The Defense Intelligence Agency warned this month that Russian government hackers could penetrate U.S. industrial control networks using commercial security software.
The agency stated in a recent notice circulated within the Pentagon that security software being developed by Kaspersky Lab, a Russian-origin company, will create vulnerabilities for U.S. industrial control systems and so-called supervisory control and data acquisition software, or SCADA, systems, if purchased and deployed by American utilities.
A DIA spokesman declined to comment on the report.
Kaspersky Lab, in a statement, denied its security products could be used against U.S. infrastructure.
In a related development, two U.S. military commanders urged Defense Secretary Ash Carter earlier this month to do more to defend critical infrastructure from cyber attacks against industrial control systems.
“We respectfully request your assistance in providing focus and visibility on an emerging threat that we believe will have serious consequences on our ability to execute assigned missions if not addressed – cyber security of [Defense Department] critical infrastructure Industrial Control Systems,” Northern Command’s Adm. William Gortney and Pacific Command’s Adm. Harry Harris stated in a Feb. 11 letter to Carter.
On the potential Russian government exploitation of security software, defense officials familiar with the DIA report said the agency fears U.S. electrical and water utilities, as well as other critical industrial sectors, will purchase and use the Kaspersky security software.
The agency said the software could permit Russian government hackers, considered among the most advanced nation-state cyber spies, to gain access to industrial control software, specifically remote-controlled SCADA programs that run the electrical grid, oil and gas networks, water pipelines and dams, and wastewater systems.
U.S. officials have said hackers from both Russia and China have been detected conducting cyber reconnaissance of industrial control networks in apparent preparation for future cyber attacks during a conflict.
Kaspersky Lab strongly rejected the DIA claims.
“The alleged claims are meritless as Kaspersky Lab’s products and solutions are designed to protect against cybercriminals and malicious threat actors, not enable attacks against any organization or entity,” the statement said.
“We are not developing any offensive techniques and have never helped, or will help, any government in the world in their offensive efforts in cyberspace.”
Kaspersky Lab plans to release what it describes as “a complete security solution” later this year designed to help protect industrial control systems and networks around the world from cyber attacks.
“The systems controlling important operations involving electricity, water and manufacturing have been widely publicized as being extremely vulnerable to cyber threats, and our solution will help manufacturers and critical infrastructure operators, including those in the U.S, to prevent a crippling cyber attack against these sensitive systems that we rely upon every day,” the statement said.
The company said it is “proud to work with governments around the world to protect their infrastructure and networks, and also to collaborate with the authorities of many countries and international law enforcement agencies in fighting cybercrime.”
The statement said Kaspersky Lab “has no political ties to any government.”
Gortney and Harris, the military commanders, stated in their letter that the threat to U.S. industrial control systems is serious and should be included on the Pentagon’s automated cyber “scorecard”—an electronic system being developed to outline key vulnerabilities of defense computer networks to cyber attack.
“We must establish clear ownership policies at all levels of the department, and invest in detection tools and processes to baseline normal network behavior from abnormal behavior,” the four-star admirals said.
Once that is accomplished, “we should be able to track progress for establishing acceptable cyber security for our infrastructure [industrial control systems,” they added.
The letter said the Department of Homeland Security had detected a seven-fold increase in cyber attacks between 2010 and 2015 on critical infrastructure. The attacks were carried out against what the Pentagon calls “platform information technology”—critical national security hardware and software, including industrial controls and SCADA.
“Many nefarious cyber payloads, e.g., Shamoon, Shodan, Havex and BlackEnergy, and emerging ones, have the potential to debilitate our installations’ mission critical infrastructure,” the admirals said.
“As geographic combatant commanders with homeland defense responsibilities and much at stake in this new cyber connected world, we request your support,” they added. The letter was first disclosed by FCW.com on Feb. 25.
BlackEnergy is malware that researchers have linked to Russian government hacking. BlackEnergy malware was detected during investigations of recent cyber attacks against Ukraine’s electrical grid that were believed to be carried out by Russian hackers.
Shamoon was linked to the 2012 cyber attack against the state-run Saudi Aramco oil company that damaged 30,000 computers and was believed to have been carried out by Iran.
Havex malware has been linked to cyber attacks on industrial control systems, and Shodan is a search engine that is believed to have helped foreign hackers map remote industrial control networks for possible attacks.
Asked about the letter, a Northcom spokeswoman said in a statement that the Pentagon’s Industrial Control Systems, or ICS, cyber security “is vital to command preparedness and our ability to execute assigned missions.”
“The eight-star letter from Adms. Harris and Gortney demonstrates our combatant commands’ commitment to defend against emerging threats against DoD critical infrastructure ICS,” said a joint statement from the two commands.
“We recognize the risks associated with attacks on critical infrastructure [industrial control systems] and we are engaging with the secretary of defense to actively combat these risks,” the statement added.
Russia was linked to SCADA attacks by Director of National Intelligence James Clapper in congressional testimony last September.
Clapper disclosed that Russian cyber warfare specialists are developing the capability to remotely access industrial control systems used in managing critical infrastructure.
“Unknown Russian actors successfully compromised the product supply chains of at least three [industrial control system] vendors so that customers downloaded malicious software designed to facilitate exploitation directly from the vendors’ websites along with legitimate software updates,” Clapper stated in Sept. 10 testimony before the House Permanent Select Committee on Intelligence.
The Washington Free Beacon disclosed in 2014 that Russian hackers were suspected of using malware, including BlackEnergy, to map U.S. industrial control systems since 2011.
A former intelligence official said threats to industrial control systems from Kaspersky software has been an “NSA myth” for years.
“Kaspersky wanted to do it and still is developing something but it’s never going to be public and they know that,” the former official said, adding that NSA has overreacted to the threat.
However, the former official said that industrial control systems remain vulnerable to cyber attacks because the architecture of the systems allow intruders to gain access to multiple devices once inside a network.
“There are some serious vulnerabilities,” the former official said, including remote access capabilities. “You have to watch those because in an ICS once you gain access, you have everything, there is no ‘root’ on the [programmable logic controller], you have it by default.”
“The biggest problem is that most of the software is made insecure by default. That's what we have to address.”
Securing industrial control networks will require producing more secure hardware and software and increasing the monitoring of current networks, many of which run Windows operating software.
“We need to patch the Windows infrastructure because it's defendable but we shouldn't waste resources patching systems internal to the ICS that aren't remotely accessible because it's very, very costly in an operational environment with very little return on investment,” the former official said.
Kaspersky Lab founder Eugene Kaspersky was asked earlier this month what involvement, if any, he and his company have with the Russian government and security services.
“We are working with governments in many nations – in Europe, in Asia, in the Middle East, in Russia,” he said in an interview with the Dubai-based GulfBusiness.com.
“We are very good friends with the cyber police and the agencies responsible for cyber security,” he said. “But we stay away from the intelligence services and the espionage agencies; we keep our distance from them and from the politicians. We are a security company so we must stay independent and neutral. It is not possible to be linked to any political party, for instance. It would be a conflict of interest.
National Public Radio reported in August that Kaspersky worked for a few years in a Soviet military research institute but left for the private sector in 1991.
Kaspersky has cooperated with Russian security services in seeking out cyber criminals, NPR said. Critics have pointed out that while Kaspersky Lab has exposed malware from Western governments, it has not pursued Russian government hacking efforts with the same vigor.