Lessons from the Frontlines of Power Utility Attacks

Image

Security experts have been warning companies and policymakers that systems protecting power utilities and other critical infrastructure are vulnerable to cyber attacks. Those intrusions could produce widespread damage, if they proved to be successful. In fact, as reported by Dark Reading, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released the results of an industry audit, which showed that “the energy industry faced more cyber attacks than any other industry sector from October 2012 through May 2013.” Despite the warnings, companies have not adequately prepared to defend themselves or respond to a cyber-attack. National Security Agency chief General Keith Alexander states:

"On a scale of one to 10, with 10 being strongly defended, our critical infrastructure's preparedness to withstand a destructive cyber attack is about a three based on my experience."

Statistics seem to support Mr. Alexander’s statement. According to the 2016 Industrial Cyber Security Threat Briefing by consulting firm Booz Allen Hamilton:

• 34% of survey respondents admitted that their ICS was breached more than twice in the last 12 months.
• 44% were unable to identify the source of the attack.
• The US power grid was struck by cyber or physical attacks every 4 days.
• No suspects were identified in 300+ attacks on electrical infrastructure since 2011.

Attack Vectors

The threat actors were the usual suspects: malicious insiders, nation state groups and hacktivists. The attack vectors provided additional context into the origin of the entry points for exploits, including:

• Physical (facility or plant) compromise
• Supply chain weaknesses
• Internet-connected critical infrastructure
• Malicious Insiders
• Regulatory blind spots

Campaigns

The attacks on power utilities are not random occurrences. The sophistication and knowledge of systems required to successfully disrupt operations illustrate that these are targeted attacks using a combination of tactics, including ransomware, malware and third-party supply chain entry points. Some of the campaigns reported were:

• Ransomware (Cryptolocker)
• Malware (BlackEnergy, Conficker, Ramnit)
• Physical, such as Pacific Gas & Electric's Metcalf substation
• Supply chain (Dragonfly/Energetic Bear)
  • ICS Firmware Updates
  • Device drivers
  • Infrastructure Management Services

Trends

While researching, I also observed some interesting trends, including increases in SCADA Access-as-a-Service (SAaaS) and HMI attacks, as well as active exploits against vulnerable codebases. There have also been instances of non-destructive intellectual property theft and the ever-growing ransomware threat targeting ICS operators. According to Booz Allen's briefing, ransomware samples increased from less than 100K in Q2 2014 to 6 million in Q4 2015. The infamous Cryptowall ransomware generated more than $300 million in revenue in 2015. Critical infrastructure is clearly a target. Below is a list of countermeasures, top lessons learned from past attacks, and best practices that can be used to improve the security of your industrial environment.

Lessons Learned from Ukrainian Hack

1. Sandbox tech to evaluate incoming documents and emails.
2. Use proxies to control outbound and inbound communication paths.
3. Limit workstations to communicate only through the proxy devices by implementing perimeter egress access controls.
4. Implement continuous monitoring of ICS/SCADA devices to quickly detect anomalous activity.
5. Apply network segmentation and multi-factor authentication on all systems containing sensitive data.
6. Disable remote access to UPS systems.

Lessons Learned from the Front Lines:

1. Go back to the basics with the SANS Top 20 Critical Security Controls. Audit Scripts has free resources to help measure progress against the controls.
2. Apply CIS Standards to harden systems.
3. Implement advanced monitoring on systems with trusted relationships.
4. Segment using established framework, such as ISA-99 (Purdue Model).
5. Don’t allow local drive redirection into Citrix infrastructure. VDI reflects local drives off machines, exposing interior infrastructure to a local machine, making it a conduit to infect environment.
6. Disallow direct internet connectivity to CI components when possible.
7. Disallow PLC updates directly from the internet.
8. Monitor critical files changes, including security application and operating system files. (Tripwire is an excellent tool for this!)
9. Use change detection to get alerts when security services are turned off. (Tripwire is an excellent tool for this, too!)
10. Understand hidden AD activity using 6 degrees of domain admin.
11. Provide ongoing awareness training to employees and contractors.

Although there is no silver bullet to solve all of our security issues, these solutions can help reduce risk of successful attacks against critical infrastructure. As regulations increase and industrial cyber security programs continue to mature, there are new job titles and opportunities for those interested in joining the field. Security researcher Robert M. Lee published an excellent list of resources to get started in ICS/SCADA cyber security careers.