Lots of buzz about Symantec's Dragonfly 2.0 so I'd like to add some first impression thoughts in this thread. (1/X)

The public links in the Symantec report of this activity to Dragonfly are a bit weak but Symantec has historically done awesome work

So there are likely non-public details helping the link. Malware or malware uniqueness though isn't enough.

However, Symantec has said over 100 sites have been compromised including many in the operational (ICS) networks which is concerning

Some of the reporting I saw though was about the ability to cause blackouts or take down portions of the grid - nothing here indicates that

The adversary is in operational networks, taking HMI screenshots, gathering data, etc. just like Dragonfly did in 2014. That part isn't new

All that information is exactly what you'd want to collect (and engineering documents which Symantec has said were stolen) to design attacks

But simply having access & being able to click on an HMI isnt enough. Youd have to design a new capability (e.g. CRASHOVERRIDE) or go manual

Manual meaning target lots of locations at once and the adversaries put people on keyboards clicking on HMIs (e.g. Ukraine 2015)

The problem is that's highly ineffective. And while Ukraine 2015 style attack could work in the US in distribution it'd be more difficult

The impact would also likely not be as big - even in Ukraine it was only 6 hours. It would likely elicit a very strong govt response tho

In short it really doesnt make a lot of sense (though we can't discount it because we don't know for sure what makes sense to the adversary)

But regardless it wouldn't cause blackouts. Also it's FAR more difficult to do in U.S. Transmission which is where you'd impact more places

I mean look at the linemen and others keeping lights on and restoring power after Harvey. With HMI access alone you'd be far less impactful

In short: Symantec has made a very important find. And an increased targeting of energy infrastructure in US & other countries is concerning

And we need to do more about it especially politically. The fact that Ukraine 2015 & CRASHOVERRIDE went unanswered even in condemnation

and now increased targeting that reaches the ICS networks exists in the US. Simply put people shouldn't be scared but the govt needs to act

Energy companies are doing a lot of hard work. Our infrastructure is pretty awesome. But it is a targeted threat that needs countered

And it's not about downplaying its about being nuanced. We should be concerned. But the public shouldn't be afraid.

Any team inside ICS networks they weren't invited to is wrong. NSA, SVB, 8200, PLA, it doesn't matter.

Civilian infrastructure should be off limits to everyone. Even being inside them introduces risk unintentionally.

And nations around the world really need to take that stance. No it wont prevent assholes from existing but an official stance gives options

And we don't want to try setting precedence and figuring out what to do WHEN a major attack has just occurred

But in the meantime let's not pretend threats with access equates intention or capability to cause blackouts. But thx to Symantec. Good work

SVR*