillan, 2010; Zetter, 2014a). Malware spreads easily through downloads from the internet (-downloading a file which is advertised as something else but is malware or includes malicious code), through email, or on removable media such as USB drives (Terdiman, 2012). In both the private sector and government, those responsible for SCADA systems need to be concerned about each of these modes of attack.

DDoS

A distributed denial-of-service (DDoS) attack lets the attacker overwhelm a server using many computers at once (National Initiative for Cybersecurity Careers and Studies, 2017). The attacker directs thousands, if not tens of thousands, of requests or packets at the server, overloading it so that it shuts down or becomes difficult for others to reach. These attacks fall under cyber-disruption weapons. They are usually carried out by hacktivist groups like LulzSec or Anonymous, or by hackers for hire, to take a website down for a period of time. Unless a facility using SCADA exposes its systems to connections from the internet, DDoS attacks will not easily affect the SCADA systems themselves, although a flood aimed at the facility’s internet links can still disrupt remote monitoring or vendor access that depends on those links. Outside of SCADA, these attacks generate much media interest, but their harm lies mainly in the loss of service and the resulting economic impact, for example in the financial, investment, or medical sectors.


Botnets

Botnets, which were mentioned under malware as “zombies,” are groups of computers infected with malware that await orders to attack (National Initiative for Cybersecurity Careers and Studies, 2017). As malware spreads, many of the infected computers become part of an army, the botnet, which is then used to carry out attacks such as DDoS. Once a computer is infected and has become a zombie, it waits for orders from the operator who distributed the malware. An order might be to connect to a website such as Gmail. Gmail’s servers can sustain a high amount of traffic at once, but when a botnet is used, thousands or even hundreds of thousands of computers request the site simultaneously, which can flood the servers and take the service down or make it very slow. Unless a botnet is aimed at the website used to monitor SCADA at a particular facility, a CI facility does not need to worry specifically about botnets in the general way in which they are deployed.

Phishing and Spear-Phishing

A phishing attack is an attempt to obtain personal information from a user through email (National Initiative for Cybersecurity Careers and Studies, 2017). A typical phishing attack today goes like this: an individual receives an email from their “bank” (Wells Fargo). The email states that the bank believes the account has been hacked and that the user needs to change their password using the link provided. The user clicks the link and logs in to “the bank,” but the link led to a website built by the attacker. Because the user entered their login information on the fake website, the attacker now has the username and password and can access the real bank account. Many of these fake sites can be spotted from the URL. The hostname must be read from the right: the registrable domain is the last part of the hostname before the first single slash (for a .com address, the last two labels), and everything to the left of it is a subdomain the domain owner can set to anything. An example: youtube.com is YouTube, whereas you1ube.com (a digit one in place of the t) is not. Likewise https://amazon.com/login is Amazon’s site, whereas http://amaz0n.com/login (a zero in place of the o) and https://amazon.com.attacker.example/login (where amazon.com is only a subdomain of the real domain, attacker.example) are not. Note that https:// only means the connection to whatever site sits at that domain is encrypted; it does not mean the domain is legitimate, and phishing sites routinely use HTTPS, so the lock icon is not a trust signal. Phishing attacks can be very dangerous to SCADA. Some facilities allow users to sign in to their SCADA homepage over the internet, and employees who are not trained correctly could give up their username and password, which could lead to an attack.

Spear-phishing is a targeted phishing attack aimed at a specific individual or small group. Phishing can be described as throwing a net into the water and seeing what is caught; spear-phishing is trying to catch one particular fish. Many spear-phishing emails come from an address that looks familiar or seems safe and include an attachment containing malware. Once the attachment is opened, the “phisher” can do many things: gain access to an email account, install a keylogger to capture everything that is typed, access a webcam freely, and many other exploits. The following scenario shows how such an attack might be carried out against a SCADA environment: an employee at a water treatment facility (CI) receives an email from what looks like his boss’s address, with the subject “New water levels for the next three months.” The email carries an attachment, but after downloading and opening it the file appears empty. Closer inspection of the sender reveals that the address reads [email protected] and not [email protected]; the only difference is that the “l” in facility has been replaced with a “1.” The malware is now on a critical computer at the facility and can do any of the things listed above. Not only does this give the attacker unauthorized access to the facility; the access or the information obtained can be sold online to others seeking to cause harm or disruption to the facility. Phishing and spear-phishing are two ways in which SCADA is made vulnerable to attack; there is, however, one straightforward mitigation, discussed in Chapter 6.
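The two spotting rules above, reading the hostname from the right and looking for swapped characters such as 1 for l or 0 for o, can be automated at the mail gateway or in a link-checking tool. The following is an added example, not code from the thesis: it reduces a URL to its registrable domain and compares that (and, for the spear-phishing case, the domain of a From: address) against an allowlist of legitimate domains after folding common confusable characters, and it separately catches a trusted brand used as a subdomain of an attacker’s domain. It goes slightly beyond the text by also tolerating a single-character edit within the same TLD. The public-suffix handling is simplified to the last two labels, and every domain and address used is constructed for illustration.

```python
"""Lookalike-domain checks for the phishing and spear-phishing cases (added example).

Not code from the thesis. url_verdict() reduces a link's hostname to the
registrable domain (simplified to the last two labels; production code should
use a public-suffix list) and compares it with an allowlist of legitimate brand
domains; sender_verdict() applies the same comparison to the domain of an
e-mail From: address, catching faci1ity.com posing as facility.com. Matching
folds common confusables (0->o, 1->l, rn->m, vv->w) and tolerates one edit
within the same TLD. All domains used are constructed.
"""
from urllib.parse import urlsplit
from typing import Iterable

CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "7": "t", "8": "b", "9": "g"})


def fold(label: str) -> str:
    """Normalise a DNS label so visually similar spellings compare equal."""
    return label.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a single substitution or dropped letter is a common lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])   # simplification: assumes a one-label TLD


def classify_domain(domain: str, trusted: Iterable[str]) -> str:
    """Return 'trusted', 'lookalike of <x>' or 'unknown' for a registrable domain."""
    domain = domain.lower()
    trusted = [t.lower() for t in trusted]
    if domain in trusted:
        return "trusted"
    d_label, _, d_tld = domain.rpartition(".")
    for t in trusted:
        t_label, _, t_tld = t.rpartition(".")
        if fold(d_label) == fold(t_label):
            return f"lookalike of {t}"
        if d_tld == t_tld and levenshtein(fold(d_label), fold(t_label)) <= 1:
            return f"lookalike of {t}"
    return "unknown"


def url_verdict(url: str, trusted: Iterable[str]) -> str:
    """Judge a link by its hostname only. The scheme (http/https) says nothing
    about who controls the domain, so it is deliberately ignored here."""
    trusted = [t.lower() for t in trusted]
    host = (urlsplit(url).hostname or "").lower()
    verdict = classify_domain(registrable_domain(host), trusted)
    if verdict == "unknown":
        for t in trusted:   # brand name appearing as a subdomain of another domain
            if ("." + t + ".") in ("." + host):
                return f"brand-as-subdomain of {t}"
    return verdict


def sender_verdict(address: str, org_domain: str) -> str:
    """Judge the domain part of a From: address against the organisation's own."""
    return classify_domain(address.rsplit("@", 1)[-1], [org_domain])


if __name__ == "__main__":
    brands = ["amazon.com", "youtube.com"]
    for link in ["https://www.amazon.com/login", "https://amaz0n.com/login",
                 "https://amazon.com.attacker.example/login", "https://you1ube.com/watch"]:
        print(link, "->", url_verdict(link, brands))
    print(sender_verdict("boss@faci1ity.com", "facility.com"))
```

Two caveats a practitioner would add: the From: header is attacker-controlled, so this check belongs alongside SPF, DKIM and DMARC verification of the sending domain rather than in place of it, and internationalised domain names can contain Unicode characters that look identical to ASCII ones, which a table of ASCII confusables does not cover.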

ZERO-DAY VULNERABILITIES

Zero-day vulnerabilities need to be mentioned before moving on to Chapter 6, which discusses them further. As noted above with Stuxnet, zero-day vulnerabilities were part of how Stuxnet succeeded against Iran’s enrichment facility. Zero days are not a type of attack in themselves but are used to deliver malware, and they are extremely important to understand when trying to stay secure in the world of SCADA. A zero-day vulnerability is a flaw in a specific piece of software that is unknown to its vendor and can be used to the attacker’s advantage; a zero-day exploit is the code that takes advantage of it. The name comes from the fact that once the flaw is being exploited, the software’s creator (Microsoft, Adobe, Apple, etc.) has had zero days to patch it (Symantec, n.d.). Zero-day vulnerabilities pose one of the most serious threats to SCADA, although in practice attackers far more often exploit known vulnerabilities that have simply not been patched, a particular problem in control systems that are rarely updated. Zero days have become such a threat to software companies that they have created bug bounties: the company offers rewards to individuals who find and report vulnerabilities in its software. Even though bug bounties put more eyes on the search for vulnerabilities, the same vulnerabilities can be sold to the wrong people. Some companies may offer $500–$20,000 for a vulnerability, while others who want to exploit it can pay more than the vendor, hoping to capitalize on it (Spring, 2016).

Ransomware

Ransomware falls under cyber crime in the cyber framework. It is a commonly used attack today: a specific type of malware that encrypts the files on a computer and decrypts them only after a demand has been met, usually a ransom payment (Mathews, 2017). Most ransomware spreads through phishing and spear-phishing emails. Hospitals are among the best-known and most vulnerable targets (Glaser, 2017). Once the malware is activated and the files are encrypted, the user loses access to them and sees a screen created by whoever deployed the ransomware. The screen usually says things like “your computer has been hacked,” “you will need to pay me/us to regain access to the files,” and “if you do not comply within X amount of time, all of your files will be deleted” (Figure 4). Ransoms are usually paid in cryptocurrency such as Bitcoin, which lets the criminal stay out of harm’s way because no physical interaction is needed for the money to change hands and the transactions are pseudonymous and can be hard to trace (Palmer, 2017). Because many CI operations rely on computers and SCADA daily, it is vital to have a plan in place to prevent ransomware and to recover from it, which in practice means tested offline backups and the ability to rebuild affected systems without paying.


Figure 4. Screenshot of a computer with the “WannaCry” ransomware activated. The note demands payment and threatens that the encrypted files will be deleted if its instructions are not followed. Source: (Atherton, 2017).
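Because ransomware must rewrite many files as ciphertext in a short time, its activity has a measurable signature on the host even before the ransom note appears. The following is an added example, not code from the thesis or from any product: it computes the Shannon entropy of file contents (encrypted data approaches 8 bits per byte, whereas text and ordinary documents stay well below that) and runs a sliding-window detector over constructed file-write events that flags any process rewriting many distinct files to high entropy within a few seconds. The thresholds, process names and paths are assumptions chosen for illustration and would need tuning against a baseline of normal activity.

```python
"""Host-side ransomware heuristics (added example, not from the thesis).

shannon_entropy(): bits of entropy per byte of a file's contents.
burst_detector():  over (time, process, path, entropy) write events, flag any
                   process that rewrites >= MIN_FILES distinct files to high
                   entropy inside a WINDOW_SECONDS window, the pattern of bulk
                   encryption. Thresholds are assumptions; the sample events
                   are constructed.
"""
import collections
import math
import os
from typing import Iterable, List, Tuple

HIGH_ENTROPY = 7.5      # bits/byte; assumed threshold for "looks encrypted"
WINDOW_SECONDS = 10.0   # assumed sliding window
MIN_FILES = 20          # assumed number of distinct high-entropy rewrites to alert

Event = Tuple[float, str, str, float]   # (time, process, path, entropy)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(data).values())


def burst_detector(events: Iterable[Event]) -> List[str]:
    """Return process names that wrote >= MIN_FILES distinct high-entropy files
    inside any WINDOW_SECONDS window, in order of first detection."""
    hits = collections.defaultdict(list)
    for t, proc, path, ent in sorted(events):
        if ent >= HIGH_ENTROPY:
            hits[proc].append((t, path))
    flagged = []
    for proc, writes in hits.items():
        window = collections.deque()
        distinct = collections.Counter()
        for t, path in writes:
            window.append((t, path))
            distinct[path] += 1
            while t - window[0][0] > WINDOW_SECONDS:   # expire writes outside the window
                _, old_path = window.popleft()
                distinct[old_path] -= 1
                if distinct[old_path] == 0:
                    del distinct[old_path]
            if len(distinct) >= MIN_FILES:
                flagged.append(proc)
                break
    return flagged


def sample_events() -> List[Event]:
    """Constructed telemetry: a word processor saving three documents, then a
    hypothetical 'sample_ransom.exe' rewriting 25 files as random bytes."""
    low = shannon_entropy(b"Quarterly water level report for the plant. " * 50)
    high = shannon_entropy(os.urandom(4096))    # stands in for ciphertext
    events: List[Event] = []
    for i in range(3):
        events.append((100.0 + i, "winword.exe", f"C:/docs/report{i}.docx", low))
    for i in range(25):
        events.append((200.0 + 0.2 * i, "sample_ransom.exe",
                       f"C:/docs/file{i}.docx.locked", high))
    return events


if __name__ == "__main__":
    print(burst_detector(sample_events()))
```

Entropy alone is a weak signal, since compressed archives and media files are also high-entropy; it is the combination of high entropy, many distinct files and a short window that separates encryption from ordinary saving, and a detector like this should trigger containment (isolating the host, suspending the process) rather than replace the backup and recovery plan described above.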


CHAPTER 5

NUCLEAR POWER PLANTS

The primary purpose of nuclear power plants is to produce electricity for homes and businesses (General Electric [GE], 2018b). Most facilities use Uranium 235 during the fission process (Matson, 2011). During this process, the atoms in the Uranium (Enriched) are split, which creates heat. That heat is then used to, “boil water, drive steam turbines and thereby generate electricity” (Keizer, 2010). Protecting nuclear power plants, which nearly all use SCADA or similar control systems, and which could have profoundly destructive impacts if the systems failed are one of the main reasons why protecting the Cybersecurity of SCADA systems is so important. The best example of hacking nuclear facilities is the Stuxnet episode in Iran. The United States and Israel are the two alleged suspects for creating the Stuxnet worm (Anderson, 2012). Stuxnet has been regarded as the “best, groundbreaking, and sophisticated” malware to ever be created (Keizer, 2010). When Symantec started to dissect the Stuxnet code, the company had three “top analysts” research it every day (Zetter, 2014a). Stuxnet was able to show the world the dangers of zero-day vulnerabilities and how they can affect SCADA systems. A cyber-attack on a nuclear facility in the United States could leave parts of the country without power while showing the rest of the world the vulnerabilities of cybersecurity for CI and SCADA systems (GE, 2018b). How the US infrastructure could be protected from the US and other Intelligence Communities becomes a far more difficult question than most SCADA users can address, as most SCADA workers are in the private sector focused on their piece of critical infrastructure owned by their company or organization. Clearly deep knowledge of SCADA is present within the US and other nation’s Intelligence Communities, but this knowledge is generally not shared with SCADA practitioners. 
Similarly, many SCADA practitioners probably know more about the details of how such systems work, from decades of interaction with them, than computer hackers working for the US or other governments. Different “solutions” are then needed for different groups to protect or attack SCADA systems in the US or elsewhere in the world. Before Uranium 235 can be used during the fission process, it must be enriched. The enrichment process usually happens at enrichment facilities like the one in Natanz (Nuclear Threat Initiative, 2017). At these facilities, the uranium is cooled by using centrifuges just like the ones the Stuxnet worm attacked (Mills, 2010). As discussed earlier, Stuxnet was successful because of the four zero-day vulnerabilities it used, and it was able to record previous data (from a PLC) and display it while it destroyed the centrifuges (Zetter, 2014a). Nuclear facilities could be targeted in the United States for two major reasons. The first would be to gather intelligence on the security of the facility (cyber/physical), either to use it for future attacks or to sell it for a profit. The second would be to actually destroy the facility, as was seen with Stuxnet. One of the concerns would be having a nuclear power plant overheat. Because the Stuxnet worm was able to record old data and show it while it disrupted and destroyed the centrifuges, that same process could be used to show false temperatures at a facility while, in fact, it was overheating. The Fukushima and Chernobyl accidents show just how dangerous it would be if radiation were released into the atmosphere, the water, and the soil (Stouffer et al., 2015; World Nuclear Association, 2016, 2017). The many layered protection systems and safety systems in nuclear power plants are not the subject of this thesis, but the sensors and software that are part of the SCADA system in them are. How the systems are internally protected is very privately held insight for obvious reasons, much like the combination to the safe at a bank. 
Having the protective systems owned by the private sector has both good and perhaps bad aspects in how well they are protected, how many people know the details, and how well they are able to respond if something occurs.

ELECTRIC GRID

An electric grid seeks to provide homes and businesses with electricity 24/7. Many if not all power (electric) grids use SCADA systems to monitor the process of providing electricity from the producer to the consumer (Electrical Technology, 2015). As a result, electric grids are a prime target for many to attack through cyber means. However, power grids in the United States are very complex and not easy to hack (“Complex networks,” 2013; Environmental Protection Agency, 2017; Szoldra, 2016b). The long-known dangers of cyber-attacks on the grid have been seriously addressed by many professional organizations and partnerships within the electrical community. As an example, many electrical utilities have major cyber capabilities, but they also generally keep these capabilities closely held for security, economic, and litigation reasons. Figure 5 shows that eight different power grids provide electricity to the United States. Movies like Live Free or Die Hard have plots that revolve around hacking a power grid. In the movie, the villain threatens to hack only one power grid, which will cut power to all of the East Coast of the United States. However, that is realistically almost impossible. Figure 5 shows that there are four different power grids that provide electricity to the East Coast. Many of the grids are owned by different private companies, making it even more difficult for a hack to occur (Caltagirone & Lee, 2017). In fact, components of the environment, such as trees, are more significant concerns for power grids than hackers. In 2003, 50 million Americans were without power for two days after tree branches in Ohio damaged four power lines (Minkel, 2008; Stouffer et al., 2015). During the summer of 2003, more electricity was consumed than usual, which caused the lines to droop lower than normal. After one line touched a branch, it shut down. Three other lines were then used to carry the electricity the dead line was supposed to carry. After being overloaded, they also started to droop and shut down after touching branches as well (Minkel, 2008). Once the lines had been shut down, 50 million Americans in the RFC power grid section (Figure 5) were without power. As a result of the 2003 blackout, 11 people were killed and damages exceeded $6 billion (Minkel, 2008). 
A 2004 report conducted by the Power System Outage Task Force stated that the alarm system failed in Ohio where the blackout originated (Minkel, 2008). The report also provided 46 different recommendations to lower the risk of another blackout from reaching 2003 levels along with insight into the human error that contributed to the blackout (Minkel, 2008). In 2005, Congress enacted the Energy Policy Act of 2005, which granted the Federal Energy Regulatory Commission (FERC) more authority to oversee and supervise electric grids around the United States (Minkel, 2008).


Figure 5. Map of the eight different power grids in the United States. Source: (A. Gilbert, 2016).

Researchers at Carnegie Mellon University conducted a study one year after the 2005 Energy Policy Act was passed. The results of the study showed that blackouts occurred at the same percentage between 1984 and 2006 even after the FERC was granted more authority in the 2005 law (Minkel, 2008). How the law was translated into Federal Regulations and when the time of compliance was set are both factors that make this study suggestive, but not definitive for its impact on the electrical industry. The speed at which the private sector can respond to new government regulations is obviously important, as having a new law and seeing impacts in the industry likely takes more time than one year. Doing a similar study now more than a decade later would be insightful to see how much impact the new regulations had on the SCADA world.


Because power grids use SCADA and provide electricity for most of America, they are a top priority for both private-sector and government officials concerned with the cyber safety of the nation’s and world’s infrastructure. They are also obviously of great interest to people and nation states wanting to harm or take over this infrastructure for political, terrorist, or other motivations. A specific example of this is the attacks on Ukraine’s power grid, where several groups, likely including the Russian government, sought to take down the Ukrainian power grid. Efforts to provide support and education to companies, government, political leaders, financial groups, insurance groups, and people in general are important as the nation, its organizations, and its people seek to protect America’s power grids and the services that they enable (Sebenius, 2017).

WATER TREATMENT FACILITIES

Water treatment facilities seek to provide clean drinking water to, and dispose of wastewater from, businesses, homes, and public facilities in the United States (English, 2016). Many facilities use SCADA for transportation, distribution, and treatment of the water and wastewater (Water World, 2018). Much like electric grids and nuclear power plants, water treatment facilities are a CI backbone of the United States and nearly every other country. Even though a significant hack against a water treatment facility has never been openly reported, it is still crucial to secure the facilities to prevent one, as such hacks could have massive impacts on people, organizations, and nations. As an indication of the potential motivation for major hacks of the water industry, in 2016 a minor hack almost turned into a major one. A Verizon security report released in 2016 stated that the Kemuri Water Company (a fictitious name made up by Verizon to protect the identity of the regional water group that was hacked) had been hacked four times within two months (Kovacs, 2016). After the water company noticed an issue with its system, it asked Verizon to conduct an investigation. Verizon noted that the company was using an “IBM A/S 400” computer system that was released in 1988, and used the same system for “financial, IT functions, and water district’s valve and flow control applications” (Kovacs, 2016). These same computer systems are still widely used because of their reliability, though often updated with new operating systems (Kerner, 2013). The hackers were able to use the company’s online payment website to obtain login credentials through an exploit for the A/S 400. As a result, they were able to obtain the financial records of 2.5 million customers of the Kemuri Water Company and to access the PLCs (Programmable Logic Controllers, the hardware on which the control software resides), which controlled the flow of the water to houses and businesses along with the chemicals used to treat the water (Kovacs, 2016). Verizon reported that the hackers thankfully did not wholly understand industrial control systems and thus were not able to cause more damage. If the Kemuri Water Company had been hacked by individuals with more knowledge of PLCs, ICS, and SCADA, then the hack could have been more harmful. The hack could have resulted in tainted water being used by more than 2.5 million individuals or a halt in water reduction for a period. The attackers’ intent was to steal the financial information from the unnamed water company, but the awareness that the vulnerability was far greater, and stemmed from old software, helped raise the alarm of “What if…?” Answering this question, “What if...?”, in the context of SCADA cybersecurity is an enormous encouragement to both the private sector and government to bolster the security of such systems.

FIBER OPTIC CABLES

Fiber-optic cables/networks are the backbones of communication in the United States and the world. Fiber-optic cables use light to send signals to their destination, which can be across the ocean floor or anywhere in the United States or almost anywhere in the world (Mitchell, 2017). Not only do the cables allow for faster signals for telephone calls, but they also provide high-bandwidth internet connections and transmit television signals from the broadcast location to the TV’s location (Mitchell, 2017). Because many businesses rely on faster connections and communication with partners and customers around the world, fiber-optic cables/networks classify as critical infrastructure. However, just like other critical infrastructure, fiber-optic cables are at risk of being attacked. Fiber-optic cables can carry gigabytes of data in mere seconds, but it is physical attacks that are the easiest to carry out rather than digital ones. A BlackHat Federal Briefing in 2003 by Mark Gross and Robert J. Bagnall showed just how simple it is to tap a fiber-optic cable. An individual can attach an Optic Clip-on Coupler to the fiber-optic cable and intercept some of the data being transmitted (Gross & Bagnall, 2003). Insight into the use of this technique came ten years after the BlackHat report, when Edward Snowden leaked hundreds of thousands of classified NSA documents for the world to see. One of those documents provided details of “Operation Tempora,” where the NSA and the United Kingdom’s Government Communications Headquarters (GCHQ) were using this method on their citizens (Zetter, 2013). Between 2008 and 2010 the GCHQ tapped over 200 fiber-optic cables and provided the NSA with internet and phone records (Zetter, 2013). The NSA and GCHQ claim that they had over 750 analysts searching through the information for over 70,000 terms relating to national security (Zetter, 2013). Whether or not this method was ethical or moral in trying to find dangers to the two countries is not the issue here, as it seemed to be used in the name of protecting the citizens and government. The issue is: what if someone or another country used this method to obtain information for a personal goal other than defense against attacks? The 2003 report by Gross and Bagnall broke down actors into five groups that could attack the fiber-optic cables for personal gain: “Adversarial Nation States, International Espionage, Corporate Espionage, Rogue Groups, and Rogue Individuals” (p. 25).

• International Espionage - China has already shown what it can do with a physical spy, as that has resulted in military inventions (Gertz, 2015). Being able to tap the cables allows China to intercept more information while taking less of a risk. If a tap was found on a cable and suspected to come from China, China could deny the allegations rather than risk sending another spy into the United States to steal information. The United States and United Kingdom have certainly used such systems as well, so spying on individuals, corporations, and organizations by these governments is also obviously a concern, including the sharing of data with each other, as the UK spy agency shared data with the US from over 200 fiber-optic cables (Zetter, 2013).

• Rogue Groups - Rogue groups like ISIS and Boko Haram could tap the cables to see if an attack is planned against them. Not only would it benefit them, but other nations could use these groups as proxies, using them to steal information and paying them as a result. It could also work the other way around: other nations could sell the intercepted information to the groups at a price. It is possible to find a map online of every international fiber-optic cable and where it reaches other nations’ shores (TeleGeography, 2018). Hacktivists could also benefit from the information being relayed in fiber-optic cables and make a profit off of selling it.

• Rogue Individuals - Hackers and individuals trying to be a nuisance could also target the cables. In 2015 an FBI report showed that 16 fiber-optic cables that provided Internet coverage to Northern California had been cut (Hughes, 2015). Rather than tap the cables to steal the information, the perpetrators cut them. Not only does such an attack prevent some people from using the internet for a certain amount of time, but it costs the owners of the cables a substantial amount of money to fix. Some of the 16 cables cut belonged to AT&T. After the 15th attack in 2015 on the cables, AT&T offered a $250,000 reward for anyone with information regarding the attacks (Hughes, 2015). Disgruntled employees also pose a threat to the company they work for. Those employees could cause harm to the company’s SCADA/ICS components with insider knowledge.


CHAPTER 6

NIST

The primary purpose of this thesis revolves around the recommendations made by the National Institute of Standards and Technology (NIST) to facilities using SCADA/Industrial Control Systems. NIST is part of the Department of Commerce, and its mission is “To promote United States innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life” (NIST, 2017). In 2015, NIST released a revised report on SCADA/ICS titled Guide to Industrial Control Systems (ICS) Security (Stouffer et al., 2015). The report provides many recommendations (see Recommendations and Suggestions) on how to protect SCADA/ICS facilities. The Recommendations and Suggestions section details the recommendations provided by NIST along with my cyber hygiene/social engineering suggestions on how to better protect SCADA/ICS.

RECOMMENDATIONS AND SUGGESTIONS

• (NIST) Encryption - Encryption would allow the data flowing through SCADA/ICS to be encoded. NIST recommends encrypting the data and providing the individuals who need access to the data a way to decode it (Stouffer, Falco, & Kent, 2006). NIST, along with the American Gas Association, is working on different types of software for CI facilities to use to encrypt and decrypt data.

• (NIST) Intrusion Detection and Prevention Systems - Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) would allow the facilities to monitor all traffic that flows through their network. An IDS is a standard system that only monitors the traffic, while an IPS will try to prevent any unwanted traffic when it is found (Stouffer et al., 2015). The NIST report states that IDS and IPS vendors are starting to create software specifically for SCADA/ICS usage. One example is “Snort.” Snort is an open-source IPS made for detecting and preventing unwanted traffic in ICS networks (Stouffer et al., 2015).

• (NIST) Network Segmentation and Segregation - NIST recommends that facilities separate their corporate networks from their ICS networks. NIST believes that “Network segmentation and segregation is one of the most effective architectural concepts that an organization can implement to protect ICS” (Stouffer et al., 2015). The purpose of network segmentation and segregation is to “minimize access to sensitive information for those systems and people who don’t need it, while ensuring that the organization can continue to operate effectively” (Stouffer et al., 2015). Network segmentation would help prevent attacks like the one on the Kemuri Water Company from occurring. If a facility were hacked, separating the networks would prevent the hacker from gaining access to the ICS network.

• (NIST) Firewalls - NIST also recommends employing firewalls between different networks to regulate the flow of traffic through the networks (Stouffer et al., 2015). Firewalls can be applied directly to ICS networks and/or between the corporate and the ICS networks. NIST recommends three different classes of firewalls. Inserting a firewall will provide SCADA/ICS facilities with a high level of security.

    o Packet Filtering Firewalls - Packet filtering firewalls are the most basic firewall. They “check basic information in each packet, such as IP addresses, against a set of criteria before forwarding the packet” (Stouffer et al., 2015). The firewall will then drop the packet or send it through to the network.

    o Stateful Inspection Firewalls - Stateful inspection firewalls provide an additional layer of security over packet filtering firewalls. They “keep track of active sessions and use the information to determine if packets should be forwarded or blocked” (Stouffer et al., 2015).

    o Application-Proxy Gateway Firewalls - Finally, application-proxy gateway firewalls provide an extremely high level of security. These firewalls “examine the packets at the application layer and filter the traffic based on specific application rules” (Stouffer et al., 2015). They determine whether to let the packets through based on which internet browser or which type of application is being used.

• (NIST) Audits - NIST believes that an audit conducted by an independent agency/group is critical for finding security vulnerabilities within a SCADA/ICS facility. Audits should be conducted regularly and routinely. NIST defines an audit as:

    o “an examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures” (Stouffer et al., 2015).

• (NIST) Business Continuity Planning - Business continuity plans are documented instructions on how to maintain or reestablish production in the event of an interruption (Stouffer et al., 2015). Whether the disaster is natural, man-made, or equipment failure, NIST believes that having a plan in place will allow facilities to continue to produce their resources (Stouffer et al., 2015).


Figure 6. Firewall diagram. Source: (Stouffer et al., 2015).
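To make the difference between the first two firewall classes above concrete, here is an added example (it is not code from the thesis or from the NIST guide) that models a stateless packet filter and a stateful inspection filter guarding the same corporate/ICS boundary. The historian address 10.1.0.20, the PLC address 192.168.10.5 and the rule that only the historian may poll the PLC over Modbus/TCP (port 502) are assumptions chosen for the illustration, and the packet trace is constructed.

```python
"""Stateless packet filter vs. stateful inspection at a corporate/ICS boundary.

Added illustration (not from the thesis or NIST). Addresses, ports and the
packet trace are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed addresses (assumptions): the corporate historian may poll the
# PLC over Modbus/TCP (port 502); nothing else may enter the ICS segment.
HISTORIAN = "10.1.0.20"    # corporate side
PLC = "192.168.10.5"       # ICS side
MODBUS_PORT = 502


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag: True only on the connection-opening packet


def packet_filter(pkt: Packet) -> str:
    """Stateless rule set: every packet is judged on its own header fields.
    Rule 1: historian -> PLC:502 is allowed (the poll).
    Rule 2: PLC:502 -> historian is allowed (so replies can get back).
    Default: drop. Rule 2 has to exist for replies, which is the weakness:
    any packet from the PLC side with source port 502 matches it."""
    if pkt.src == HISTORIAN and pkt.dst == PLC and pkt.dport == MODBUS_PORT:
        return "ALLOW"
    if pkt.src == PLC and pkt.dst == HISTORIAN and pkt.sport == MODBUS_PORT:
        return "ALLOW"
    return "DROP"


@dataclass
class StatefulFirewall:
    """Keeps a table of sessions opened from the permitted direction and only
    lets later packets through if they belong to one of those sessions."""
    sessions: Set[Tuple[str, int, str, int]] = field(default_factory=set)

    def inspect(self, pkt: Packet) -> str:
        key_fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        key_rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Only the historian may open a session, and only to the PLC's Modbus port.
        if pkt.syn and pkt.src == HISTORIAN and pkt.dst == PLC and pkt.dport == MODBUS_PORT:
            self.sessions.add(key_fwd)
            return "ALLOW"
        # Everything else passes only if it belongs to a session already in the table.
        if key_fwd in self.sessions or key_rev in self.sessions:
            return "ALLOW"
        return "DROP"


# Constructed trace (assumption): a legitimate poll/reply pair, then an
# unsolicited packet from the ICS side that looks like a reply but belongs
# to no open session, then a second corporate host trying to reach the PLC.
TRACE: List[Packet] = [
    Packet(HISTORIAN, PLC, 40000, MODBUS_PORT, syn=True),   # historian opens a session
    Packet(PLC, HISTORIAN, MODBUS_PORT, 40000),             # PLC reply to that session
    Packet(PLC, HISTORIAN, MODBUS_PORT, 55555),             # "reply" to a session never opened
    Packet("10.1.0.99", PLC, 40001, MODBUS_PORT, syn=True), # other corporate host -> PLC
]


def compare(trace: List[Packet] = TRACE) -> Tuple[List[str], List[str]]:
    """Run both firewalls over the trace; return (stateless verdicts, stateful verdicts)."""
    fw = StatefulFirewall()
    stateless = [packet_filter(p) for p in trace]
    stateful = [fw.inspect(p) for p in trace]
    return stateless, stateful


if __name__ == "__main__":
    for p, a, b in zip(TRACE, *compare()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless={a}  stateful={b}")
```

The third packet is where the two classes part ways: the packet filter must carry a standing "allow from PLC port 502" rule so that replies can return, and therefore forwards the unsolicited packet, while the stateful firewall has no matching session and drops it. Both drop the fourth packet, since neither rule set admits a second corporate host.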

• (NIST) Identification and Authentication - This process determines whether a user is allowed or denied access to the network, applications, or services. There are three major ways of determining an individual’s identity (Stouffer et al., 2015).

    o Password - Passwords are the simplest way of introducing a layer of security into a system. Passwords can be any combination of letters and/or numbers. The major flaw of passwords is that they can be stolen and used by an individual who should not have access to a network without anyone knowing.

    o Physical Token Authentication - Physical token authentication is a small upgrade from passwords. Tokens allow the individual to produce a secret code or key when required to log in to a system or network. Some forms of physical token authentication are “Physical locks, security cards with smart chips or optical coding, dongles with secure encryption keys, and key fobs” (Stouffer et al., 2015).

    o Biometric Authentication - Biometric authentication is the most secure way of providing authorization through identification. Forms of biometric authentication are “Fingerprint scanners, facial geometry, retinal and iris scanners, voice patterns, typing patterns, and hand geometry” (Stouffer et al., 2015).

• (NIST) - NIST released a report in 2006 titled Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security (Stouffer et al., 2006). NIST recommends that SCADA facilities create a comprehensive security program to help combat cyber-attacks. The purpose of the security program is to “address all aspects of security, ranging from identifying objectives to day-to-day operation and ongoing auditing for compliance and improvement” (Stouffer et al., 2006). The creation of a security program can be broken down into five steps.

    o #1. Senior Management Buy-In (Stouffer et al., 2006). NIST believes that senior officials and management need to fully invest in a security program for it to function at all levels.

    o #2. Build and Train a Cross-Functional Team (Stouffer et al., 2006). NIST recommends that the security team encompass different parts of the company. For a cross-functional team to exist, one member needs to be from the IT staff, one a control engineer (facility engineer), one a security expert on ICS/SCADA, and one a member of the management staff. Having the team consist of members from different sectors will allow the team to evaluate and establish reports from different perspectives.

    o #3. Charter and Scope + ICS Policies and Procedures (Stouffer et al., 2006). NIST states that the cyber security team should document the “roles, responsibilities, and accountabilities of system owners and users” (Stouffer et al., 2006). The document created by the security team should also include the “objective of the security program, all the computer systems and networks involved in the business, the budgets and resources required for the team to work, and divide responsibilities amongst the members” (Stouffer et al., 2006). The security team should also define the ICS security policies and procedures. The policies and procedures will help to establish the level of security protection needed and to help educate the workers of the facility.

    o #4. Perform Risk and Vulnerability Assessments (Stouffer et al., 2006). Risk and vulnerability assessments should regularly be conducted throughout the year at facilities using SCADA/ICS. The results of the assessments should be used to “prioritize the ICS systems based on the potential impact to each system” (Stouffer et al., 2006). Conducting internal risk assessments will allow facilities to better patch vulnerabilities in their systems and allow independent security audits to run smoothly.

    o #5. Provide Training and Raise Security Awareness (Stouffer et al., 2006). The final step in creating a security program is to provide training to the facility workers on how to protect the systems. Social engineering recommendations can be provided at the training meetings to help better protect workers and the facility itself.


 (NIST)- The 2006 NIST report recommends that SCADA/ICS facilities create a partnership with the Department of Homeland Security’s Control Systems Security Program (CSSP) (Stouffer et al., 2006). The goal of the CSSP is to “coordinate efforts among federal, state, and local governments, as well as control system owners, operators, and vendors to improve control system security within and across all critical infrastructure sectors by reducing cyber security vulnerabilities and risk” (Stouffer et al., 2006). Privately owned CI facilities that partner with the CSSP receive “timely situational awareness training and threat reduction activities” (Stouffer et al., 2006) to help prepare workers for cyber- based attacks.  (NIST)- NIST also recommends that CI owners work with the National SCADA Test Bed (NSTB) (Stouffer et al., 2006). The NSTB was created by the Department of Energy’s Office of Electricity Delivery and Energy Reliability to “help equipment vendors, and asset owners assess vulnerabilities in control systems hardware and software verify security fixes using a full-scale infrastructure suite of facilities” (Department of Energy, n.d.). If CI facilities do not want to work with government agencies then privately owned companies specializing in SCADA/ICS security are another option (Indegy, 2018). Indegy is a privately owned company that provides expert industrial cyber security solutions to CI facilities. Indegy consists of cyber security experts and employees with hands-on experience with industrial control systems (Indegy, 2018). Indegy provides the facilities with expert cyber security recommendations while also providing training with the workers of the facilities to prevent social engineering attacks from occurring.  No Internet Access- This is the most valuable and accessible recommendation that can be issued to every single CI facility that is using SCADA/ICS. 
Many of these facilities are running 24/7, and because of that, they need workers to monitor the status of the facility. The best way to do this is to create a website where the workers can connect using a username and password. From there they will be able to monitor and make changes to SCADA from anywhere around the world. Monitoring SCADA from a website is an awful idea. The Shodan.io website allows anyone to look up any SCADA/ICS system that is connected to the internet. Figures 8, 9 and 10 (see Appendix) show a Verizon ICS system and how easy it is to connect to the log in screen. It is illegal to attempt to log in but, if someone were to log in the first combination of usernames and passwords they would use would be “admin” and “admin.” Some companies do not change the default username and password which can make an enormous difference between having a protected SCADA/ICS system and have a vulnerable one.  Air Gaps- Air gaps were mentioned earlier in Chapter 2. Air gaps are the physical measure that prevents secure networks from other unsecured networks. Air gaps will go hand in hand with no internet access which will make the CI and SCADA much more secure from a cyber-attack.  Ban on Removable Media- Stuxnet was successful because a USB was used to bypass the air gap in place at the Natanz Nuclear Facility (Crigger & Santhanam,

41

2015; Stouffer et al., 2015). CI facilities do not want to fall victim of allowing malware into their system via a USB. An alternative is to lock the PLC’s and computers behind a barrier where only the CEO has the key so USB’s and other devices cannot be plugged in without permission and documentation.  Mandatory Physical Updates- Many SCADA/ICS systems are not updated because it is a bother and could halt production from the facility. If an update had to occur, a plan would need to be put in place. One recommendation is that an engineer of the software being used at the CI facility come in person to update the system. An independent security contractor or CESER member should be at the facility during the installation for two reasons. The first is to make sure that no malicious software is being installed in the update. The second is that if any zero- day vulnerability were found that they could immediately fix the problem on site or ask for additional help to fix them. NIST believes that Configure Management plays a crucial role in SCADA/ICS security. Configure Management is the documentation of modifications to “hardware, firmware, and software” (Stouffer et al., 2015).  Phishing/Spear-Phishing- One major social engineering/cyber hygiene suggestion would be to provide employees of CI facilities the training to know what a phishing/spear-phishing email looks like and how to prevent the attempts from becoming successful.  Internet of Things- The Internet of Things (IoT) is a concept where devices that have an internet connection are always connected to the internet and/or other devices (Morgan, 2014). Gartner, a research company, released a report in 2013 that stated by 2020 26 billion devices will be a part of the IoT. The estimated 26 billion devices do not include PC’s, smartphones or tablets (Gartner, 2013). According to Libelium (2013), a company specializing in the IoT, a “smart world/smart city” could be created with devices that are part of the IoT. 
Figure 6 below shows what a smart city could look like in the future. The IoT would impact CI facilities in a major way. According to figure 6, nuclear power plants could use devices connected to the internet to monitor, “Radiation levels, Perimeter Access Controls, Air Pollution, Waste Management and Water Quality” (Libelium, 2013). Hospitals could make use of “Smart roads and traffic congestion” to monitor if emergency services are needed at a certain intersection or highway before a call to 911 is made. Water treatment facilities might use “Water Leakages and Water Quality devices” to monitor their facility with another device from a different location other than where the facility is located (Libelium, 2013). The IoT would allow CI facilities to run their operations with less adversity. However, the IoT would increase the CI’s susceptibility to being the victim of a cyber-based attack. Malwarebytes Labs reported that in 2015 a smart fridge was hacked and showed pornography images on its screen. In 2016 a baby monitor camera was hacked and used to eavesdrop on the family. Moreover, in a WikiLeaks report, the CIA has the capability of hacking into Smart TV’s to monitor individuals (Zamora, 2017). The technology already exists for CI facilities to monitor their operations over an internet connection. The IoT would

42

allow the facilities to obtain devices to monitor certain aspects of the operation while communicating with other devices without the use of an operator. Thankfully, safeguards are being enforced if a CI facility decides to opt into an IoT concept rather than a no internet access concept. In 2017, Virginia Senator Mark Warner introduced a bill into the 115th Congress tilted the Internet of Things (IoT) Cybersecurity Improvement Act of 2017. The act would require that all IoT devices are patchable and would allow the user to change the password on the device (Morgan, 2014). Unfortunately the act only covers IoT devices sold to the United States government rather than the private sector, but it is a step in the right direction towards protecting privately owned CI using the IoT (Morgan, 2014). Auto-updates and automatic patches would also further protect IoT devices. Allowing the devices to download updates and patches to their software at a monthly rate would increase the security of them. Those that are not able to auto- update or patch should come with a warning label.  Industrial Internet of Things (IIoT)- The Industrial Internet of Things (IIoT) is defined by GE as; “The network of a multitude of devices connected by communications technologies that result in systems that can monitor, collect, exchange, analyze, and deliver valuable new insights like never before” (GE, 2018a). The IIoT takes the IoT idea and applies it to CI facilities that use SCADA/ICS to help boost their effectiveness. GE (2018a) estimates that by 2020 the market for the IIoT will be around $225 billion. In 2017 the Department of Energy (2017b) released their Quadrennial Energy Review, which mentions the IIoT and how it will affect the power grid in the United States. Chapter 4 of the report goes in depth about smart grids. Smart grids would allow engineers to collect and analyze the data produced by the grids more efficiently and quickly (Department of Energy, 2017a). 
But the Department of Energy notes that the implementation of smart grids would make the grids more susceptible to being hacked. The Department of Energy notes that automated smart meters, which are being used today, are a part of the IIoT and are vulnerable to being hacked. “Hackers targeting this technology could cause disrupted power flows, create erroneous signals, block information, cut off communication, and/or cause physical damage” (Department of Energy, 2017a, pp. 4-35). The IIoT will allow more technology to be used to process data at different facilities at a more efficient level than what is being used today. As of today, the new technology being implemented into these facilities makes them more vulnerable to a cyber-attack.

International Group

One unlikely suggestion to help protect SCADA/ICS companies around the globe would be the creation of an International Group to assist members in collectively protecting CI. Hypothetically, an International Group would bring together other nations and their agencies that protect SCADA/ICS and conduct meetings that would benefit each nation on how to better protect their facilities from cyber threats. One reason that an International Group would not likely be created stems from the concerns of involving other nations such as Russia, China, and North Korea. China has been accused of stealing military information from the United States to help create their J-20 jet, and Russia has been the primary suspect in the hacking of the 2016 United States Presidential Election. Due to concerns with other nations, the flow of information and work that could be accomplished at international meetings would dwindle. As a result, the challenge of drawing together partner nations and organizations while excluding others becomes obviously complicated, and it would be difficult for multiple nations to agree and collaborate.

The ICS/SCADA Cyber Security Conference would be another reason why the International Group might not actually be needed, as this conference and its membership functionally perform this collaborative activity. The ICS Cyber Security Conference was created in 2002 to provide protection strategies and solutions for SCADA/ICS facilities. Industries that attend the conferences every year include “defense, power generation, transmission and distribution, water utilities, chemicals, oil and gas, pipelines, data centers, and medical devices” (SecurityWeek, 2018). The 2018 international conference is in Singapore and the US conference is in Atlanta; together they will bring together thousands of SCADA/ICS owners, operators, regulators, and providers (SecurityWeek, 2018).

Figure 7. Libelium smart world concept. Source: (Libelium, 2013).


REQUIREMENTS

The recommendations provided by NIST are guidelines that CI facilities using SCADA/ICS should follow but are not required to, except that compliance with NIST standards is often a contractual stipulation for government contracts, funding, insurance, or public relations concerns. To protect the CI facilities within the United States, NIST recommendations along with my cyber hygiene/social engineering recommendations should be required as basic guidelines for keeping systems clean. Before companies can accept government contracts to conduct independent security audits on CI facilities, they should be required to meet NIST security standards. CI facilities that provide resources to the United States should also meet NIST security standards. Meeting the standards provided by NIST will ensure that facilities are protected by a standard that is provided by the Department of Commerce and NIST. The security standards provided by NIST, along with my cyber hygiene recommendations, will ensure that the physical and cyber aspects of the facility are protected while the employees are also educated on what to do in the multiple situations that impact the security of the facility.

RELATIONSHIPS, RESOURCES, AND COLLABORATIONS

After the September 11th attacks, cooperation and communication between intelligence agencies within the United States became a concern (Wright, 2006). The Central Intelligence Agency (CIA) has been criticized for not sharing information with the Federal Bureau of Investigation (FBI) regarding evidence leading to the 9/11 attacks (Johnston, 2003). The different responsibilities and legal authorities of the CIA and FBI actually put constraints on this sharing, but information about CI is likely completely appropriate for the two to share with each other. Relationships between different groups within the intelligence community could allow information to flow efficiently among them. It would also increase the chances of preventing an attack on the CI of interest to the United States, especially against CI using SCADA and Industrial Control Systems.

CESER

The creation of a national asset or consortium devoted to protecting SCADA systems within the United States could become a daunting but helpful solution to the nation, as the cyber vulnerability of CI seems to be ever increasing. In 2018, Secretary of Energy Rick Perry established an Office of Cybersecurity, Energy Security, and Emergency Response (CESER) within the Department of Energy (2018). Secretary Perry requested $96 million in funding for the 2019 fiscal year to create the office (Siegel, 2018). Secretary Perry stated that “The formation of this office better positions the department to address emerging threats and natural disasters and support the department’s expanded national security responsibilities” (Department of Energy, 2018). The proposal to create CESER was a result of the Russian Government’s alleged attempts to hack the United States energy sector since March 2016 (Wilts, 2018). The Russian hackers allegedly targeted “energy, nuclear, commercial, water, aviation, and manufacturing facilities” (Siegel, 2018). CESER would allow the Department of Energy to work closely with CI facilities in the private sector to help prevent and provide solutions for cyber-based attacks.

Office of Intelligence and Counterintelligence

The Department of Energy currently has an office devoted to information gathering. The Office of Intelligence and Counterintelligence is responsible for protecting vital information shared between the different offices of the Department of Energy. The office also provides “expertise to policymakers concerning homeland security, cyber security, intelligence, and energy security” (Office of the Director of National Intelligence, n.d.). The Intelligence and Counterintelligence office is a member of the United States Intelligence Community, which consists of several dozen separate agencies such as the Defense Intelligence Agency (DIA), National Geospatial-Intelligence Agency (NGA), National Security Agency (NSA), and the Office of the Director of National Intelligence Agency (ODNI) (The United States Intelligence Community, 2018). Working as part of the United States Intelligence Community allows these agencies to share information and communicate with each other. Clear communication and information sharing would help the agencies to analyze threats and protect the United States from attacks. The announced creation of CESER would allow the new office to work directly with the Department of Energy’s Office of Intelligence and Counterintelligence and with other agencies that are part of the United States Intelligence Community to help respond to cyber-attacks on CI using SCADA and industrial control systems. Relationships already in place could create opportunities for CESER to work with other agencies such as the FBI and its InfraGard program, linking to the private sector and to public-private partnerships, as the vast majority of CI is owned and operated by the private sector.

InfraGard

InfraGard is a program created by the FBI that allows partnerships to exist between the FBI and the private sector. It provides “timely exchanges between the public and private sectors while promoting opportunities to protect CI” (InfraGard, 2018). InfraGard allows the 85% of CI facilities in the United States that are privately owned to voice concerns and opportunities to better protect them while allowing communication to flow effortlessly (GAO, 2006). InfraGard uses the Department of Homeland Security’s template to split CI facilities into 16 different sectors such as Chemical, Communications, Energy, Food and Agriculture, Information Technology, Healthcare, Nuclear, etc. (InfraGard, 2016). Each sector is assigned a Sector Chief, who serves as the point of contact between their sector and the FBI (InfraGard, 2016). Sector Chiefs pass on concerns, opportunities, intelligence, resources, and information between the sector and InfraGard. Sector Chiefs also pursue relationships with “DHS Protective Cyber and Security Advisors” as well as fusion centers in the area of the facility (InfraGard, 2018). Before a sector chief is allowed to lead, they must sign a Non-Disclosure Agreement (NDA). NDAs prevent them from providing information to individuals who are not authorized to receive information on that sector (InfraGard, 2018). The NDAs would provide a sense of security for CI facilities using SCADA to sign on with InfraGard. The announced creation of CESER would assist the protection of CI using SCADA systems in the United States, which parallels the FBI InfraGard in many ways. A partnership between CESER and InfraGard would allow protection from multiple agencies on a national level. Cooperation with United States Northern Command (USNORTHCOM) and the Overseas Security Advisory Council (OSAC) would allow protection from international threats against CI.

USNORTHCOM

The United States Northern Command (USNORTHCOM) is a combatant command which is a part of the United States military (USNORTHCOM, n.d.). Their mission is to “conduct homeland defense, civil support and security cooperation to defend and secure the United States and its interests” (USNORTHCOM, n.d.). USNORTHCOM is part of the Department of Defense and acts as a military unit. Because of this, they are not allowed to conduct law enforcement operations on United States citizens due to the Posse Comitatus Act. United States Code Title 18 § 1385 (Posse Comitatus) denies the military the authorization to be used within the United States unless approved by the Constitution or an Act of Congress (Posse Comitatus Act, 1956). Due to the Posse Comitatus restriction, NORTHCOM conducts its operations internationally (with a focus on Canada and Mexico) and as Joint Task Forces, as well as in the context of specific responsibilities like rogue airplanes that are not subject to the Posse Comitatus concerns. NORTHCOM is formally partnered with NORAD (North American Air Defense), so that it is generally known as NORAD/NORTHCOM and can respond to events like incoming missiles or rogue airplanes in near real time. The Joint Task Force North unit allows USNORTHCOM to “support our nation’s federal law enforcement agencies in the interdiction of suspected transnational threats… Transnational threats involve international terrorism, narco-trafficking, alien smuggling, and weapons of mass destruction” (USNORTHCOM, n.d.). Protecting CI that links Canada and the US as well as Mexico and the US, such as electrical grids, oil and gas pipelines, airplanes, railroads, and other infrastructure, is part of the responsibilities of NORAD/NORTHCOM, just as they protect the US and Canada from missiles from countries like Russia and North Korea. Their Joint Task Force capabilities are directed at protecting borders, stopping narcotics smuggling, and responding to natural disasters like Hurricane Katrina, wildfires, floods, tornadoes, and other high-impact natural disasters.
They also work closely with the new military command, CyberCom, which is being made into a separate Combatant Command but is still linked to other DoD groups (Clark, 2017). CESER could partner with USNORTHCOM’s Joint Task Force team to help combat attacks against CI in the United States, much as they work to prevent narcotics smuggling in the US. The partnership would allow USNORTHCOM to help the agency/office with national threats. NORAD/USNORTHCOM could also provide intelligence to CESER on threats that could originate from outside of the United States in the NORAD/NORTHCOM Area of Responsibility (AOR), which covers North America and part of Central America.


OSAC

The State Department’s Overseas Security Advisory Council (OSAC) could also offer support against international attacks in collaboration with groups such as NORAD/NORTHCOM, the Department of Energy, NIST, and a host of others working on CI. OSAC (n.d.a) was formed in 1985 with the sole purpose of helping American private-sector corporations around the globe. OSAC (n.d.b) provides the private sector with operational-security information from the State Department, clear communication from the State Department across the globe, security programs, and threat mitigation tactics. CESER would benefit from working with OSAC and its Committee on Risk Information Sharing (RI). The RI committee “collects and disseminates information between the public and private sector on threats and other issues that will be used to secure United States interests abroad” (OSAC, n.d.b). CI facilities that use SCADA systems abroad should be advised to join OSAC for their protection. Membership is held by organizations rather than by individuals, and organizations can apply online; San Diego State University (SDSU), for example, is a member and works with the OSAC chapter in Tijuana, Mexico on US-Mexico challenges including CI (OSAC, n.d.b).

Fusion Centers

Finally, CESER along with CI facilities would benefit from a relationship with local fusion centers. The FBI’s InfraGard program would offer support at a national level while NORAD/NORTHCOM and OSAC provide international support. Fusion centers would allow more local cooperation between the CI facility and local agencies. An example of a fusion center is the Orange County Intelligence Assessment Center (OCIAC, n.d.). OCIAC’s mission is to “Provide an integrated, multi-disciplined, information and intelligence sharing network to collect, analyze and disseminate information on all criminal risks and safety threats to law enforcement, fire, health, private sector and public-sector stakeholders in a timely manner in order to protect the residents, visitors and critical infrastructure while ensuring the civil rights and civil liberties of all persons are recognized.” OCIAC specifically has a division devoted to critical infrastructure, the Critical Infrastructure Protection Unit (CIP). CI facilities can work with fusion centers like OCIAC to help find vulnerabilities in their systems and report information to be analyzed. Many fusion centers also work with federal agencies such as the FBI, which would allow networking between the local level and InfraGard to protect their facilities better (OCIAC, n.d.). As a primary purpose of this thesis, fusion centers and other companies that accept government contracts to perform security audits on CI facilities should be required to meet NIST security standards.

ICSJWG

The Industrial Control Systems Joint Working Group (ICSJWG) was created by the ICS-CERT to “facilitate information sharing and reduce the risk to the nation’s industrial control systems” (Department of Homeland Security, 2018a). The ICSJWG’s main goal is to provide a line of communication between CI sectors and the federal government while also including private owners of the facilities. The ICSJWG holds two meetings every year. The meetings allow the owners and stakeholders of CI facilities to voice their concerns and discuss security-related issues with their facilities that use ICS. The ICSJWG works closely with NIST year-round to help produce reports and presentations on current security threats against SCADA/ICS facilities. The ICSJWG also provides the owners and stakeholders with information regarding social engineering (InfoSec Island, 2012). The information can be used to teach the employees at CI facilities how to avoid phishing and spear phishing attempts along with other social engineering attacks.

ISACs

Finally, ISACs (Information Sharing and Analysis Centers) would be beneficial to CI facilities using SCADA/ICS. ISACs are non-profit organizations that are usually created by CI owners to provide their specific sector a way to voice their concerns and provide security tips (Department of Homeland Security, 2018b). Each sector would benefit from its own ISAC. For example, CI facilities dealing with energy would use the Electricity ISAC (E-ISAC), water treatment facilities would use the Water ISAC (WaterISAC), and oil and gas facilities would use the Oil & Natural Gas ISAC (ONG-ISAC) (National Council of ISACs, 2018). The Department of Homeland Security is partnered with the MS-ISAC (Multi-State Information Sharing and Analysis Center). The MS-ISAC provides cyber security support to “state, local, tribal, and territorial governments” (Center for Internet Security, 2018; Department of Homeland Security, 2018b). Each ISAC could work with NIST to better implement the recommendations as requirements and to better fit each sector’s needs.


CHAPTER 7

FIBER OPTIC NETWORKS

Dr. Lance Larson’s thesis, The Vulnerability of Fiber Optic Networks, provides insight into the vulnerabilities of fiber optic networks in the downtown area of San Diego, California. Dr. Larson defines fiber optic cables as “Information and Communication Technology (ICT) infrastructure,” and states that they are “arguably the most important CI” for the United States (Larson, 2006). Dr. Larson and I both believe that physical attacks are the number one threat to fiber optic lines. Larson attributes these physical attacks to “Network Aggregation” (Larson, 2006, p. 14). Network Aggregation can be defined as companies building or laying their fiber optic cables close to other fiber optic cables, which results in piling up ICT infrastructure next to one another and could be catastrophic if an attack were to occur in that spot (Larson, 2006). Many of the cables in Downtown San Diego are also installed under public areas and roads where many civilians are every day. As a result of Network Aggregation, Larson believes that an explosive attack (TNT) could be used against the public and destroy/break many fiber optic cables at once, which would disrupt crucial CI of the United States (Larson, 2006). The FBI report listed earlier stated that the 16 fiber optic cables that were cut in 2015 were a nuisance to many (Hughes, 2015). Cutting a cable does not cause as much mayhem as blowing one or many up in a populated area downtown. In regards to cutting a fiber optic cable, communication could be down for a short period (hours) while providers fixed the issue (Hughes, 2015). Blowing up many cables (Network Aggregation) could cause many issues: damage to sidewalks/roads, injury and/or death to civilians, and lack of communication from the cables for a more extended period since more were destroyed at once. In a best-case scenario, communication stays down for a short period before being fixed. Compare that to another nation or rogue group tapping the cables for information; then a long-term issue is created.


Espionage is conducted every day in every country (Knake, 2015). China has already shown what information is vulnerable to theft through cyber espionage (Gertz, 2015). If China, Russia, Iran, North Korea, or other nations were able to tap a critical fiber optic cable that relayed significant military information and were able to intercept it, then there would be a more significant issue than just having to repair a cable or cables. That information could be sold to other countries, sold to terrorist organizations, used against the United States to further their espionage, used to create military inventions, and used in a future war to their advantage.

ZERO DAYS

Kim Zetter’s (2014a) book, Countdown to Zero Day, provides significant insight into the dangers of zero-day vulnerabilities and how they affect SCADA systems across the globe. The book focuses mainly on Stuxnet and shows how insecure many CI sites in the United States are against cyber-attacks. As mentioned earlier, zero-days are vulnerabilities in a particular type of software which can allow an individual to gain unauthorized access to a system. Stuxnet did not have just one zero-day but four (Zetter, 2014a). Zero-days are extremely valuable in the cyber world. Because of this, there is a market for them (Horner, 2018; Spring, 2016). The market is also split into three different sections. The first is the black market. The zero-day black market is where cybercriminals sell zero-days to other criminals. On the black market, a valuable zero-day can sell for as much as $50,000 (Zetter, 2014a, loc. 1662). Not only does the black market sell zero-days, but sellers also bundle the zero-day information along with tools that can be used to exploit them (Zetter, 2014a, loc. 1854). This allows criminals or criminal groups with very little knowledge about cyber to purchase the zero-day and the tools to use it without having much, if any, knowledge about cyber itself. The second market is called the white market. The white market allows creators of software such as Microsoft, Adobe, Google, Apple, and other companies to post bounties for individuals to find zero-days in their programs (Zetter, 2014a). When an individual finds an exploit in the software, they can notify the company, and in return they will be paid. Most recently, in 2017, Microsoft was offering bounties of up to $250,000 for exploits found in their Windows 10 operating system (Warren, 2017). The $250,000 reward is for exploits that can cause a significant issue. Smaller exploits will net an individual up to $15,000 or less (Zetter, 2014a). Because there is a vast number of bounties posted by companies, the rewards for finding exploits start to decrease. Due to the decrease in the reward, individuals who find the exploits might turn to the black market to make a higher profit. However, not everyone wants to sell exploits to criminals, where they could be used for an attack. This is where the third and final market comes into play. The grey market is composed of government agencies and defense contractors (Zetter, 2014a). The grey market gets its name because of the buyers. Many believe that selling zero-days to government officials means that the “good guy” has the exploit and will fix it. However, that is not always the case. Zetter explains that governments could use these zero-days for political advantages and personal gain (Zetter, 2014a, loc. 1870). After the San Bernardino shooting, the FBI turned to Apple to help them unlock the deceased shooter’s iPhone. After Apple declined to help, citing that it was an invasion of privacy, the government turned to the grey market to find exploits (zero-days) in the iPhone’s operating system, iOS (“Breaking down Apple’s,” 2016; D. Gilbert, 2017). The FBI was able to purchase a zero-day vulnerability that allowed them to unlock the deceased terrorist’s iPhone for $1 million (“Breaking down Apple’s,” 2016; D. Gilbert, 2017). In 2013, before the San Bernardino shooting, former NSA director General Keith Alexander was quoted at a Senate committee stating, “On a scale of one to ten measuring the preparedness of US CI to withstand a destructive cyber assault, one being the least prepared and ten being the most, the US is at a three” (Zetter, 2014a, loc. 2411). With zero-days being sold and purchased every day in all three markets, it is vital that CI be protected at all times from a cyber-attack.

ATTRIBUTION

As discussed earlier in Chapter 3, attribution is a primary concern as it relates to the security and investigations of SCADA/ICS facilities. Jeffrey Carr’s (2012) Inside Cyber Warfare discusses the difficulties of attribution as it relates to SCADA. With the use of VPNs, proxy servers, and botnets, it is difficult to find out who was behind a cyber-attack. However, with the use of open source tools and other methods, it is occasionally possible to find out where an attack originated (Carr, 2012). In 2009, a report from Team Cymru stated that many ports that belong to SCADA were being targeted at a high volume (Carr, 2012). After determining the IP addresses which were conducting the malicious port scans for SCADA systems, they found that the majority of the systems were from: “Houston, Miami, UK, Spain, London, France, Moscow, St. Petersburg, Romania, Ukraine, Hong Kong, Thailand, Korea, Japan, and many other locations” (Carr, 2012, p. 138). They also found that the scans were being conducted by infected computers (botnets). Since botnets were executing the scans, the individuals conducting the scans could hide their location. For example, the suspect looking for SCADA ports could be in Ireland, while using an infected computer in Texas that is using a proxy server that is located in Toronto.
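The defensive side of the scanning activity described above, as an added example that is not code from the thesis, from Team Cymru or from Carr: a small Python script that flags any source address probing several ICS service ports in a facility's firewall log. The log format, the sample lines, the port table and the thresholds are all constructed assumptions; only the well-known protocol port numbers (Modbus/TCP 502, DNP3 20000, S7 102, EtherNet/IP 44818, BACnet 47808) are real.

```python
"""Flag log sources that probe several ICS service ports.

Added example for the scanning/attribution discussion; not code from the
thesis, Team Cymru or Carr. The log format, the sample lines, the port
table and the thresholds are all constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known ports of common ICS/SCADA protocols. Which of these matter
# for a given facility depends on what it actually runs (assumption).
ICS_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet",
}

# Constructed firewall log lines in a syslog-like key=value style (all
# addresses are documentation ranges, not real hosts):
#   203.0.113.10  sweeps four ICS ports within seconds
#   192.0.2.44    touches one ICS port among ordinary ports
#   198.51.100.77 probes three ICS ports hours apart ("low and slow")
SAMPLE_LOG = """\
2018-06-01T10:00:01 DENY src=203.0.113.10 dst=198.51.100.5 proto=tcp dport=502
2018-06-01T10:00:03 DENY src=203.0.113.10 dst=198.51.100.5 proto=tcp dport=20000
2018-06-01T10:00:04 DENY src=203.0.113.10 dst=198.51.100.5 proto=tcp dport=102
2018-06-01T10:00:05 DENY src=203.0.113.10 dst=198.51.100.5 proto=tcp dport=44818
2018-06-01T10:02:10 DENY src=192.0.2.44 dst=198.51.100.5 proto=tcp dport=502
2018-06-01T10:02:11 DENY src=192.0.2.44 dst=198.51.100.5 proto=tcp dport=443
2018-06-01T10:02:12 DENY src=192.0.2.44 dst=198.51.100.5 proto=tcp dport=22
2018-06-01T11:30:00 DENY src=198.51.100.77 dst=198.51.100.5 proto=tcp dport=502
2018-06-01T15:45:00 DENY src=198.51.100.77 dst=198.51.100.5 proto=tcp dport=20000
2018-06-01T19:10:00 DENY src=198.51.100.77 dst=198.51.100.5 proto=tcp dport=102
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+\S+\s+src=(?P<src>\S+)"
    r"\s+dst=\S+(?:\s+proto=\S+)?\s+dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (timestamp, source, destination port), or None if the line
    is not in the assumed format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group("src"), int(m.group("dport"))


def find_ics_scanners(log_text, min_ports=3, window_seconds=600):
    """Return {source: sorted ICS ports} for every source that hit at least
    min_ports distinct ICS ports inside some span of window_seconds."""
    events = defaultdict(list)          # source -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                     # ignore lines in another format
        ts, src, dport = parsed
        if dport in ICS_PORTS:
            events[src].append((ts, dport))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, hits in events.items():
        hits.sort()                      # chronological order
        for i, (start, _) in enumerate(hits):
            # distinct ICS ports this source touched in [start, start + window]
            ports = {port for ts, port in hits[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged


if __name__ == "__main__":
    for src, ports in find_ics_scanners(SAMPLE_LOG).items():
        names = ", ".join(f"{p} ({ICS_PORTS[p]})" for p in ports)
        print(f"{src}: {names}")
```

With the default ten-minute window only the fast sweep from 203.0.113.10 is reported; widening the window to a day also catches the slow probe from 198.51.100.77, which is the trade-off between catching patient scanners and raising false positives. Either way, the addresses reported are only the last hop the facility saw; as Carr's Ireland/Texas/Toronto example shows, that may be an infected machine or a proxy, so the output supports blocking, logging and reporting (for instance to an ISAC or InfraGard), not attribution of the person behind the scan.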


CHAPTER 8

FINAL STATEMENT/CONCLUSION

Critical infrastructure facilities that use SCADA/ICS are the backbone of many countries around the world. They provide access to electricity, oil and gas, food, water, transportation, and communication. SCADA/ICS allow the countries and the citizens living in them access to these resources 24/7. Disruption of the resources to the individuals using them could cause panic and inconvenience, but a total halt in production could cause potentially harmful outcomes. Protecting the facilities that use SCADA/ICS should be a top priority for countries and the private owners of the facilities. Owners of the private facilities should be willing to improve security not only on a physical level but on a cyber level as well. Increasing cyber security for the facilities starts with the everyday workers of the facilities. Educating the workers on social engineering attacks and cyber hygiene will prevent attacks from occurring. Simple tasks such as password management, knowing how to stop phishing and spear-phishing attempts, and knowing what devices are allowed on each network will bolster cyber security from the ground up. The owners of the facilities, as well as the managers, need to be willing to implement security programs to help with the vulnerabilities they face. Finally, the recommendations offered by NIST to protect SCADA/ICS facilities from cyber-based attacks should be required for the privately-owned facilities to operate. The privately-owned facilities that meet NIST recommendations for cyber security will benefit from the extra protection they offer. Not only should the facilities meet the recommendations as requirements, but the independent agencies that perform security audits on the facilities through government contracts should follow the recommendations offered by NIST as minimum standards for the facilities to follow. The recommendations offered by NIST along with my recommendations on cyber hygiene as well as social engineering would increase the security of CI facilities and educate their workers on how to prevent attacks from occurring.


REFERENCES

Anderson, N. (2012, June 1). Confirmed: US and Israel created Stuxnet, lost control of it. Ars Technica. Retrieved from https://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/
Armerding, T. (2016, November 16). Is critical infrastructure the next DDoS target? CSO from IDG. Retrieved from https://www.csoonline.com/article/3141601/critical-infrastructure/is-critical-infrastructure-the-next-ddos-target.html
Arthur, C. (2013, May 16). LulzSec: What they did, who they were and how they were caught. Retrieved from https://www.theguardian.com/technology/2013/may/16/lulzsec-hacking-fbi-jail
Atherton, K. D. (2017). 5 things we learned from WanaCryptor, the biggest ransomware attack in internet history. Popular Science. Retrieved from https://www.popsci.com/time-to-start-thinking-about-how-to-survive-next-ransomware-attack
British Broadcasting Corporation [BBC]. (2010, October 2). More than 100 arrests, as FBI uncovers cyber crime ring. BBC News. Retrieved from http://www.bbc.com/news/world-us-canada-11457611
British Broadcasting Corporation [BBC]. (2014, December 22). Sony hack: North Korea threatens US as row deepens. BBC. Retrieved from http://www.bbc.com/news/world-asia-30573040
British Broadcasting Corporation [BBC]. (2016, September 15). What we know about Fancy Bears hack team. BBC Newsbeat. Retrieved from http://www.bbc.co.uk/newsbeat/article/37374053/what-we-know-about-fancy-bears-hack-team
Bisson, D. (2015, April 22). Sony hackers used phishing emails to breach company networks. Tripwire. Retrieved from https://www.tripwire.com/state-of-security/latest-security-news/sony-hackers-used-phishing-emails-to-breach-company-networks/
Brandom, R. (2016, December 13). Podesta's email hack hinged on a very unfortunate typo. The Verge. Retrieved from https://www.theverge.com/2016/12/13/13940514/dnc-email-hack-typo-john-podesta-clinton-russia
Breaking down Apple's iPhone fight with the U.S. government. (2016, March 21). New York Times. Retrieved from https://www.nytimes.com/interactive/2016/03/03/technology/apple-iphone-fbi-fight-explained.html
Bright, P. (2012, March 10). With arrests, HBGary hack saga finally ends. Ars Technica. Retrieved from https://arstechnica.com/tech-policy/2012/03/the-hbgary-saga-nears-its-end/


Bureau of Justice Statistics. (2006). Cybercrime. Retrieved from https://www.bjs.gov/index.cfm?ty=tp&tid=41#data_collections
Caltagirone, S., & Lee, R. M. (2017, September 11). Hackers got into America's power grid. But don't freak out. Fortune. Retrieved from http://fortune.com/2017/09/11/dragonfly-2-0-symantec-hackers-power-grid/
Cannell, J. (2016). Tools of the trade: Exploit kits. Retrieved from https://blog.malwarebytes.com/cybercrime/2013/02/tools-of-the-trade-exploit-kits/
Carr, J. (2012). Inside cyber warfare: Mapping the cyber underworld (2nd ed., Kindle ed.). Sebastopol, CA: O’Reilly.
Center for Internet Security. (2018). Multi-state information sharing & analysis center. Retrieved from https://www.cisecurity.org/ms-isac/
Clark, C. (2017, August 18). CYBERCOM: Finally a real command, but still dual hatted. Breaking Defense. Retrieved from https://breakingdefense.com/2017/08/cybercom-finally-a-real-command-but-still-dual-hatted/
Complex networks make up U.S. power grid. (2013, August 14). NPR. Retrieved from https://www.npr.org/2013/08/14/211890365/u-s-power-grid-made-up-of-complex-networks
Crigger, M., & Santhanam, L. (2015, May 24). How many Americans have died in U.S. wars? PBS. Retrieved from https://www.pbs.org/newshour/nation/many-americans-died-u-s-wars
Deibert, R. (2012). The growing dark side of cyberspace (...and what to do about it). Pennsylvania State Journal of Law and International Affairs, 1(2), 260-274. Retrieved from https://elibrary.law.psu.edu/cgi/viewcontent.cgi?article=1012&context=jlia
Denning, D. E. (2000). Cyberterrorism. Retrieved from http://palmer.wellesley.edu/~ivolic/pdf/Classes/Handouts/NumberTheoryHandouts/Cyberterror-Denning.pdf
Department of Energy. (n.d.). National SCADA test bed fact sheet. Retrieved from https://www.energy.gov/sites/prod/files/oeprod/DocumentsandMedia/NSTB_Fact_Sheet_FINAL_09-16-09.pdf
Department of Energy. (2017a). Ensuring electricity system reliability, security, and resilience. In Quadrennial energy review: Transforming the nation’s electricity system: The second installment of the QER (pp. 4-1-4-59). Washington, DC: Author.
Department of Energy. (2017b). Quadrennial energy review: Transforming the nation’s electricity system: The second installment of the QER. Washington, DC: Author.
Department of Energy. (2018). Secretary of Energy Rick Perry forms new Office of Cybersecurity, Energy Security, and Emergency Response. Retrieved from https://www.energy.gov/articles/secretary-energy-rick-perry-forms-new-office-cybersecurity-energy-security-and-emergency
Department of Homeland Security. (n.d.). Critical infrastructure sectors. Retrieved from https://www.dhs.gov/critical-infrastructure-sectors


Department of Homeland Security. (2018a). Industrial control systems joint working group (ICSJWG). Retrieved from https://ics-cert.us-cert.gov/Industrial-Control-Systems-Joint-Working-Group-ICSJWG
Department of Homeland Security. (2018b). Information sharing. Retrieved from https://www.dhs.gov/topic/cybersecurity-information-sharing
Department of Justice. (2014). U.S. charges five Chinese military hackers for cyber espionage against U.S. corporations and a labor organization for commercial advantage. Retrieved from https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor
Eddy, M. (2018). How to hide your IP address. Retrieved from https://www.pcmag.com/article/343394/how-to-hide-your-ip-address
Electrical Technology. (2015, September 14). SCADA systems for electrical distribution. Electrical Technology. Retrieved from https://www.electricaltechnology.org/2015/09/scada-systems-for-electrical-distribution.html
English, T. (2016, June 29). Dirty to clean: How a water treatment plant works. Retrieved from https://interestingengineering.com/dirty-clean-how-water-treatment-plant-works
Entous, A., Miller, G., & Nakashima, E. (2016). Secret CIA assessment says Russia was trying to help Trump win White House. Washington Post. Retrieved from https://www.washingtonpost.com/world/national-security/obama-orders-review-of-russian-hacking-during-presidential-campaign/2016/12/09/31d6b300-be2a-11e6-94ac-3d324840106c_story.html?utm_term=.e18aec8a1651
Environmental Protection Agency. (2017). U.S. electricity grid & markets. Retrieved from https://www.epa.gov/greenpower/us-electricity-grid-markets
Gartner. (2013). Gartner says the internet of things installed base will grow to 26 billion units by 2020. Retrieved from https://www.gartner.com/newsroom/id/2636073
General Electric [GE]. (2018a). Everything you need to know about the industrial internet of things (IIoT). Retrieved from https://www.ge.com/digital/blog/everything-you-need-know-about-industrial-internet-things
General Electric [GE]. (2018b). What is nuclear power and energy? Retrieved from https://nuclear.gepower.com/company-info/nuclear-power-basics
Gertz, B. (2015, January 22). NSA details Chinese cyber theft of F-35, military secrets. Washington Free Beacon. Retrieved from http://freebeacon.com/national-security/nsa-details-chinese-cyber-theft-of-f-35-military-secrets/
Gilbert, A. (2016). The U.S. electricity system in 15 maps. Retrieved from http://www.theenergycollective.com/aqgilbert/2322195/us-electricity-system-15-maps
Gilbert, D. (2017, March 26). The U.S. government is stockpiling lists of ‘zero day’ software bugs that let it hack into iPhones. Vice. Retrieved from https://news.vice.com/en_us/article/8xmjyp/the-u-s-government-is-stockpiling-lists-of-zero-day-software-bugs-that-let-it-hack-into-iphones


Gillespie, E. M. (2008, March 6). Luxury homes burn in apparent eco-attack. . Retrieved from http://wayback.archive.org/web/20080306184703/ap.google.com/article/ALeqM5hQlKz_UjBgvhm8rfGiTaQYS82a5gD8V66KUG0
Glaser, A. (2017, June 27). U.S. hospitals have been hit by the global ransomware attack. Recode. Retrieved from https://www.recode.net/2017/6/27/15881666/global-eu-cyber-attack-us-hackers-nsa-hospitals
Gorman, S., Cole, A., & Dreazen, Y. (2009, April 21). Computer spies breach fighter-jet project. Wall Street Journal. Retrieved from https://www.wsj.com/articles/SB124027491029837401
Government Accountability Office [GAO]. (2006). Critical infrastructure protection: Progress coordinating government and private sector efforts varies by sectors’ characteristics. Washington, DC: Author.
Green, J. (2002). The myth of cyberterrorism. Retrieved from werzit.com/intel/regions/cyber/articles/archives/Myth%20of%20Cyberterrorism.pdf
Greenberg, A. (2017, July 6). Hack brief: Hackers targeted a US nuclear plant (but don't panic yet). Wired. Retrieved from https://www.wired.com/story/hack-brief-us-nuclear-power-breach/
Grisham, L. (2014, December 18). Timeline: North Korea and the . USA Today. Retrieved from https://www.usatoday.com/story/news/nation-now/2014/12/18/sony-hack-timeline-interview-north-korea/20601645/
Gross, M., & Bagnall, R. J. (2003, October 1). Threats to fiber-optic infrastructures. Retrieved from https://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-gross-up.pdf
Harball, E. (2018, March 14). The trans-Alaska pipeline fights off 22 million cyber attacks daily. Alaska Public Media. Retrieved from https://www.alaskapublic.org/2018/03/14/the-trans-alaska-pipeline-fights-off-22-million-cyber-attacks-daily/
Horner, M. (2018, April). SCADA fusion with commercial fission. Homeland Security Affairs, 14(4), 1-17. Retrieved from https://www.hsaj.org/articles/14317
Huang, K., & Lee, A. D. (2016, December 14). A combination image shows the US Lockheed Martin F-35 Lightning II, left, and the Chinese J-20 [Photograph]. Retrieved from http://www.scmp.com/news/china/diplomacy-defence/article/2054492/americas-f-35-fighter-jet-vs-chinas-j-20-which-better
Hughes, T. (2015, September 16). Attacks show fiber optic internet cables vulnerable. USA Today. Retrieved from https://www.usatoday.com/story/news/2015/09/16/attacks-show-fiber-optic-internet-cables-vulnerable/32502785/
Indegy. (2018). Company. Retrieved from https://www.indegy.com/company/
Inductive Automation. (n.d.). What is SCADA? Supervisory control and data acquisition. Retrieved from https://inductiveautomation.com/what-is-scada
InfraGard. (2016). InfraGard national sector chief program (INSCP) goals and guide. Washington, DC: Author.


InfraGard. (2018). InfraGard: Partnership for protection. Retrieved from https://www.infragard.org/
InfoSec Island. (2012, April 24). ICS-CERT: Social engineering and SCADA security. Retrieved from http://www.infosecisland.com/blogview/21097-ICS-CERT-Social-Engineering-and-SCADA-Security.html
Internet of Things (IOT) Cybersecurity Improvement Act of 2017, S. 1691, 115th Cong. (2017).
Johns Hopkins School of Advanced International Studies. (n.d.). Johns Hopkins SAIS names cybersecurity expert Thomas Rid as professor of strategic studies. Retrieved from https://www.sais-jhu.edu/content/johns-hopkins-sais-names-cybersecurity-expert-thomas-rid-professor-strategic-studies
Johnston, D. (2003, July 24). 9/11 Congressional report faults F.B.I.-C.I.A. lapses. New York Times. Retrieved from https://www.nytimes.com/2003/07/24/us/9-11-congressional-report-faults-fbi-cia-lapses.html
Jones, J. H., & Rowe, P. (2017, October 31). Searing lessons: How the 2007 wildfires changed San Diego County. San Diego Union Tribune. Retrieved from http://www.sandiegouniontribune.com/news/wildfire/sd-me-witch-creek-20171010-story.html
Keizer, G. (2010, September 16). Is Stuxnet the 'best' malware ever? Computer World. Retrieved from https://www.computerworld.com/article/2515757/malware-vulnerabilities/is-stuxnet-the--best--malware-ever-.html
Kelly Warner Law. (n.d.). Cybercrime laws in the United States. Retrieved from http://www.aaronkellylaw.com/cybercrime-laws-united-states/
Kerner, S. M. (2013). IBM AS/400 turns 25: Will it last another 25 years? Retrieved from https://www.serverwatch.com/server-trends/ibm-as400-turns-25-will-it-last-another-25-yrs.html
Knake, R. K. (2015, June 18). Countries are supposed to spy on each other-that’s why the US won’t blame China for hacking federal files. QZ. Retrieved from https://qz.com/429442/countries-are-supposed-to-spy-on-each-other-thats-why-the-us-wont-blame-china-for-hacking-federal-files/
Kovacs, E. (2016, March 22). Attackers alter water treatment systems in utility hack. Security Week. Retrieved from http://www.securityweek.com/attackers-alter-water-treatment-systems-utility-hack-report
Larsen, G. N., & Wheeler, D. A. (2003). Techniques for cyber attack attribution. Alexandria, VA: Institute for Defense Analyses.
Larson, L. W. (2006). The vulnerability of fiber optic networks: A CARVER + shock threat assessment for the information and communication technology systems infrastructure of downtown San Diego, California. Charleston, SC: BookSurge.


Lawrence, D. (2015, June 18). The hunt for the financial industry's most-wanted hacker. Bloomberg. Retrieved from https://www.bloomberg.com/news/features/2015-06-18/the-hunt-for-the-financial-industry-s-most-wanted-hacker
Lee, A. (2012). Cyberwar: Reality, or a weapon of mass distraction. Retrieved from https://cdn1.esetstatic.com/eset/US/resources/docs/white-papers/whitepapers-cyberwar-reality-or-weapon-of-mass-distraction.pdf
Lemonnier, J. (2015). What is malware? How malware works & how to remove it. Retrieved from https://www.avg.com/en/signal/what-is-malware
Lewis, J. A. (2011). Cybersecurity two years later: A report of the CSIS commission on cybersecurity for the 44th presidency. Washington, DC: Center for Strategic and International Studies.
Libelium. (2013). Libelium smart world infographic–sensors for smart cities, internet of things and beyond. Retrieved from http://www.libelium.com/libelium-smart-world-infographic-smart-cities-internet-of-things/
Marsh, R. T. (1997). Critical foundations: Protecting America’s infrastructures. Washington, DC: President’s Commission on Critical Infrastructure Protection.
Mathews, L. (2017, February 7). 2016 saw an insane rise in the number of ransomware attacks. Forbes. Retrieved from https://www.forbes.com/sites/leemathews/2017/02/07/2016-saw-an-insane-rise-in-the-number-of-ransomware-attacks/#6bc60dc658dc
Matsakis, L. (2018, January 10). Hack brief: Russian hackers release apparent IOC emails in wake of Olympics ban. Wired. Retrieved from https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/
Matson, J. (2011, March 15). What happens during a nuclear meltdown? Scientific American. Retrieved from https://www.scientificamerican.com/article/nuclear-energy-primer/
McAfee. (2013). What is a keylogger? Retrieved from https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-a-keylogger/
McKelvey, T. (2013, October 25). US goes nuclear in spy wars. BBC. Retrieved from http://www.bbc.com/news/magazine-24627187
McMillan, R. (2010, September 14). Siemens: Stuxnet worm hit industrial systems. Computer World. Retrieved from https://www.computerworld.com/article/2515570/network-security/siemens--stuxnet-worm-hit-industrial-systems.html
Melman, Y. (2016, February 16). Israel's rash behavior blew operation to sabotage Iran's computers. Jerusalem Post. Retrieved from http://www.jpost.com/Middle-East/Iran/Israels-rash-behavior-blew-operation-to-sabotage-Irans-computers-US-officials-say-444970
Meyers, A. (2016). Danger close: Fancy bear tracking of Ukrainian field artillery units. Retrieved from https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/


Mills, E. (2010, November 15). Symantec: Stuxnet clues point to uranium enrichment target. CNET. Retrieved from https://www.cnet.com/news/symantec-stuxnet-clues-point-to-uranium-enrichment-target/
Minkel, J. R. (2008, August 13). The 2003 northeast blackout-five years later. Scientific American. Retrieved from https://www.scientificamerican.com/article/2003-blackout-five-years-later/
Mitchell, B. (2017). Is fiber faster than traditional cables? Learn all about fiber optics. Retrieved from https://www.lifewire.com/fiber-optic-cable-817874
Morgan, J. (2014, May 13). A simple explanation of 'the internet of things'. Forbes. Retrieved from https://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-understand/#1d807c2d1d09
Nakashima, E. (2013, February 10). U.S. said to be target of massive cyber-espionage campaign. Washington Post. Retrieved from https://www.washingtonpost.com/world/national-security/us-said-to-be-target-of-massive-cyber-espionage-campaign/2013/02/10/7b4687d8-6fc1-11e2-aa58-243de81040ba_story.html?utm_term=.720402356221
National Council of ISACs. (2018). Member ISACs. Retrieved from https://www.nationalisacs.org/member-isacs
National Cybersecurity and Communications Integration Center. (2017). Intrusions affecting multiple victims across multiple sectors. Washington, DC: Department of Homeland Security.
National Initiative for Cybersecurity Careers and Studies. (2017). Glossary. Retrieved from https://niccs.us-cert.gov/glossary#D
National Institute of Standards and Technology [NIST]. (2017). NIST mission, vision, core competencies, and core values. Retrieved from https://www.nist.gov/about-nist/our-organization/mission-vision-values
Newman, L. H. (2016, December 24). Why is it so hard to prove Russia hacked the DNC? Wired. Retrieved from https://www.wired.com/2016/12/hacker-lexicon-attribution-problem/
Nuclear Threat Initiative. (2017). Natanz enrichment complex. Retrieved from http://www.nti.org/learn/facilities/170/
Office of the Director of National Intelligence. (n.d.). Department of Energy Office of Intelligence and Counterintelligence. Retrieved from https://www.intelligence.gov/how-the-ic-works/our-organizations/419-doe-office-of-intelligence-and-counterintelligence
Office of the Director of National Intelligence. (2017). Background to "Assessing Russian activities and intentions in recent US elections": The analytic process and cyber incident attribution. Retrieved from https://www.documentcloud.org/documents/3254239-Russia-Hacking-report.html


Orange County Intelligence Assessment Center [OCIAC]. (n.d.). About Orange County Intelligence Assessment Center. Retrieved from http://ociac.org/default.aspx/MenuItemID/218/MenuGroup/HomeRight.htm
Overseas Security Advisory Council [OSAC]. (n.d.a). About OSAC. Retrieved from https://www.osac.gov/pages/AboutUs.aspx
Overseas Security Advisory Council [OSAC]. (n.d.b). How to join. Retrieved from https://www.osac.gov/pages/Login.aspx
Pagliery, J. (2015, March 16). Ex-NSA director: China has hacked 'every major corporation' in U.S. CNN. Retrieved from http://money.cnn.com/2015/03/13/technology/security/chinese-hack-us/
Palmer, D. (2017, May 12). How Bitcoin helped fuel an explosion in ransomware attacks. ZDNet. Retrieved from http://www.zdnet.com/article/how-bitcoin-helped-fuel-an-explosion-in-ransomware-attacks/
Perez, E., Brown, P., Prokupecz, S., & Bradner, E. (2017, April 21). Sources: US prepares charges against WikiLeaks' Assange. CNN. Retrieved from https://www.cnn.com/2017/04/20/politics/julian-assange--us-charges/index.html
Peterson, A. (2014, December 18). The Sony Pictures hack, explained. Washington Post. Retrieved from https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/the-sony-pictures-hack-explained/?utm_term=.26a9388a6973
Peterson, A. (2016, July 22). WikiLeaks posts nearly 20,000 hacked DNC emails online. Washington Post. Retrieved from https://www.washingtonpost.com/news/the-switch/wp/2016/07/22/wikileaks-posts-nearly-20000-hacked-dnc-emails-online/?utm_term=.d213cb65b077
Posse Comitatus Act, 18 U.S.C. § 1385 (1956).
Ragan, S. (2014, December 9). FBI says there's nothing linking North Korea to Sony hack. CSO Online. Retrieved from http://www.csoonline.com/article/2857455/business-continuity/fbi-says-theres-nothing-linking-north-korea-to-sony-hack.html?utm_source=twitterfeed&utm_medium=
Ragan, S. (2016, March 7). Three more firms hit by targeted phishing attacks seeking W2 data. CSO Online. Retrieved from http://www.csoonline.com/article/3040626/security/three-more-firms-hit-by-targeted-phishing-attacks-seeking-w2-data.html
Reuters. (2017, May 21). North Korea's special cyber warfare cell behind the Sony hack is masterminding other attacks on the West. Newsweek. Retrieved from http://www.newsweek.com/north-korea-cyber-warfare-sony-hack-612997
Reuters Staff. (2016, December 16). Putin turned Russia election hacks in Trump's favor: U.S. officials. Reuters. Retrieved from https://www.reuters.com/article/us-usa-trump-cyber/putin-turned-russia-election-hacks-in-trumps-favor-u-s-officials-idUSKBN1441RS


Rid, T. (2013). Why a cyberwar won’t happen. Retrieved from https://www.newscientist.com/article/mg21929334-800-why-a-cyberwar-wont-happen/
Rogers, J. (2017, April 3). International athletics body IAAF hacked, warns that athletes' data may be compromised. Fox News. Retrieved from http://www.foxnews.com/tech/2017/04/03/international-athletics-body-iaaf-hacked-warns-that-athletes-data-may-be-compromised.html
Sands, G. (2016, March 19). What to know about the worldwide ‘anonymous’. ABC News. Retrieved from http://abcnews.go.com/US/worldwide-hacker-group-anonymous/story?id=37761302
Sanger, D. E. (2012, June 1). Obama ordered wave of cyberattacks against Iran. New York Times. Retrieved from http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html
Sanger, D. E., & Corasaniti, N. (2016, June 14). D.N.C. says Russian hackers penetrated its files, including dossier on Donald Trump. New York Times. Retrieved from https://www.nytimes.com/2016/06/15/us/politics/russian-hackers-dnc-trump.html
Sebenius, A. (2017, December 13). Will Ukraine be hit by yet another holiday power-grid hack? Atlantic. Retrieved from https://www.theatlantic.com/technology/archive/2017/12/ukraine-power-grid-hack/548285/
SecurityWeek. (2018). About the Industrial Control Systems (ICS) cyber security conference. Retrieved from https://www.icscybersecurityconference.com/about/
Shearer, J. (2017). W32.Stuxnet. Retrieved from https://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
Shodan. (2017). Shodan. Retrieved from https://www.shodan.io/
Siegel, J. (2018, March 20). Rick Perry boasts new cybersecurity office can handle Russian targeting of US grid. Washington Examiner. Retrieved from https://www.washingtonexaminer.com/policy/energy/rick-perry-boasts-new-cybersecurity-office-can-handle-russian-targeting-of-us-grid
Singel, R. (2008, January 23). War breaks out between hackers and Scientology-there can be only one. Wired. Retrieved from https://www.wired.com/2008/01/anonymous-attac/
Spring, T. (2016, May 31). Windows zero day selling for $90,000. Threatpost. Retrieved from https://threatpost.com/windows-zero-day-selling-for-90000/118380/
Stone, J. (2016, June 15). Meet fancy bear and , Russian groups blamed for DNC hack. Christian Science Monitor. Retrieved from https://www.csmonitor.com/World/Passcode/2016/0615/Meet-Fancy-Bear-and-Cozy-Bear-Russian-groups-blamed-for-DNC-hack
Stouffer, K., Falco, J., & Kent, K. (2006). Guide to supervisory control and data acquisition (SCADA) and industrial control systems security. Washington, DC: Department of Commerce.
Stouffer, K., Pillitteri, V., Lightman, S., Abrams, M., & Hahn, A. (2015). Guide to industrial control systems (ICS) security. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
Symantec. (n.d.). How do zero-day vulnerabilities work. Retrieved from https://us.norton.com/internetsecurity-emerging-threats-how-do-zero-day-vulnerabilities-work-30sectech.html
Szoldra, P. (2016a, June 10). A hacker explains why you shouldn't believe North Korea was behind the massive Sony hack. . Retrieved from http://www.businessinsider.com/north-korea-sony-hack-2016-6
Szoldra, P. (2016b, June 9). A hacker told us a that shuts down the power grid is ‘highly unlikely,’ but there's a much scarier way to pull it off. Business Insider. Retrieved from http://www.businessinsider.com/power-grid-hacking-ukraine-2016-6
TeleGeography. (2018). Submarine cable map. Retrieved from https://www.submarinecablemap.com/
Terdiman, D. (2012, April 12). Stuxnet delivered to Iranian nuclear plant on thumb drive. CNET. Retrieved from https://www.cnet.com/news/stuxnet-delivered-to-iranian-nuclear-plant-on-thumb-drive/
The threat of eco-terrorism: Hearings before the House Resources Committee, Subcommittee on Forests and Forest Health, 107th Cong. (2002) (testimony of James Jarboe).
Trend Micro. (2015). Hacktivism 101: A brief history and timeline of notable incidents. Retrieved from https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/hacktivism-101-a-brief-history-of-notable-incidents
Trend Micro. (2018). Exploit kit definition. Retrieved from https://www.trendmicro.com/vinfo/us/security/definition/exploit-kit
The United States Intelligence Community. (2018). Intelligence careers. Retrieved from https://www.intelligencecareers.gov/
United States Northern Command [USNORTHCOM]. (n.d.). About USNORTHCOM. Retrieved from http://www.northcom.mil/About-USNORTHCOM/
United States Computer Emergency Readiness Team. (2018). Russian government cyber activity targeting energy and other critical infrastructure sectors. Retrieved from https://www.us-cert.gov/ncas/alerts/TA18-074A
Warren, T. (2017). Microsoft will now pay up to $250,000 for Windows 10 security bugs. Retrieved from https://www.theverge.com/2017/7/26/16044842/microsoft-windows-bug-bounty-security-flaws-bugs-250k
Water World. (2018). SCADA system monitors water transport, distribution, treatment. Retrieved from http://www.waterworld.com/articles/print/volume-27/issue-8/departments/automation-technology/scada-system-monitors-water-transport-distribution-treatment.html
Weimann, G. (2004). Cyberterrorism: How real is the threat? Washington, DC: United States Institute of Peace.


WikiLeaks. (2016). What is WikiLeaks. Retrieved from https://wikileaks.org/What-is-Wikileaks.html
Wilts, A. (2018, March 15). Trump administration accuses Russia of attacking US power grid. Independent. Retrieved from https://www.independent.co.uk/news/world/americas/us-politics/trump-russia-cyber-attack-power-grid-nuclear-infrastructure-government-a8258396.html
World Nuclear Association. (2016). Chernobyl. Retrieved from http://www.world-nuclear.org/information-library/safety-and-security/safety-of-plants/chernobyl-accident.aspx
World Nuclear Association. (2017). Fukushima accident. Retrieved from http://www.world-nuclear.org/information-library/safety-and-security/safety-of-plants/fukushima-accident.aspx
Wright, L. (2006). The looming tower: Al-Qaeda and the road to 9/11. New York City, NY: Vintage Books.
Zamora, W. (2017). Internet of Things (IoT) security: What is and what should never be. Retrieved from https://blog.malwarebytes.com/101/2017/12/internet-things-iot-security-never/
Zetter, K. (2013, June 21). U.K. spy agency secretly taps over 200 fiber-optic cables, shares data with the NSA. Wired. Retrieved from https://www.wired.com/2013/06/gchq-tapped-200-cables/
Zetter, K. (2014a). Countdown to zero day: Stuxnet and the launch of the world's first digital weapon (Kindle ed.). New York, NY: Crown.
Zetter, K. (2014b, December 3). Sony got hacked hard: What we know and don’t know so far. Wired. Retrieved from https://www.wired.com/2014/12/sony-hack-what-we-know/
Zittrain, J., & Sauter, M. (2010). Everything you need to know about WikiLeaks. Retrieved from https://www.technologyreview.com/s/421949/everything-you-need-to-know-about-wikileaks/


APPENDIX

SUPPLEMENTARY FIGURES

Figure 8. Screenshot from Shodan.io which provides the user with information about a Verizon Wireless page for CI. Source: (Shodan, 2017).

Figure 9. Screenshot showing the “http” which will allow anyone to connect to the login page for Verizon. Source: (Zetter, 2014a).


Figure 10. Screenshot of the login page to access crucial CI information. Source: (Zetter, 2014a).