- A growing number of hackers are developing capabilities to disrupt energy infrastructure in North America, according to a new report from Dragos. The industrial cybersecurity firm said it is now tracking 20 “activity groups” that target a wide range of industrial sectors around the world, but noted the cyber defenses of the electric sector are among the best.
- A group known as “Bentonite” emerged in 2022 with a focus on the oil and gas sector. Also new is “Chernovite,” which Dragos said has developed a modular industrial control system, or ICS, attack framework called “Pipedream” which could initially target the electric sector, among others.
- Grid officials do not expect the threat to abate. “Increasingly bold adversaries regularly employ new tactics, techniques, and procedures; they are also exploiting new and legacy vulnerabilities,” the North American Electric Reliability Corp. said Tuesday in its annual report.
When it comes to cybersecurity, last year extended a trend seen in 2021, NERC said.
“The threat landscape continued to demonstrate adversaries’ potential capability to disrupt critical infrastructure in North America,” the reliability organization said. “As a result of sector interdependencies, grid evolution, and an expanding supply chain, the threat surface as well as the potential magnitude of impacts has increased.”
In the electric sector, the increasingly-distributed nature of grid resources means more potential targets, say experts. But Dragos said utilities are largely well-defended and positioned to respond, among industries targeted by hackers.
“Electric utilities showed the best preparedness, followed by oil and gas,” the Dragos report said. “Manufacturing represented the worst results among verticals.”
Attackers continue to hone their capabilities, however. The Bentonite group Dragos began tracking last year “has been active and focuses on targeting oil and gas [companies],” said Ben Miller, vice president of services. Miller hosted a discussion Thursday of the Dragos report.
“They're doing initial access, reconnaissance, and they have demonstrated command and control capabilities within these custom properties and oil and gas facilities,” Miller said. So far, however, the group has “not necessarily demonstrated the ability to gain access into the OT or ICS environments.”
A group of threat actors dubbed “Erythrite” have been targeting U.S. and Canadian companies since 2020 and last year “compromised the IT environments of two large electrical utilities,” according to Dragos.
Dragos also began tracking a group known as Chernovite in 2022, with particular focus on its modular ICS attack framework called “Pipedream.” Initial targets could include the electric sector, oil and gas, and manufacturing, Dragos said.
Chernovite “possesses a greater breadth of ICS-specific knowledge than previously discovered threat groups,” according to the report, The Pipedream malware “includes capabilities to disrupt, degrade, and potentially destroy physical processes in industrial environments” and is the “first cross-industry and repeatable disruptive ICS attack framework known to date.”
Defending against an increasingly-sophisticated threat means developing a response plan that is specific to the OT environment, said Miller.
“That can be very broad and can be actually quite intimidating,” Miller said. “Our recommendation is to start off with a scenario — whether it is Chernovite and Pipedream or whether it is a ransomware case — and develop that scenario and a clear response plan, before moving on to the next one.”
Entities that have done this with more the than a single scenario are “ahead of the pack,” he said.
NERC’s annual report also highlighted the need for grid security to extend beyond cyber concerns.
“Throughout North America as the year drew to a close, the need for continued vigilance was thrown into sharp focus with attacks on substations in North Carolina and in the Pacific Northwest,” NERC said.
Multiple substations in Washington were damaged on Dec. 25, leading to more than 14,000 outages on the Tacoma Power and Puget Sound Energy systems. And a North Carolina firearms attack earlier in the month knocked power out to about 45,000 Duke Energy customers.
“The industry should expect further regulatory inquiries and potential actions from the federal government in response,” according to Jason Christopher, director of cyber risk at Dragos. But with 55,000 substations around the country, “there are obvious risk-based limitations on addressing physical threats that need to be managed.”