Organizations across every industry today face a wide range of cyber threats and serious security challenges from various vectors. A top concern among these is the persistence cybersecurity experts are seeing among advanced threat actors–either cyber criminals or nation state hackers–looking to conduct demonstrable harm to the national security interests, foreign relations, or economic posture of the U.S., or to the public confidence, civil liberties, or public health and safety of the American people. Previous attacks have shown that these people are motivated, highly capable, and constantly improving. The damages they leave in their wake are substantial.
Handcuffed by Hackers
One of the most critical threats is the increased malicious activity conducted by nation state threat actors, particularly those originating from Russia, Iran, and North Korea, which are driven by rising geopolitical tensions. The Sony Pictures Entertainment breach in 2014 is a perfect example of the trouble these attackers can cause, even when an organization has a strong security posture and in-depth safeguards. In that event, Sony was crippled by North Korean hackers and could not conduct normal business for weeks on end. Computers were inoperable, and entire servers and data centers were shut down–even offices and movie lots that were protected by managed, electronic access became inaccessible.
Beyond the threat of incidents like this one, physical destruction by cyber means and acts of cyber warfare are serious emerging concerns. In December 2016, utilities in Ukraine were targeted by malware dubbed CrashOverride, or Industroyer, which is designed to inflict physical harm to infrastructure, particularly by disabling power grids. CrashOverride is one of the few malware variants confirmed to be designed for damaging physical systems.
While the duration of the cyber attack in Ukraine was short-lived, the impacts continue. Intelligence has emerged to indicate it was developed by Russian hackers, possibly state-sponsored, for a cyber warfare campaign in response to tensions in the Crimean Peninsula. The December attack is also believed to have been a warning shot or test bed for future efforts.
Analysis of the malware that was forensically recovered from the impacted Ukrainian plant has informed the intelligence community just how sophisticated this threat is. The hackers behind it could have produced significantly more harm and damage than they did. Analog grid control mechanisms that were in place as operational back-ups made it possible for the plant to prevent the attack from being much worse and allowed power to be restored relatively quickly.
Recipe for Disaster: Old Systems and Adaptable Malware
What makes CrashOverride so dangerous is that it is adaptable to the specific environment that a utility has in place. It can completely lock operators out of targeted machines, meaning that if the power is taken down, operators cannot remotely login to recover. The results are widespread outages.
Researchers from antivirus provider ESET explained: CrashOverride "is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly. To do so, it uses industrial communication protocols used worldwide in power-supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas)…Dangerousness lies in the fact that it uses protocols in the way they were designed to be used…The attackers didn't need to be looking for protocol vulnerabilities; all they needed was to teach the malware ‘to speak' those protocols."
U.S. utilities need to take careful note of intelligence around CrashOverride for two important reasons:
- The current global climate gives reason to be prepared for potential hostility from nation state actors.
- Energy infrastructure in the U.S. is particularly vulnerable to cyber attacks.
Unfortunately, many industrial control systems that energy companies currently rely on were built decades ago, without security in mind. The foundation of the U.S.'s energy infrastructure consists of antiquated communication protocols and procedures without encryption or cybersecurity protections in place. This allows it to be hacked easily by actors testing their ability to manipulate legacy systems and protocols surrounding industrial controls. Damage can range in severity, including disrupted power distribution, system failures, and harm to equipment.
While there is no direct evidence publicly available that this malware has spread to utilities in other nations, the industry must work with government institutions to identify evolutions of this campaign and any tools, techniques, and procedures employed by these actors. Understanding the types of mechanisms and methodologies used, and how they are likely to be applied in the U.S., helps security professionals identify threats before large-scale harm can be done.
There are several critical steps utility providers can take to strengthen their defenses against malware and other cybersecurity concerns.
Collaboration with Government and Law Enforcement Agencies. Energy companies are part of every country's critical infrastructure, and protection of that infrastructure is a public issue. To protect utilities, it is imperative for energy organizations to work closely with the broader industry, the Federal Bureau of Investigation, Department of Homeland Security, and other government organizations to fully understand threats and ways to proactively defend against them. Government agencies can help identify the actors that are looking to engage in attacks against the energy sector and share important intelligence with security teams as it emerges.
Identification of Vulnerable Assets. For any organization looking to bolster cybersecurity, including energy providers, it is important to first understand the organization's business operations. This means taking into account the critical and valuable elements–such as grid operations, service distribution, and client information–and protecting those elements first and foremost. By prioritizing the "crown jewels," organizations can ensure that their security programs are at a minimum protecting the most vulnerable and sensitive assets.
Defense-In-Depth. Energy companies should be putting defense-in-depth layers on top of their industrial controls to update security for legacy systems. Outdated policies that were developed before cybersecurity became a major consideration must be renewed for stronger controls and to incorporate standard best practices. An energy company's security team, processes, and technology should be customized to the unique needs of the organization and the types of threats it is likely to face. With CrashOverride in mind, it is important for energy providers to build programs that defend against spreading malware and hire experts that understand the nuances of this particular threat.
Intelligence-Led Security. To really have a holistic defense in place, it is necessary for everything to be rooted in shared and fluid intelligence. Law enforcement agencies often have access to intelligence that the private sector would not otherwise be privy, and it is essential to participate in processes that facilitate the sharing of this information, as well as intelligence from other organizations across industries and in other countries. Energy companies should implement an intelligence repository that can provide a one-stop-shop for evaluating intelligence that has been gathered from internal analysis as well as outside resources. This provides a broad picture of the threat landscape, the various cyber actors motivated to attack utilities, and specific defense techniques that have held them at bay.
Vulnerability Assessments. Organizations should engage cybersecurity subject matter expert professionals, whose sole purpose is to actively impersonate threat actors, with the intention of uncovering weaknesses in the network. Penetration testers and seasoned incident responders should work together in a cross disciplinary approach to identify where threat actors are likely to gain entry and compromise the organization. These findings can continually inform which areas of the network need to be strengthened, or when training is needed to educate employees about their evolving role in cybersecurity.
Rapid Incident Response and Recovery. A comprehensive incident preparedness and response plan should be developed. Incident response should include, but not be limited to, containing an incident as quickly as possible; recovering operations with minimal disruption; and ensuring that lessons learned are ingested into the intelligence repository for more proactive incident prediction in the future. This minimizes the overall impact and helps sustainably improve the network environment in a way that prevents repeat attacks.
Countering Cyber Threats
There are many proactive steps organizations can take to reduce risk and thwart even the most advanced cyber threats. Historically, organizations have handled cyber threats with a relatively reactive posture, relying on intrusion detection systems and ad hoc response to security alerts. Those tactics are foundationally important, but with the constant evolution of today's cyber threat landscape, a more proactive and strategic approach is necessary to remain ahead of threat actors.
A persistent actor will eventually find a weak spot, and a motivated actor has the potential to cause significant damage, as CrashOverride demonstrated. With a comprehensive approach, energy providers can begin to proactively prepare for attacks like CrashOverride, while ensuring stronger defense, response, and recovery are in place if an attack does arise.
–Anthony J. Ferrante is a senior managing director at FTI Consulting. He is based in Washington, D.C., in the Global Risk and Investigations Practice of the Forensic and Litigation Consulting segment.