Lessons Learned from the CISA Red Team Hack 

Dmitri’s fingers flew over the keyboard as he searched for an access window to the network at Metropolitan Utilities: the biggest electricity service provider in the tri-state area. Using a password he’d retrieved from the dark web, he connected to an employee computer, then moved silently through the network, scanning for a computer with better privileges. Through this, he hoped to access the systems controlling the power grid. He called over his shoulder, “Natalya, mne nuzhno nebol’shaya pomosch’. Would you build me a fake login webpage that matches theirs? If I send it to all the company’s staff, I might trick an administrator into handing over their username and password.”  

His partner nodded and emailed a link to the entire IT department under the pretext that there was a failed login attempt that needed investigating. Jason, a junior-level administrator, took the bait. What followed was a chain of events culminating in the effective barring of all administrators from the power grid. 

 “Bingo,” said Dmitri under his breath.  

And at this point the exercise concluded. “Krasnaya komanda! Krasnaya komanda!” (red team) laughed Natalya as Dmitri contacted the blue team, a.k.a, the IT and cybersecurity department of Metropolitan Utilities.  

Here is your problem . . . 

Three weeks before, the department had contracted Dmitri and Natalya’s cyber company to run a red team test on the network. Red teaming is a simulated cyberattack conducted by a group of ethical “white-hat” hackers. They use real-world techniques to breach an organization and identify any vulnerabilities that might prevent it from detecting an actual threat. In this case, the red team’s victory was the result of several basic security mistakes.  

The US government has classified electrical, natural gas, water distribution and several other industries as “critical infrastructure”: infrastructure vital to the survival of the nation. Attacks on such industries can be particularly damaging. Recently, the United States Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment resembling the fictitious example above at the request of a real-world critical infrastructure organization. No details about this organization were disclosed except the type of infrastructure—a utility company 

The red team was able to breeze through the company computers at blinding speed. During the simulated attack, the organization did actually discover the presence of the red team but lacked essential layers of protection—what we call “Defense in Depth”—which would have allowed for a prompter response. Instead, they relied on fancy antivirus software that could not sense the network traffic. Furthermore, their staff lacked appropriate network-protection training. It should have been provided to each employee in small, frequent bites. The company had previously contracted third-party providers for red team exercises, and its leaders had been made aware of these vulnerabilities. But they had underestimated the risk. Nothing had been done. 

The company had previously contracted with third party providers for red team exercises. But the leadership at the organization deprioritized fixing the previously discovered vulnerabilities.  They miscalculated the potential impact and likelihood of those vulnerabilities being used against them one day.   

CISA had several key recommendations, which included regular software updates and cleanses, as well as the use of multi-factor authentication (MFA) and segmented networks. MFA just means requiring more than a password for login. Authenticator apps like Duo and Microsoft Authenticator are designed for this, but there are simpler and less secure methods—for instance, receiving a text or email code. Segmented networks are also fairly self-explanatory. Consider the way a house is partitioned with walls. A network engineer can do the same to your network using firewalls, switches and routers, or through software installed on each computer (which is how your Cochise County Cyber Guys do it).   

Lastly, CISA recommended a shift from legacy system and network architecture to a modern Zero-Trust architecture. Zero-Trust, in the context of computers and networks, is something akin to home security. Doors are locked by default, and only close friends and family are allowed in. This is called, “Deny by Default, Allow by Exception.” 

If you’re a business owner and want to understand how to implement Zero-Trust in your organization, contact the Cyber Guys below. The threat is real, and it is growing. Fortunately, it is also preventable. In the case of Metropolitan Utilities, its first “attackers” had no malicious intent. Provided the blue team heeds Dmitri’s advice, they’ll be prepared in the event that a true black-hat team tries to take down the grid. Are our local utility companies up for the challenge?