Opinion: Security firm’s Iran report mostly hype

A new report from the security firm Norse that claims growing Iranian cyberattacks on critical infrastructure relies on questionable data. It's the latest in a string of cybersecurity vendor reports that grab headlines but erode trust in the industry.  

Critical Infrastructure

There is a growing habit of cybersecurity companies using international relations to grab news media headlines for marketing purposes. This has lasting impacts on the trust imparted to the security community while posing a threat to sensitive foreign policy efforts. The latest example is the cybersecurity company Norse's upcoming report on increasing Iranian cyberthreats.  

The report, expected to be released at an event in Washington on Friday afternoon, claims that there was an increase in Iranian activity and sophistication toward targeting industrial control systems. These control systems ensure the operation of critical infrastructure such as the power grid and water utilities. Norse states it saw a 115 percent increase in attacks launched from Iranian Internet addresses totaling more than 900 attacks per day. But that's not what the data shows. 

I received an advanced copy of an earlier version of the report that was shared within unclassified government and private industry channels. It made claims of 500,000 attacks on industrial control systems by Iran in the past 24 months although only 47 of those were targeted against US Internet addresses. The report was confusing but the data clearly revealed that the "attacks" from Iranian Internet addresses were actually Internet scans from locations such as Iranian universities and hospitals.

 The scanning of systems sounds highly provocative and can be interesting but often go unnoticed because they are common and often meaningless. Overvaluing such scans and the originating Internet addresses can be embarrassing as the threat intelligence company ThreatStream found out when it claimed there were cyberattacks being uncovered against industrial control systems last September. It turns out though that the fake systems the threat intelligence company stood up were being scanned by researchers in Tennessee.

Norse’s claim of industrial control systems being attacked and implying it is definitively the Iranian government is disingenuous. The systems in question are fake systems such as those that ThreatStream used and the data obtained cannot be accurately used for attribution.

In essence, Norse identified scans from Iranian Internet locations against fake systems and announced them as attacks on industrial control systems by a foreign government. The New York Times gained an advanced copy of the Norse report and in turn reported the analysis with another Norse claim that the company Telvent, a vendor for industrial control systems, was also targeted by Iranian attacks. The news article states “Norse said it witnessed 62 attacks, in a span of 10 minutes, from an [Internet address] in Iran on a Telvent system that provides the foundation for all of the company’s [sic] Scada infrastructure.”

For clarification, what actually occurred is Norse connected a Telvent system to the Internet and saw scans against it over time.

The New York Times notes that while Norse may have a financial motive to “portraying a world of cyberthreats” there would be little incentive in attributing them to any particular country. While this sounds fair it fails to accommodate for the fact that the report was cowritten by Frederick W. Kagan who directs the conservative think tank American Enterprise Institute.

There is certainly incentive for the combined parties to highlight an increasing Iranian cyberthreat during sensitive nuclear negotiations. So much incentive actually that Norse’s announcement of the New York Times article states in the fourth sentence that “lifting of the economic sanctions put in place to stifle Iran’s nuclear weapons program could also allow the country to further invest in the development of even more advanced cybercapabilities.” The report’s announcement comes with a clearly pointed motive.

As added hypocrisy, there have been allegations in the news against Eugene Kaspersky, the chief executive officer of cybersecurity company Kaspersky Labs, that he has close connections to Russian spies for doing little more than being born in Russia – whereas the US company Norse gets heralded for uncovering Iranian cyberthreats while there is a clearly stated agenda.

Cybersecurity vendors are being rewarded for bold statements with national headlines that make for great marketing. Proving the claims to be incorrect can be difficult. Even when proving the analysis ambiguous is much easier, such as the Norse report, it garners less media attention and is cast aside for the more alluring headlines. As justified skepticism in the security field grows against these reports though, outsiders see a fragmented community. The result is executives and national leaders that are less likely to trust and empower other companies who have validated findings and warnings of real threats. 

Iran is very likely increasing their cybercapabilities as well as their ability to target critical infrastructure. They are likely doing this because nations around the world are doing the same thing as a normal progression of militaries expanding capabilities for conflict scenarios. It is an issue that needs addressed through technical and nontechnical solutions including foreign policy. The solution though is most certainly not inaccurate vendor reports. The Norse report’s claims of attacks on industrial control systems is wrong. The data is misleading. The attention it gained is damaging. And even though a real threat is identified it is done in a way that only damages national cybersecurity.

Robert M. Lee is a PhD candidate at Kings College London researching industrial control system cybersecurity. He is also a US Air Force Cyber Warfare Operations Officer and cofounder of Dragos Security LLC. He may be found on Twitter @RobertMLee. The views and opinions in this piece do not represent or constitute opinions by the US government, Department of Defense, Intelligence Community, United States Air Force, or anyone or any organization other than the author’s views. They are his alone.