The power sector's terror of a debilitating cybersecurity attack is magnified seemingly every day as new vulnerabilities or destructive threat actors are identified. But according to several industrial security experts, that fear may be overblown because it often doesn't take into account the growing breadth of industry insight and knowledge learned from past attacks or attempted breaches.
It's "when" not "if." That's an axiom that has prevailed in many wide-ranging discussions about cybersecurity. It sounds the alarm that security complications and digital assaults are on the rise in an ever-more connected environment. And it's a clear warning that a defensive posture is imperative on every level.
In the power sector, the prospect of imminent intrusions or network compromise of facilities, systems, and equipment on the bulk power system is often accompanied by the specter of critical asset failure. Disruptions could prove cumbersome and costly–or worse, affect the reliability or operability of the bulk power system, prompt an accident, or cascade across organizational and geographic boundaries. These justifiably grave concerns have prompted alarm from governments and industry and sent them scrambling to design comprehensive and collaborative defense strategies. The U.S. Department of Energy (DOE), for example, said in a May 2018–released multiyear energy sector cybersecurity strategy that threats are outpacing the sector's "best defenses," and it warned that costs of preventing and responding to cyber incidents are straining company efforts to protect critical infrastructure (Figure 1). It also outlined a long list of continuing industry needs, including addressing a severe shortage of qualified cybersecurity professionals, easier information sharing, and challenges concerning real-time security state monitoring and risk assessment.
1. Keep out. Human beings are behind many cybersecurity risks that affect power facilities. Source: Creative Commons
However, the DOE's roadmap also offered ample optimism. Along with identifying a long list of targeted activities, research development, and demonstration projects that are underway to achieve stronger cybersecurity, it also surveyed several technology pathways to help prevent, detect, and mitigate cyber incidents. Collaboration is also fairly widespread. The industry actively engages in cybersecurity risk information sharing programs, and several companies are part of public-private partnerships that conduct tabletop exercises and cyberthreat simulations. Owners and operators of the bulk power system, for example, participate in North American Electric Reliability Corp. (NERC) cybersecurity drills dubbed GridEx. At the same time, for their own protection, many companies have ramped up strategies and policies to thwart potential breaches in compliance with regularly changing Critical Infrastructure Protection (CIP) standards set out by NERC (and approved by the Federal Energy Regulatory Commission).
And, as experts from firms specializing in industrial cybersecurity told POWER in November, any breach–successful or not–has presented the industry with an opportunity to learn, and ramp up response and resilience. The power sector faces a massive inventory of attack activity (see sidebar, "Notable Cyber Breaches in the Power Sector"), which are perpetrated by diverse threat actors and affect assorted components in varied plant systems, the experts said.
Notable Cyber Breaches in the Power Sector
The power sector faces a barrage of cyber attacks on industrial control systems (ICSs) of varying levels of cyber and engineering sophistication. This basic list, adapted for the power sector, does not rank actual breaches by frequency, though it may be useful to understand the broad nature of attacks and attackers. (For more, see a whitepaper compiled by Waterfall Security Solutions at: www.bit.ly/Waterfall-Security.)
#1 ICS Insider. A disgruntled insider with access to plant equipment uses social engineering to steal passwords able to trigger shutdowns of one or more generating units.
#2 IT Insider. A disgruntled insider with access to an IT network uses social engineering to steal passwords able to give the individual remote control of a copy of the human-machine interface system on an engineering workstation.
#3 Common Ransomware. Accidentally downloaded to an engineering workstation and spreads to rest of plant control system.
#4 Targeted Ransomware. Spear-phishing seeds a Remote Access Trojan (RAT) on an IT network, which is used to deliberately spread ransomware through plant control systems.
#5 Zero-Day Ransomware. Ransomware incorporating a zero-day Windows exploit spreads through IT/OT firewalls.
#6 Ukraine Attack. The now well-known first-generation Ukraine attack using spear-phishing and remote access, triggering generating unit shutdowns.
#7 Sophisticated Ukraine Attack. A variation of the well-known Ukraine attack–the variation targets protective relays and causes physical damage to turbines.
#8 Market Manipulation. An organized-crime syndicate uses known vulnerabilities in internet-facing systems to seed RATs that are ultimately used to simulate random equipment failures, triggering plant shutdowns and real-time power market fluctuations.
#9 Sophisticated Market Manipulation. A similar attack targeting a generating site's services suppliers as a means of seeding peer-to-peer RAT malware into control systems and simulating random failures.
#10 Cellphone Wi-Fi. A combination of spear-phishing and a trojan cellphone app provides attackers with access to control system Wi-Fi networks.
#11 Hijacked Two-Factor. Sophisticated malware allows attackers to hijack remote desktop/virtual private network sessions after a remote user logs in with two-factor authentication.
#12 Industrial Internet of Things (IIoT) Pivot. Hacktivists pivot into an ICS via a poorly-defended cloud vendor.
#13 Malicious Outsourcing. A disgruntled employee of a remote services vendor configures a simple time bomb on important control servers on the employee's last day on the job.
#14 Compromised Vendor Website. Hacktivists use a compromised vendor's website to insert malware into a software update, which targets specific generating sites.
#15 Compromised Remote Site. A physical breach of a remote substation allows hiding a laptop at the remote site with a Wi-Fi connection that is later used to attack the central plant.
#16 Vendor Back Door. Hacktivist-class attackers discover a vendor's back door that provides the poorly defended vendor's website with remote control of generation control components in the name of "remote support."
#17 Stuxnet. A Stuxnet-class attack targets a heavily defended site by compromising a services vendor for the site and crafting autonomous, zero-day-exploiting malware.
#18 Hardware Supply Chain. An intelligence-agency-grade attack intercepts new computers destined to upgrade a plant distributed control system (DCS) and inserts wireless, remote-control equipment into the computers.
#19 Nation-State Crypto Compromise. A nation-state-grade attack compromises the public key infrastructure by stealing a certificate authority's private key, or by breaking a cryptographic algorithm, such as SHA-256, allowing them to falsify security updates.
#20 Sophisticated, Credentialed ICS Insider. An ICS insider is aligned with the interests of a sophisticated cyberattack organization, deliberately cooperating with the organization to create sophisticated malware and seed it in the plant control system.
–Andrew Ginter, vice president, Industrial Security, Waterfall Security Solutions.
Although most firms agree that it is important to understand the nature of breaches, some cautioned against categorizing or ranking attack types by frequency or severity, saying it was difficult (or pointless). Others, like Waterfall Security Solutions, recommended that a standard set of "Top 20" industrial control system (ICS) attacks could be useful as a methodology to communicate cyber-sabotage risks to verdict-delivering business decision-makers "who are not familiar with cyber-security minutia," especially as it applies to "low-frequency, high-impact (LFHI) types of attacks for which there is little statistical data."
Proactivity Is Key and Traditional Approaches Work
All firms interviewed by POWER, however, agreed that to thwart breaches, power companies should adopt a proactive approach requiring "detection-in-depth," which refers to employing multiple layers of security, such as enhanced monitoring of permeable barriers like the information technology (IT)-operational technology (OT) network gap. And as many advised, in the event of a breach, companies must be prepared with specific investigation capabilities and incident response plans.
Maryland-based firm Dragos–an ICS cybersecurity company that tracks seven named activity groups that explicitly target and operate inside ICS networks (and suggests "there is much more activity not yet categorized, and we suspect many more operating globally")–specifically emphasized the value of proactivity to discover or remediate threats earlier. "The fascinating feature of current ICS threats facing defenders is the shared tradecraft amongst them. While the final element of each threat causing impact is ‘novel'–the months and years of operations leading to that point are surprisingly common," it said. Instead of focusing on the "novel" components of an ICS attack, the firm urges defenders to focus on the whole adversary process–the "kill chain"–which includes the initial access, lateral movement, and intelligence gathering, which could take months or years before a disruption, it noted.
"For instance, almost every ICS intrusion Dragos has monitored began with remote access external to the industrial environment either as from compromised VPN [virtual private network] credentials via [third] party vendors or intrusion into the IT/business network using email phishing and strategic web compromise (i.e., ‘watering holes'). These adversaries focus on password stealing to masquerade as legitimate users," it said. But for Dragos, because threat actors exploit few, if any, zero-day vulnerabilities–software security flaws that software vendors know about but don't have a patch in place to fix–"success is achievable" using "traditional approaches."
As Thomas Pope, an adversary hunter for Dragos, told POWER, "So, really, it comes back to that capital doctrine of you need to keep your walls from being breached, but the problem is you have to let email in, so you're kind of allowing the attackers in because you have to, and so you have to figure out another way to repel them," he said. Selena Larson, Dragos intel analyst, emphasized, "phishing is a very common infection vector, and it's very successful." Waterhole attacks are also "pretty common, like phishing," and those can be thwarted by training and awareness, she said.
The Value of Risk Management Cannot Be Understated
Reg Harnish, CEO of GreyCastle Security, a cybersecurity services provider that specializes in critical infrastructure, also endorsed well-publicized approaches, though he noted that cybersecurity is still evolving. "We're still learning some things and eventually [maybe 10 years from now], it'll just become one of those things that you do as a business." For now, he advised anyone involved in power production and distribution (Figure 2) to take the first critical step of understanding what their risks are. "There's this idea of a risk assessment, but it's not a universal term," he noted. However, "there's just so much complexity in organizations today that its hard to inventory or know what you have. Until you know, it's pretty difficult to secure it."
2. Connected plants. The power sector faces a massive inventory of cybersecurity attack activity. Attacks are perpetrated by diverse threat actors and affect assorted components in varied plant systems. Source: Creative Commons/POWER
Risk tolerance–"what you are okay with"–is as critical, he said. One useful way to address both is through the National Institute of Standards and Technology (NIST) Special Publication 800-30 and 800-37, which will allow defenders to determine what they should do, the order in which they should do it, and how much they should do. "I think until organizations do that, most are investing in cybersecurity, but it's not really improving their position–they're spending on the wrong things or doing things in the wrong order."
Harnish also urged companies to address workforce behaviors. "Every single risk comes down to a human being," he said. "If you haven't figured out how to take the risks that human beings introduce to your organization and change that equation so that they defend your organization rather than exploit it or make it vulnerable, then cybersecurity becomes very difficult."
The final critical lesson is to ensure organizations have a customized response capability, Harnish said. "You have to ask, ‘What is your capability and what is your strategy for that going forward?' so that when something happens, you know who to call, you know how to activate your response plan, you know how to measure success, and you know how to track incidents and all sorts of other things."
Preparing the Defense Muscle
Edgard Capdevielle, president and CEO of Nozomi Networks, an ICS cybersecurity firm that offers a real-time visibility supervisory control and data acquisition (SCADA) application, too, called attention to the evolution in cybersecurity tactics (Figure 3). "Security is always going to be a cat-and-mouse game, but in IT that cat-and-mouse game is pretty sophisticated. Both the cat and mouse kind of get better over time." But he noted, in OT, "we do not have that level of sophistication." One reason is that "breaches are still far apart in frequency," he said. That's good news–but also concerning. "OT breaches take a lot of skills in the hands of evil doers, but they don't really have the motivation, other than ideology." Many breaches on the OT side have come from nation-states, he noted. "But we need to be prepared if motivations align–which is what we're all expecting.... And the fact that we've never had to defend ourselves in this front, our defense muscles are just not ready," he said.
3. Threat vectors. Cybersecurity breaches–successful or not–have presented the industry with an opportunity to learn, and ramp up response and resilience. Source: Creative Commons
Capdevielle stressed that understanding why industry is not prepared is important. Starting in the 1970s, he explained, owners of power generation and transmission components and associated control systems began automating many manual processes, converging IT and OT systems in a bid to increase reliability and efficiency. More recently, owing mainly to obsolescence, rising maintenance costs, and improved efficiency, industry is also shifting toward more connected power plants, installing more intelligent devices and smart equipment. However, the deployment of more intelligent controls has also increased the vulnerability of systemic exposure, which can result in widespread impacts. Historically, "industrial control networks had a different technology that did not physically allow for a connection," he noted. "Nowadays–actually over the past 10 years–TCP/IP [transmission control protocol/internet protocol] or standard connectivity has really been adopted on the OT side. But we are under the denial that we can air-gap–keep them completely separate–even though the underlying technology was designed to connect." Nozomi identifies this "denial" as the crux of the problem. "Everywhere we show up, people swear that their network is air-gapped, and with a super-high degree of statistical proof, we can show them–and we physically show them–that that is not correct," said Capdevielle.
However, as with the other experts, Capdevielle suggested that "if you start with the basics, you're going to be OK." The first thing he suggests is increasing visibility of industrial networks. "Identify all your network assets," he said. "You should be able to inventory them, detect vulnerability in those assets, and you should be able to decide what risk level you're able to tolerate by making risk management decisions associated with whether you patch those assets or not at your own priority and speed. If you do that, you're protecting yourself against potentially 60% of the stuff out there," he said. The next steps would entail continuously monitoring those networks by keeping an eye out for anomalies, and active threat hunting to make sure safeguards implemented for industrial security tie into the rest of overall security environment. "That should be part of the IT/OT convergence," Capdevielle noted. ■
–Sonal Patel is a POWER associate editor.