- Hacking groups are increasingly targeting the North American electric sector through supply chain vulnerabilities and connected industrial control systems (ICS) capable of creating disruptions across multiple industries, according to a new report from cybersecurity firm Dragos.
- The "most dangerous and capable" group Xenotime has expanded its attacks from the oil and gas sector to include electric companies, the firm said. Almost two-thirds of groups performing ICS-specific targeting are now focused on the North American electric sector.
- Dragos is tracking seven activity groups targeting electric utilities in North America, out of 11 total groups it follows. At least three demonstrate the "intent or capability" to infiltrate or disrupt electric power generation.
Dragos' report doesn't attempt to link any of the hacking groups to nation states or specific actors, but does conclude electric sector attacks "can further an adversary's criminal, political, economic, or political goals." And as the groups invest more resources into developing hacking capabilities, "the risk of a disruptive or destructive attack ... significantly increases."
The electric sector has been on high alert this week, over concerns that escalating tensions between the United States and Iran could lead to a cyberattack.
Attacks on electric utilities can have "significant geopolitical, humanitarian, and economic impact. Thus, state-associated actors will increasingly target power and related industries like natural gas to further their goals," Dragos' report warns.
The report notes hackers are now targeting original equipment manufacturers, third-party vendors and telecommunications providers to create supply-chain compromises. Other security experts say this is a particular weakness for the industry.
"It can be difficult, if not impossible, to get more than a contractual assurance from a major partner or supplier that they aren't providing you with technology that is replete with bugs or glitches that will cause significant or catastrophic impact if exploited by an attacker," Richard Henderson, head of global threat intelligence at Lastline, told Utility Dive in an email.
"This is a problem that we have not been very good at providing an answer for as of yet — and it's not likely one we'll be able to fix anytime soon," Henderson said.
The North American Electric Reliability Corporation (NERC) hosts a biennial simulated attack, GridEx, which allows utilities to run through their response plans. In a report following the 2017 event, NERC noted none of the utilities participating in the exercise turned to vendors for help or information.
So far, hackers have not disrupted electric generation in North America — though the Dragos report does point out that a disruption to communications was reported to NERC earlier this year when hackers exploited a known firewall vulnerability at a utility's vendors.
In the electric transmission sector, Dragos named Electrum as a "well-resourced activity group" that has shown it can disrupt power flows and wants to cause a destructive event. North American electric utilities should consider the group "to be a serious threat."
And while hackers have yet to disrupt North American distribution operations, tools developed in other regions could be modified to apply here.
In 2015, Ukraine's electric grid was the target of a cyberattack which led to a lengthy blackout for almost 250,000 people. Dragos pointed out that the hackers behind that attack did not use ICS-specific malware, but controlled operations remotely via existing tools in the operations environment.
The complexity of the electric power system does provide an advantage for utilities because an adversary "must spend a long time within the target environment learning the required skills to successfully disrupt electric power," according to Dragos. That gives utilities multiple opportunities "along the potential attack chain to detect and eliminate adversary access."