Cyber Security: Inside an Incident

Robynn Andracsek, P.E., Burns & McDonnell and contributing editor

The FBI considers the energy sector to be at risk for attacks. If a cyber-attack occurs at a utility, the incident is likely not an isolated event. When companies communicate these episodes to the FBI, trained agents can see patterns, predict reoccurrences, and back track the offenders.

In this, the third in a series of columns on cyber security, FBI Supervisory Special Agent (SSA) Bruce Barron, an expert on this matter at FBI headquarters, spoke with me about cyber security in the utility industry. SSA Barron began working cyber investigations in 1998 as an investigator before joining the ranks of management in 2008 as a Cyber SSA, serving in the role of Unit Chief. In 2016, SSA Barron transferred to a specialized outreach unit for energy private sector engagement.

FBI organization

The FBI is a field-based organization; cases are handled in the field with headquarters providing coordination. Field offices seek good working relationships with utilities to engage with all aspects of the energy sector, from pipelines to generation to transmission. Headquarters assigns specialized cyber security offices to make regular outreach to the targeted community, with an emphasis on pre-incident contact. Several different FBI subgroups work with the utility, and other industries, to investigate and prevent cyber-attacks.

“Reach out if you are unsure if a report is warrented. Talk to us and let us decide.”

– Bruce Barron, FBI
Supervisory Special Agent

Before an Attack

In advance of an attack, utilities should reach out through their local field office and establish a relationship. When developing response plans, focus on recovering from the attack but include when to reach out to law enforcement and the preestablished agency names and contact information.

Cyber-security agents want relationships with the energy sector. If a utility doesn’t know how to initiate contact, they can reach out to the cyber division watch center (cwatch@fbi.gov). This group will do the initial information intake, send the data to the proper local unit, and make sure that a connection happens.

Field officers will regularly conduct outreach directly to utilities using FLASH (FBI liaison alert system) notifications and PINs (Private Industry Notification). Some of these alerts are sent out to only select companies depending on the nature of the information.

During an Attack

According to SSA Barron, if a utility sees a cyber-attack occurring, they should do what is needed to protect their network and get services back up. As soon as practical, the utility should reach out to the FBI if the event was significant. For example, a few phishing emails might not warrant reporting; however, a loss of data, an attack that reaches the operating network, touches an industrial control system, or anything that impacts service should be reported. Keep system and security logs so that the intruders’ actions can be identified. The FBI’s goal is to investigate while minimizing any disruptions to the victim networks. Recovery comes first.

After an Attack

After an attack, the FBI has the legal and technology tools to find and dismantle the threat and collect intelligence, while minimizing the impact in of the investigation on the utility. Threat response includes investigating to find out the perpetrators use of tactics, techniques, and procedures (TTPs) which are sent to the specialized cyber-security offices. The Department of Homeland Security also provides specialized services for asset recovery and works with utilities on mitigation of the attacks effects.

I asked SSA Barron what he wants utilities to know. “Reach out if you are unsure if a report is warranted. Talk to us and let us decide. For example, a single but sophisticated phish sent to a system administrator or executive can be a significant threat. We’ll look for commonalities such as failure of network segmentation, stolen passwords, or unpatched software with known vulnerabilities.”

What can Average Joe (someone not a Chief Information Officer) do? SSA Barron says that everyone is part of awareness. Look for anomalies and loss of control. Participate in FBI grid exercises, practice incident response, and know how to reach out to FBI. “Most importantly, figure out who in the company can give consent to allow the FBI to collect digital evidence from the victim networks. Cyber investigations depend on electronic evidence that can quickly be lost if not collected soon after an incident.”

The FBI can only do their job if they can look at the evidence.