The following is a contributed article by Richard E. Harrison, COO at Dispersive Networks.
Last July, the U.S. Department of Homeland Security announced the nation's electric industry had been the focus of recent cyberattacks. Hackers breached air-gapped, theoretically secure electric utility networks. The DHS indicated the intruders achieved the ability to "throw switches" and disrupt flows of power on the grid. The initial points of access were vendor networks, and "hundreds of victims" were compromised.
However, there has been some indication DHS may have overstated the severity of this attack.
Dragos — a firm active in the utility cyberspace and lead investigator in the 2015 and 2016 Ukrainian grid cyberattacks — indicated the breach had not created the capability to throw switches. Instead, it was a preparatory reconnaissance mission likely setting the stage for an attack that might be a response to some geopolitical event. Dragos representatives also indicated any such attack would likely be a geographically limited — not a widespread regional — assault that would last for a relatively short duration.
An official from Edison Electric Institute — the association representing U.S. investor-owned utilities — commented that grid operators have been aware of and responding to this particular threat for nearly a year. According to EEI, there was "no emergency today."
These statements left many observers confused as to the U.S. electric grid's current state of security. To provide clarity, it may be useful to ascertain the facts as we know them and what needs to be done to ensure a safe power grid.
It all began over three years ago
In December 2015, adversaries used malware to access the corporate utility networks of three Ukrainian electric distribution companies. They then advanced into the supervisory control and data acquisition (SCADA) systems. This gave them the capability to disconnect substations.
It was the first time a cyberattack was able to take down part of a utility system, and the results were sobering.
More than 225,000 customers lost power for up to six hours. Workers were forced to use manual overrides to restore electricity. The malware also erased Windows systems and destroyed serial-to-Ethernet devices. As a result, local grid operators not only lost access to their SCADA, but also were left without automated control of some grid assets for more than a year.
The distinguishing feature of this event was the attacker's ability to have the grid direct its own systems against itself, taking critical substations out of action. Malware was involved to create the capabilities, but it was the direct action of the adversary that created the disruption.
A second attack in December 2016 was more limited. It focused on a single substation and lasted only an hour. Attackers opened circuit breakers on the transmission system and kept them open despite repeated attempts by grid operators to close them. This caused the substation to de-energize.
The hackers used the malware employed in the 2015 breach and once again deployed the grid systems against themselves. However, in its evaluation of the second assault, Dragos noted some troubling differences.
The 2016 attack demonstrated the invaders' capability to take on grid operators in multiple environments rather than operating from a single vendor platform. This breach revealed an emerging capability to access the network, map out the control system, and determine specific assets to target. It used the grid's own language to address equipment. The assault also featured a new level of automation that created scalability and the power to attack additional sites with the same level of resources. And finally, the second attack revealed the ability to program malware to run automatically without human direction, set to perform specific activities at a predetermined time.
Of course, the Ukrainian attacks were simply a sign of things to come. According to a Dragos report, adversaries in July 2017 deployed spear-phishing emails to compromise several utilities. The email contained a contaminated Word document that, once it had identified unpatched workstations, began "wormlike activity" looking for networks related to transmission. When any such network was detected, the worm reached out to the command-and-control servers and began evaluating and targeting.
Security firm Symantec has warned that attackers have successfully accessed over 20 target networks, including a number of U.S. utilities. The assailants gained access to control systems that communicate with grid equipment. They were even able to obtain screenshots of operator control panels. This would help them know which switches to manipulate for an attack.
As the aforementioned DHS/Dragos/EEI episode illustrates, different parties for different reasons may well differ on many aspects of an attack, from the damage done to who knew what when. However, three facts are indisputable.
- At least one determined and patient adversary has systematically tried to access and perform reconnaissance on the systems of North American power companies.
- Adversaries have demonstrated the ability to attack utility operations in a coordinated and systemic fashion using the target's own SCADA systems to take down critical assets and cause outages.
- These efforts have evolved over time and will continue to be more sophisticated, insidious and destructive.
What we need to do
This threat will not go away. Relying on physical defensive techniques — software patching, anti-malware tools, creating strong perimeters and air-gapped networks — will not be enough to ward off future attacks.
Our utilities and grid operators need to deploy a combination of tools, evolving countermeasures and human initiative. Interaction with vendors and ecosystem partners must be more rigorously screened. Better practices must be developed to defend against the traps hackers set to access systems. Communications across the entire energy ecosystem must be made significantly more secure. To that end, utilities need to:
- Proactively map their existing IT and OT systems to understand what's connected to what and then limit multicast and auto-discovery to prevent adversaries from doing the same thing
- Hide application fingerprints, user fingerprints, and source / destination relationships to prevent adversaries from mapping the network
- Lock down their Domain Name System (DNS)
- Secure the current network and plan to safely connect new distributed assets to their systems using state-of-the-art tools and techniques that incorporate port scan protection
- Authenticate all connections before a device or user is allowed to access the network or network services
- Microsegment the network so devices and users only gain access to the services they need
- Realize that they are engaged in a persistent, low-level cyber conflict and that this environment requires a shift to a culture of constant cyber vigilance.
- Use a virtual network layer that provides up-to-date, NIST-recommended cryptographic algorithms, and choose a virtual network technology that can be quickly updated to respond to zero day attacks, emerging vulnerabilities or changes in crypto requirements
- Understand that adversaries will capture encrypted data-in-motion and store it for future processing when the adversary can melt the encryption. Do not rely on key exchange mechanisms that negotiate the key over the same path as the data without some mechanism for protecting that from eavesdropping.
- Constantly test and train employees to recognize and ward off attempts to penetrate the network using social engineering techniques and spear-phishing.
- Assume that their systems have already been compromised and that the hackers inside their networks are in Advanced Persistent Threat mode, reconnoitering their systems and take appropriate steps to detect intrusions and increase capabilities for resilience
- Share information with each other and appropriate authorities, vendors and ecosystem partners about existing and emerging threats (a federal program — the Cybersecurity Risk Information Sharing Program — exists, but many utilities do not participate)
- Work with standards bodies such as NIST and SunSPEC to ensure cybersecurity is a recognized and essential component of relevant standards
- Engage with regulators to ensure they have the resources to acquire the requisite tools, accomplish these additional tasks, and staff and train accordingly
Utilities are fending off millions of attacks on a daily basis. But nimble adversaries quickly adapt their techniques to make the tools that protect against yesterday's hack obsolete. As a result, it's time to rethink the ways we protect the grid.
Otherwise, we can expect more — and more chilling — DHS reports.