The energy sector is moving far too slowly, and often not at all.
Despite documented cyber-attacks on industrial control systems rising from 640 in 2013 to 2,788 last year (a 400%+ spike), the sector has done virtually nothing to re-design its core operational systems or even to implement modern perimeter defenses.
The nature of these attacks and the techniques employed point to a specific class of perpetrator whose motives are long-term disruption rather than short-term gain. These are not criminal attacks designed to exfiltrate sensitive and valuable information that could be sold on black markets for cash. They are instead exploratory probes designed to test for exploitable weaknesses and to conduct reconnaissance once inside the target networks.
Usually with attacks of this nature, the threat actors use more sophisticated zero-day style techniques, but these probes are using older, more conventional methods, phishing and watering holes (a legitimate site that has been compromised so that it delivers malware to its visitors), to gain entry, collect credentials and begin performing basic reconnaissance on the target systems. Zero-day attacks can usually be traced to an individual or organization relatively easily, so it is as if these guys are intent on operating quietly in the shadows for now.
Once inside, manipulating the systems themselves doesn't require any special software or techniques, because their original designs of twenty to forty years ago didn't contemplate this sort of threat. In fact, they are quite easy to manipulate, as evidenced by the results of the attacks, which show the use of default system administration tools to gain entry and the re-use of common off-the-shelf malware to propagate and communicate once inside.
The recent wave of cyberattacks has already exceeded the pace of 2016 with 2,522 attacks documented this year-to-date. Most of these have occurred in the U.S., Switzerland and Turkey and all are being driven by the group known as Dragonfly, a well-resourced, Eastern European (aka Russian) hacking group notorious since 2011 for mounting sabotage operations against petroleum pipeline operators, electricity generation firms and other Industrial Control Systems (ICS) equipment providers for the energy sector in Europe and North America.
Power grid cyber-attacks offer a remarkably potent way to destroy a country. Energy is the primal ingredient in modern life support systems. Light, heat, water, food, medicine, transportation, defense, communication are impossible without some organized form of energy. As we saw last October with a simple botnet attack on the Internet infrastructure, combined with a completely unsecured network of internet-of-things devices, it has never been easier to employ some sophisticated social engineering techniques and launch a large-scale power grid attack that can permanently disable huge swaths of the U.S. energy infrastructure.
An attack like that would not just turn out the lights and shut down the heat; it would also leave us defenseless, as most of our military hardware depends on ground infrastructure support. The resulting chaos would cripple any rescue and recovery efforts and prevent the repair of downed systems. Both North Korea and Iran know this, and while our attention is diverted to the nuclear threat at the moment, the threat of a cyber-attack by an advanced nation state, without the counter-balance of mutually assured destruction, is a far clearer and more present danger.
While warnings about Dragonfly and similar suspects have been repeatedly sent to more than a hundred companies, as well as to the Department of Homeland Security and the North American Electric Reliability Corporation (NERC), the only comment in response has been from the DHS spokesperson Scott McConnell, who wrote in a statement that “DHS is aware of the report and is reviewing it,” and “at this time there is no indication of a threat to public safety.”
One can only hope that any company that thinks it may be a target is not only detecting and removing any malware it finds on its networks but is also refreshing its staff's access credentials. Given these bad guys' concentration on stealing those creds, even finding and flushing malware won't do the trick if the crypto-goons still have employees' logins and passwords.
All electric utilities should be on high alert. This hacking group is very capable and has proven it can access, compromise and destroy. What it plans to do next is not clear, but waiting to find out is not a good strategy. Materially disrupting targeted energy grids is well within its wheelhouse. And, while they may want to avoid publicity, they might as well have taken out giant billboards warning of an impending attack.
Think about that the next time your power goes out.