Late last year, several Ukrainian power companies experienced unscheduled power outages, and malware known as BlackEnergy (BE) was discovered on the computer networks of many organizations involved in the nation's infrastructure. The U.S. immediately dispatched an investigatory team made up of representatives from agencies such as the National Cybersecurity and Communications Integration Center, Department of Energy, Federal Bureau of Investigation, and the North American Electric Reliability Corporation.
A joint investigation with Ukrainian authorities concluded that the outages were caused by external cyber-attackers. They were the result of remote cyber intrusions at three regional electric power distribution companies, affecting about 225,000 customers.
The attack was synchronized and coordinated, probably following extensive reconnaissance of the victim networks. A series of attacks occurred within 30 minutes of each other and impacted multiple central and regional facilities. Malicious remote operation of the breakers was conducted by multiple external hackers using either existing remote administration tools at the operating system level or some form of remote industrial control system (ICS) software.
The perpetrators acquired legitimate credentials prior to the cyberattack to facilitate access. At the conclusion of the attack, some systems were impacted by KillDisk malware which deletes or corrupts selected files.
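The attack chain described above (stolen but legitimate credentials, an interactive remote session to an operator host, then breaker commands from that session) leaves a correlatable trace in ordinary authentication and HMI command logs. The following is an added example, not code from the article or from any utility or vendor named in it: a small correlation check that flags breaker operations issued inside a remote session. The log format, host names, account names, addresses and the "control-room" address range are all constructed assumptions for illustration.

```python
# Added example, not from the article or any vendor tool: correlate remote
# interactive logins to HMI hosts with breaker commands issued from the same
# session. Log format, names and addresses are constructed for illustration.
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: control-room operator workstations live in this range; any
# interactive login to an HMI host from elsewhere is treated as remote.
CONTROL_ROOM_NET = ip_network("10.20.0.0/24")


def parse(line):
    """Parse one constructed log line: '<iso-ts> <kind> key=value ...'."""
    ts, kind, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["kind"] = kind
    return fields


def flag_remote_breaker_ops(lines):
    """Return breaker operations issued inside a remote interactive session.

    A session is keyed by (user, host). It opens on a 'login' whose source
    address is outside CONTROL_ROOM_NET and closes on the matching 'logout';
    a login from inside the control room clears any remote session for that
    key. Breaker commands on an open remote session are returned as alerts.
    """
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    remote = {}   # (user, host) -> login event of the open remote session
    alerts = []
    for e in events:
        key = (e["user"], e["host"])
        if e["kind"] == "login":
            if ip_address(e["src"]) in CONTROL_ROOM_NET:
                remote.pop(key, None)
            else:
                remote[key] = e
        elif e["kind"] == "logout":
            remote.pop(key, None)
        elif e["kind"] == "breaker" and key in remote:
            alerts.append({
                "ts": e["ts"].isoformat(),
                "user": e["user"], "host": e["host"],
                "src": remote[key]["src"],
                "target": e["target"], "action": e["action"],
            })
    return alerts


# Constructed sample: a normal control-room shift on hmi-01, a remote session
# on hmi-02 using operator1's valid account that opens two breakers, and a
# later local login by operator1 whose breaker command is not flagged.
SAMPLE_LOG = [
    "2016-03-01T15:05:00 login user=operator2 host=hmi-01 src=10.20.0.15",
    "2016-03-01T15:06:10 breaker user=operator2 host=hmi-01 target=CB-17 action=close",
    "2016-03-01T15:30:00 login user=operator1 host=hmi-02 src=203.0.113.44",
    "2016-03-01T15:32:15 breaker user=operator1 host=hmi-02 target=CB-04 action=open",
    "2016-03-01T15:33:05 breaker user=operator1 host=hmi-02 target=CB-05 action=open",
    "2016-03-01T15:35:00 logout user=operator1 host=hmi-02",
    "2016-03-01T16:15:00 login user=operator1 host=hmi-02 src=10.20.0.16",
    "2016-03-01T16:20:00 breaker user=operator1 host=hmi-02 target=CB-06 action=open",
]

if __name__ == "__main__":
    for a in flag_remote_breaker_ops(SAMPLE_LOG):
        print("ALERT", a)
```

The point of keying on the session rather than on the account is that the credentials in this incident were valid; a check that only asks "is this user allowed to operate breakers?" passes. What distinguishes the malicious commands is the path they arrived by, so the check has to join the command log to the authentication log. In a real deployment the remote-source test would be tied to the site's actual jump-host and VPN address ranges, and a breaker command with no session of any kind would itself be worth an alert.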
Uninterruptible power supplies (UPSs) were also sabotaged via their remote management interfaces, interfering with restoration efforts.

Under attack

The energy sector, it turns out, is attacked more than other critical infrastructure industries, according to U.S. Department of Homeland Security (DHS) incident response statistics. Exelon's experience backs this up. "We see many attempts on our environment, but we haven't been impacted by any headline events to date," said Samara Moore, Senior Manager of Critical Infrastructure Protection (CIP) Security and Compliance at Exelon.
The power and oil & gas industries can expect an increasing frequency of such attacks going forward. The pipeline sector, said Moore, may not be a major target of attackers, but it provides a way to disrupt a region or divert attention so they can go after another target. “Supervisory Control and Data Acquisition (SCADA) systems have end points and control centers that are geographically dispersed, thereby presenting a possible target,” said Moore.
Attackers or threat actors include nation states, competitors, organized crime, script kiddies (those who hack with existing exploits or scripts; often, but not always, young), hacktivists, insiders and terrorists. Their motivations may be financial, industrial, military, ideological or political, or a matter of retribution or prestige. Assets that might come under threat include SCADA, programmable logic controllers (PLCs), communication networks, intellectual property (IP), users, infrastructure, business plans, user devices and customer lists. "Failing to deal with such threats could affect reputation, revenues and the brand image," said Moore. "It can also lead to regulatory fines, competitive disadvantage and distraction from major objectives."
Her advice is to be proactive rather than only dealing with such issues as they come up. Unfortunately, the lines of infiltration are many and hard to prevent.
(More in July/August 2016 issue of Turbomachinery International magazine)