By James Azar, AP4 Group
While cybersecurity has been inoculated into most everyone who works in critical infrastructure, like the power industry, some may not realize that the threat vectors are shifting from clever hackers to state-sponsored malicious actors.
In 2015 and 2016, Ukrainian power grids targeted by state-sponsored actors suffered widespread power outages. The attacks, attributed to a group linked to the Russian government, exposed broader vulnerabilities within the energy sector’s operational technology (OT) environments.
In 2020, a cyberattack on an Israeli water treatment facility was reportedly carried out by Iranian state-sponsored hackers. The attackers attempted to alter water chlorine levels, posing a significant risk to public health and highlighting the susceptibility of water infrastructure to cyber threats. A similar attack took place at the water plant in Oldsmar, Fla, during a Superbowl weekend in nearby Tampa. Once again, the events exposed vulnerabilities in OT control systems for infrastructure.
As geopolitical tensions continue to rise, so does the sophistication of cyberattacks aimed at critical infrastructure. Because the Russian cyber attack on Ukraine stands as one of the most significant and well-documented examples of a geopolitical cyber-event, much has been learned from it.
How it went down
The coordinated attack targeted three of Ukraine’s regional electricity distribution companies, ultimately affecting approximately 225,000 customers on Christmas Eve:
- Initial compromise. The attackers gained initial access through spear-phishing emails containing malicious Microsoft Office documents. Once the documents were opened, the software installed BlackEnergy malware, a sophisticated tool used for reconnaissance and credential theft.
- Network reconnaissance. After gaining access, the attackers spent several months performing detailed reconnaissance within the IT networks of the power companies. They mapped out the network, identified critical systems, and harvested credentials.
- Credential theft. The attackers stole VPN and remote-access credentials, allowing them to move laterally within the networks and access the OT environments.
- Attack execution. Scada systems were compromised on Dec 23, 2015. The attackers opened circuit breakers at multiple substations, effectively cutting power to the affected regions.
- Destruction of systems. To delay recovery efforts, the attackers deployed KillDisk malware, which wiped the hard drives of key systems, and disabled uninterruptible power supplies, wreaking havoc on the system.
- Denial-of-Service attack. Concurrently, the attackers launched a DoS attack on the call centers of the electricity companies, preventing customers from reporting outages, impairing management’s ability to respond.
General lessons
First, the attack underscored the importance of properly segmenting IT and OT networks to prevent lateral movement by attackers. Although the power industry has been focused on this for many years, there is still much to be done.
Second, the need became evident for robust incident response and disaster recovery plans that include cyber-attack scenarios—including regular drills and coordination with national cybersecurity agencies.
Third, the event drove home the need for continuous monitoring of network traffic to detect and respond to unusual activity and threats before significant damage occurs.
Finally, organizations must invest in regular training and awareness programs so that employees recognize phishing attempts, often the initial attack vector, as in the Ukraine event.
In the US, the mandate given by Congress to CISA (Cybersecurity Infrastructure Security Agency) and DOE, is serving as the playbook to help build resiliency in the energy sector. These and other agencies offer threat intelligence sharing forums to help keep powerplants informed and updated about actual threats and existing attack vectors.
What’s behind it all
The emergence of Cyber Crime as a Service (CaaS) has lowered the entry barrier for committing cyberattacks. CaaS platforms offer various illicit services, from distributed denial-of-service (DDoS) attacks to ransomware deployments. These services can be purchased or rented by individuals with minimal technical knowledge. In effect, cyber-attacks can now be carried out by almost anyone, not just highly skilled hackers.
Regulatory frameworks for cybercrime are outdated and do not address the latest risks and challenges. A new legal framework should specifically address nations that harbor cybercriminals and allow them to operate with impunity. Economic and diplomatic consequences should be built into the framework, hopefully as deterrence.
Collaboration among various sectors and sharing of threat intelligence is crucial. The Electricity Information Security and Analysis Center (E-ISAC), operated by NERC, and InfraGard, a partnership between the FBI and the private sector, both offer robust support for regional infrastructure businesses.
Bad actors know that traditional security measures are often inadequate against such a dynamic threat landscape. They simply are not nimble enough. Advanced threat intelligence and monitoring systems, falling under broad names like network monitoring, IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) offer continuous, real-time monitoring.
It is well-known that the proliferation of Internet of Things (IoT) devices in critical infrastructure has introduced significant risks. IoT devices often serve as entry points for cyber threats because of their frequent lack of robust security measures. Some IoT devices provide no way for the powerplant to make network changes or change default passwords. Others introduce backdoor risks from poor coding and patching mechanisms that require additional network access.
What you can do
When scoping and purchasing IoT devices, ensure that you have the ability to change the default password, patch the device with limited or no downtime, and network and manage the device without having to change network topology. Insist on a full software bill of materials.
Conducting regular audits and penetration testing, and following industry standards and regulations, will help you identify vulnerabilities. Make sure your intrusion detection, anomaly detection, and firewall systems are specifically designed for OT environments.
Cultivate a culture of security awareness among all employees. When the water treatment plant in Oldsmar became a target during Super Bowl weekend, it was one engineer’s awareness that prevented a disaster. Conduct training and drills regularly to ensure that staff are aware of the latest threat vectors and understand and adhere to best practices. Make sure you have a well-documented incident response plan in place and stress-test it regularly.
No one knows your powerplant or business quite like you. Assess your facility’s weaknesses and areas of concerns. Cultivate program champions, reward great behavior, acknowledge the good, and deal with the bad as a team. Everything should be documented and organized in a binder available at multiple locations. Finally, join E-ISAC and InfraGard to gain more insights on how to defend and recognize threats to your business.
James Azar, chief information security officer (CISO) at AP4 Group, has two decades of experience leading information security and engineering teams to solve complex challenges head-on and align technology, security, and privacy to business goals. He is the host of CyberHub podcast, CISO Talk, as well as Goodbye Privacy, a new podcast focusing on privacy concerns. The widely published Azar is a frequent speaker at industry events.