Axios Codebook

A master lock with ones and zeroes instead of the regular numbers.

April 18, 2019

Welcome to Codebook, a brief Mueller-free respite for what's going to be a long weekend.

1 big thing: Industry puts cybersecurity pros in charge

Factory Workers Assembling Car on Line

Factory workers assembling a car. Photo: Jerry Cooke/Corbis via Getty Images

After years of dire warnings about hackers wreaking havoc in computers that run physical processes in factories and infrastructure, you’d think industrial firms would already have their top cybersecurity officers running cybersecurity at their plants. Today, that’s the case for only 35% of big facilities — but the situation is finally changing.

Why it matters: The two most important things to an industrial business are uptime and efficiency. Where plant owners once worried that cybersecurity pros would meddle with industrial processes they didn't understand, the very real impacts of two global cyberattacks in 2016 proved their skills were sorely needed.

The big picture: According to a 2018 Gartner report, only 35% of firms had the chief information security officer's (CISO) department or an equivalent in charge of its industrial networks — often referred to as operational technology (OT) as opposed to business systems, the traditional IT. But it projected that number to double by 2021.

  • “It's a huge trend in just the last 18 months,” said Amit Yoran, CEO of Tenable and the former director of Homeland Security’s United States Computer Emergency Readiness Team.
  • “If you go back a couple of years, the OT people were saying, ‘Those guys don't know anything about OT. We're separate, we're standalone, get out of our space. Now they recognize their networks are completely raided by IT systems.”

The key term to know is “IT/OT convergence.” OT and IT used to be church and state, separated by custom and bureaucratic boundaries. But companies are realizing the dangers of ignoring how quickly OT networks are beginning to look like IT networks.

  • "At first, it made sense to trust those systems to plant managers who may have been there 30-plus years with unblemished records and understood the language," said Ryan Brichant, chief technology officer for OT at the security firm Forescout.

Yes, but: Cybersecurity is increasingly seen as a boon to uptime, rather than an obstacle.

  • As plants invest in connected devices to boost efficiency, they also increase the number of systems vulnerable to attack.
  • Industrial systems are increasingly victims of targeted ransomware, where hackers identify big ticket companies to take hostage.

Why now? The trend of CISOs getting full control of plant cybersecurity predates the growth of targeted ransomware attacks and came years after the first industry warnings that increased connectivity could cause industrial disasters.

  • What really spurred the change appears to be two massive cyberattacks in 2016.
  • "When I talk to CISOs, they say the change in thinking took place around two years ago, after WannaCry and NotPetya," said Brichant.
  • While there's some debate if WannyCry and NotPetya were ransomware or destructive malware meant to look like ransomware, major closures in everything from chip manufacturers to U.S. ports to automotive plants demonstrated the danger.

The expansion of CISO duties has led to a change in how many security firms do business.

  • Several companies have recently consolidated IT and OT products into single platforms to offer a consistent experience on any network. Tenable and Forescout are among them.
  • "CISOs have a pretty large plate and want to be looking at as few screens as possible," said Brichant.

2. Hackers use web routing system in an espionage campaign

Cisco Talos reports a new attack group used the domain name system to spy on 40 organizations in 13 primarily Middle Eastern and North African nations.

DNS hijacking? Though you probably think of websites in terms of domain names like, the web works on numeric internet addresses. The domain name system converts the domain names to internet addresses.

  • Hackers who change domain records, as they did in this case, can rout a person trying to get to one website to an intermediary site that connects to the real site and monitors all communications in between. That gives hackers access to account credentials.

Details: Talos is calling the group Sea Turtle.

  • Sea Turtle's targets included ministries of foreign affairs, military targets, intelligence agencies and "prominent energy organizations" as well as companies they could leverage to gain more access to targets, like telecommunications firms and internet service providers.
  • The operation, still ongoing, may date back as far as January 2017.

Sea Turtle is separate from a DNS hijacking campaign Talos identified in January and gave the catchy name DNSpionage.

Why it matters: All espionage matters, but successful campaigns often inspire imitators. It's a good time to check your DNS security.

3. Iranian hacking tools dumped online

An oil rig

Photo: Oleg Pereverzev/Pacific Press/LightRocket via Getty Images

Researchers at Chronicle discovered that the source code for hacking tools used by the Iran-linked group APT34, also called Oil Rig, had been leaked on Telegram's group messaging platform.

Why it matters: While this isn't as grim as the ShadowBrokers leaks, where far more potent NSA tools were leaked and eventually used by North Korea and Russia in destructive attacks, the Oil Rig leaks nonetheless offer new attackers a successful toolkit to use in their own attacks.

Codebook is going to call it Oil Spill. Fight me.

4. The FBI wants to train you for a Mastercard career

A new program will use two-year shifts at government agencies to train potential employees for corporate cybersecurity jobs at Mastercard, Microsoft and Workday.

Our thought bubble: We cover a lot of different programs aimed to address workforce shortages in the public or private sector. This plan, the Cybersecurity Talent Initiative, is far and away the most sustainable.

Details: The Initiative will place recent college grads with a host of participating government agencies, ranging from the CIA, FBI and Department of Defense to the Department of Veterans Affairs, EPA and Federal Election Commission.

  • The recent grads will work for the agencies for two years as full time employees on a government salary, after which time one of the three private sector firms will pay off up to $75,000 in student debt.
  • At the end of the two years, students will take their trial-by-fire training with the feds to a job at the company that paid off their debt.

Between the lines: There's a well-discussed cybersecurity staffing shortage coming that will impact both the private sector and public sector.

  • While there are a number of great programs designed to either fund training or motivation for students looking to enter cybersecurity, most of them are done out of the goodness of a company's heart.
  • But altruism isn't traditionally the best motivator for businesses to keep such programs in place.
  • This program provides clear benefits to the students, to the government — who must face staffing shortages without benefit of offering high salaries — and to the companies.
  • "Right now, we can spend as much as two years trying to fill a job, and another six months to a year training someone for it," said Mastercard Chief Security Officer Ron Green, who said the $75,000 isn't that much different than the cost to train internally.

What they're saying: Green, formally of the Secret Service, said he hopes that the experience working for the government will encourage students to forgo the private sector job at the other end.

  • The thing that traditionally is supposed to compensate for lower salary in federal jobs is a sense of mission. But many people don't understand that sense of mission until experiencing government work, Green said. "There are people who come from different walks of life and learn there is something more than me."

Editor's note: The timeline of reimbursement has been corrected; student loans will be repaid after (not during) government service.

5. In case you missed last week

1. Microsoft email breach: Hackers that compromised a Microsoft customer service representative's credentials had access to data from non-corporate users' Hotmail, MSN and Outlook accounts between January and the end of March.

2. Hacker guides are cheap, plentiful and often out of date: Hacking guides for sale on criminal markets are cheap, plentiful and often only a decade out of date, according to a new report from intelligence firm Terbium Labs.

  • The big picture: The guides, often sold as giant caches of manuals, are often padded with irrelevant material (one included ''Cabinetry for Dummies," said Terbium VP of Research Emily Wilson), and plagiarism runs rampant. But if you power through the scams and thievery by the vendors, there's plenty of good information on scams and thievery for would-be hackers.
  • By the numbers: Only 5% of the 44,000 individual documents Terbium purchased came from 2018 or later. More than 25% were a decade old, and less than a quarter of the files for sale were unique.
  • But at an average cost of $0.01 cent per file, nascent fraudsters could afford to be taken for a few rides as long as they find an occasional gem.
  • "When the guides were current, the techniques would be effective," said Wilson.

3. Assange fallout begins to set in: We mentioned last week that Julian Assange's arrest for helping hack the U.S. government appeared to be specifically engineered to sidestep concerns about the issue of press freedom.

  • A charge striking to the heart of press freedom would have been something more akin to distributing classified information or espionage.
  • That doesn't mean there aren't valid reasons press groups are concerned. The indictment mentions some fairly standard journalistic practices, like helping conceal the identity of a source, as part of the conspiracy, even if cracking the password is the backbone of the hearing.

6. Odds and ends

Codebook will return Thursday of next week.