On October 29, 2014, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (“ICS-CERT”) published an important alert regarding a particularly destructive advanced persistent threat (“APT”) malware called BlackEnergy that can be used to damage, modify, or disrupt industrial control systems (https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01A). BlackEnergy is malware that has been exploiting vulnerabilities in Linux- and Windows-based software since as early as January 2012. BlackEnergy specifically targets human-machine interface (“HMI”) software, which enables users to monitor and interact with industrial control systems such as heating, ventilation, and air conditioning systems through a dashboard or other type of graphical interface. HMI software typically runs 24/7, can be remotely accessed, and is rarely updated, making it a favorite target for opportunistic hackers. ICS-CERT has identified a number of specific products that are vulnerable, only some of which have patches available that eliminate the vulnerability, and is actively seeking cooperation and assistance from affected organizations.
BlackEnergy is a sophisticated APT because it is modular malware capable of retrieving plugins to expand its functionality, and it can move laterally through network file shares and onto removable storage media. Making matters more complicated for BlackEnergy investigations, researchers have identified a plugin module that can irretrievably wipe hard disks, and believe that the attackers push the module once they are discovered in order to hide their presence. Researchers have further indicated that the group believed to be responsible for BlackEnergy has political affiliations and is targeting industrial control systems in the energy sector in at least 20 different countries. ICS-CERT has provided a signature that organizations can use to scan their systems for BlackEnergy and, if it is detected, ICS-CERT asks that organizations contact them immediately.
Because BlackEnergy targets critical infrastructure, the resulting security breaches present different and more sensitive cooperation and communications issues than a breach of PII or financial information. The decision-making matrix is fundamentally different because there may not be any mandatory reporting obligation in these situations, giving the affected organization more control over the decision to disclose or not. As a result, organizations must weigh the potentially significant benefits of sharing threat and other cyber intelligence with federal agencies against their desire to maintain confidentiality, avoid disclosing the breach, and avoid tipping off the attackers.
Organizations that do not want to disclose the breach, but still want to cooperate with ICS-CERT, can invoke the confidentiality protections of the Protected Critical Infrastructure Information (“PCII”) Program to share information with the government. Incorporated into the Critical Infrastructure Act of 2002 (“CIA 2002”), the PCII Program is an information-protection program that enhances voluntary information sharing between private industry and government agencies such as ICS-CERT. Information deemed to satisfy CIA 2002 requirements can be shared with government agencies without the risk of disclosure under the Freedom of Information Act and state and local disclosure laws. Qualification under CIA 2002 can also prevent use of the information in regulatory actions and civil litigation. Accordingly, these protections should be considered as organizations determine whether to disclose the breach, cooperate with law enforcement, and develop a well-rounded communications strategy.