Vulnerabilities Grow as Utilities Link Control Systems to the Internet

The Biden administration and utility companies are trying to reduce the risks, but at least 15 well-equipped groups are hunting for ways in.

The global electric utility sector is facing an increasingly dangerous cyberthreat landscape, even though there hasn’t been a publicly witnessed disruptive attack over the past five years. Utilities worldwide have been strengthening their security against threats to their IT networks but have not paid enough attention to their industrial control systems, or ICS, and operational technology, or OT, systems.

Those are two of the high-level conclusions of a new report, “Global Electric Cyber Threat Perspective,” released by Dragos Inc., a Maryland company that specializes in industrial cybersecurity. The company held a web briefing Oct. 26 to share its findings.

Historically, utilities’ ICS were “islanded,” said Jason Christopher, principal cyber risk adviser at Dragos, but over time the connections to the internet have been growing.

The trend “comes with business justifications,” Christopher said. “It’s all for business cases—to get real-time data, and to be able to send it back to the operators. [And] now it’s blending itself into more edge cases, the cloud, for instance, or how to get more data into our networks. Oftentimes, security is left in the lurch.”

He commended the Biden administration for releasing a 100-day plan in April aimed specifically at strengthening the security of utilities’ ICS and the energy sector supply chain. It is a positive development that the government recognizes that future threats will exploit the growing connectivity between ICS and the internet, he said.

“This is one of the things that caught me off guard: It’s the first time I’ve seen an administration call out OT systems” for improved security, he said. “Always [before] it was a disguised conversation … As of August 16, at least 150 electric utilities serving almost 90 million Americans have adopted or committed to adopting technologies” to improve security.

Dragos currently is tracking 15 “activity groups” of hostile or potentially hostile actors, said Pasquale Stirparo, principal adversary hunter at Dragos and author of the report. An activity group is identified “based on observable elements that include an adversary’s methods of operation, infrastructure used to execute actions and the targets they focus on. The goal…is to delineate an adversary by their observed actions, capabilities and demonstrated impact—not implied or assumed intentions. These attributes combine to create a construct around which defensive plans can be built,” the report states.

Of those 15 activity groups, 11 are targeting utilities, and two of those possess enough ICS-specific capabilities and tools to cause disruptive events, Stirparo said.

In terms of the threat environment, there are three operational segments within the utility industry: generation, transmission and distribution. “Each of these segments has its own characteristics,” Stirparo said. “Taking down generation would have a bigger impact than distribution, for instance, [but] it’s not something that can be done easily.”

The recent shift in power generation from a few very large facilities to many smaller ones does not, by itself, change the magnitude of the threat.

“It depends on what the final mission of the [activity group] is. Smaller entities are being targeted because they share a specific technology with a more interesting target, so they could be a test bed,” Stirparo said. “We’ve seen more activities in the U.S., [but] there’s bigger visibility in the U.S. so that’s why we see more. But we’re definitely seeing more in Europe and the Asia-Pacific. We’re seeing it across every region—no region is immune.”

In the transmission segment, there have been two attacks in Europe. For instance, an attack in December 2016 in Kiev, Ukraine, snarled the transmission system. “The adversaries tailored malware to de-energize a transmission-level substation by opening and closing numerous circuit breakers used in the delivery of power in the electric system and ensuring operator, power line and equipment safety,” the Dragos report stated.

“Why this attack is important is because it demonstrated a deep understanding of the transmission environment, which allowed the targeted customization of malware,” Stirparo said. “While the attack took place in Europe, similar attacks could happen in other parts of the world.”

The attack targeted breaker operations controlled by a specific manufacturer’s devices adhering to the IEC 61850 standard, communicating over the Manufacturing Message Specification (MMS) protocol. “Dragos assesses with moderate confidence the attack can be leveraged to other equipment that adheres to these standards,” the report noted.

The distribution segment is what delivers electricity into homes and businesses. Only one attack on distribution has been identified, also in Ukraine, in 2015. Rather than using customized malware, “here they just controlled operations remotely,” Stirparo said. The attackers used malware to gain remote access to three electric power distribution companies, then used the companies’ own distribution management systems to cut power to more than 200,000 customers.

The good news—“good” being a relative term—is that activity groups generally need to be present in the target environment for some time before they can act. What makes that good news, Stirparo said, is that system defenses in all three segments have time and multiple points of opportunity to detect and potentially eliminate the threat. “But it requires proper visibility” into those systems, he said.

Ransomware, of course, is another kind of threat, since a ransomware attack can cause industrial activity to pause. Information stolen in a ransomware attack, such as schematics and diagrams, could be sold or shared with other bad actors. “Between 2018 and 2020, 10% of ransomware attacks that occurred on industrial and related entities targeted electric utilities, according to data tracked by Dragos and IBM Security X-Force,” the report said.

“It’s financial, not ICS-threat-specific. But it shouldn’t let anyone lower their attention,” Stirparo warned.

One potentially vast threat is the supply chain. “It’s not just about your vendors, it’s your integrators, your contractors—there’s a lot of things to consider,” Stirparo said. “I understand your pain. [In the U.S.] there are companies that have been around for more than a hundred years, [with] tens of thousands of contracts. It’s an obvious pain point.” But cybersecurity professionals have seen threat actors make their way into major corporations through third parties that had access to their networks, he added.

The final class of threat the report identified specifically for ICS and OT systems is connectivity.

“We’re increasing our connectivity, but not in a responsible fashion,” Stirparo said. “What are the things that are able to connect directly to the internet? Utilities have actual assets facing the internet that are not as secure as they would like to think.”

Christopher called out “transient” cyber assets as part of this. “You’re walking in with different electronic devices to connect to the system—it’s one of those more difficult things for organizations to manage, particularly in the pandemic … You’re walking directly into some facility that may have no internet access” until that device arrives.

Stirparo reviewed the recommendations made in the report, among them:

  • Access restrictions and account management, including ensuring that no device or service uses default credentials. Implement “least privilege” access across all applications, services and devices, including properly segmenting application layer services, like file shares and cloud storage services.
  • Accessibility: identifying and categorizing ingress and egress routes into control system networks, limiting them as much as possible through firewall rules or other methods to ensure a minimized attack surface.
  • Response plans: develop, review, and practice them. Stirparo stressed that IT cybersecurity professionals need to be communicating with OT and ICS managers and engineers: “Don’t introduce yourself the first time you have an incident. If you have an IT response plan and try to roll into an OT facility, you’re going to have a difficult conversation.”
  • Segmentation: Have very strong perimeters in place to limit lateral movement.
    • “Make sure you’re not having a lot of [traffic] coming into the OT environment from the IT network. Understand why things are connected and talking back and forth.”
  • Third parties: Ensure that third-party connections and ICS interactions are monitored and logged, from a “trust, but verify” mindset, the report states.
  • Visibility: Protection is ideal, but detection is a must.
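The accessibility, segmentation and third-party recommendations above all reduce to one question a defender can actually check: which flows are crossing into or out of the OT network, and are they the ones policy says should exist? The script below is an added example (not code from the Dragos report or from Dragos) that audits firewall flow records against an explicit allowlist of IT-to-OT conduits. The zone ranges, the allowlisted ports, the log format and the log lines are all constructed for illustration; a real deployment would load them from the firewall export and the site’s conduit inventory.

```python
"""Flow-log audit for IT/OT conduits (added example; constructed data).

Checks permitted traffic against an explicit allowlist of conduits into OT,
records every third-party (vendor) session touching OT, flags OT-originated
egress, and keeps blocked ingress attempts as evidence of probing.
All zones, ports and log lines below are hypothetical.
"""
import ipaddress
from collections import Counter

# Hypothetical zones: corporate IT, the OT/ICS network, a vendor remote-access range.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("192.168.100.0/24"),
    "VENDOR": ipaddress.ip_network("203.0.113.0/24"),
}

# Hypothetical allowlisted conduits into OT: (source zone, destination port) -> purpose.
ALLOWED_CONDUITS = {
    ("IT", 5450): "historian replication from the OT DMZ",
    ("VENDOR", 3389): "vendor remote support via jump host (must be logged)",
}

# Constructed flow records: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <action>"
FLOWS = [
    "2021-10-26T08:00:01Z 10.10.5.20:50231 -> 192.168.100.10:5450 tcp ALLOW",
    "2021-10-26T08:00:07Z 10.10.5.21:50302 -> 192.168.100.10:445 tcp ALLOW",
    "2021-10-26T08:01:12Z 203.0.113.7:61000 -> 192.168.100.50:3389 tcp ALLOW",
    "2021-10-26T08:02:45Z 192.168.100.50:49152 -> 198.51.100.9:443 tcp ALLOW",
    "2021-10-26T08:03:00Z 10.10.7.3:40000 -> 192.168.100.11:502 tcp DENY",
    "2021-10-26T08:04:00Z 192.168.100.10:102 -> 192.168.100.11:102 tcp ALLOW",
]


def zone_of(addr):
    """Map an IP to a zone name; anything outside the known zones is OTHER (internet)."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "OTHER"


def parse_flow(line):
    """Split one constructed flow record into its fields."""
    ts, src, _arrow, dst, proto, action = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": src_ip, "sport": int(sport), "dst": dst_ip,
            "dport": int(dport), "proto": proto, "action": action}


def classify(flow):
    """Return a finding kind for one flow, or None if it needs no attention."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone == "OT" and dst_zone == "OT":
        return None                       # intra-OT traffic: out of scope for this check
    if src_zone == "OT":
        return "OT_EGRESS"                # OT assets should not initiate connections outward
    if dst_zone != "OT":
        return None                       # IT/vendor/internet traffic that never touches OT
    if flow["action"] != "ALLOW":
        return "BLOCKED_INGRESS_ATTEMPT"  # firewall did its job; keep as evidence of probing
    if (src_zone, flow["dport"]) not in ALLOWED_CONDUITS:
        return "UNEXPECTED_INGRESS"       # permitted by the firewall but not by policy
    if src_zone == "VENDOR":
        return "THIRD_PARTY_SESSION"      # allowed, but "trust, but verify": always record it
    return None


def audit(lines):
    """Run every record through classify() and collect the findings in order."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        kind = classify(flow)
        if kind:
            detail = f"{flow['src']} -> {flow['dst']}:{flow['dport']}/{flow['proto']} {flow['action']}"
            findings.append({"ts": flow["ts"], "kind": kind, "detail": detail})
    return findings


def summarize(lines):
    """Count findings by kind; useful as a daily segmentation health metric."""
    return dict(Counter(f["kind"] for f in audit(lines)))


if __name__ == "__main__":
    for f in audit(FLOWS):
        print(f["ts"], f["kind"], f["detail"])
    print(summarize(FLOWS))
```

On the constructed data the historian pull passes silently, the SMB connection from IT into OT is flagged as unexpected ingress even though the firewall allowed it, the vendor RDP session is recorded rather than suppressed, the OT device talking to an internet address is flagged as egress, and the blocked Modbus probe is retained as evidence. The point of the allowlist being explicit is that a firewall rule that is broader than policy shows up as a finding instead of disappearing into permitted traffic.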

The danger to ICS and OT systems is “almost like splash damage,” Christopher said. “What is your dependency on GIS? For example, would you still be able to run out your trucks? What about VoIP phones?”

In the end, no matter what governments do to combat cyber threats, it is up to individual companies to know their risks and where those risks lie in their systems. They then must take the preventive and defensive measures needed to protect their assets and operations, Christopher added, because ultimately the safety of their facilities and networks falls on them.