Even if OT Systems Are Not Compromised, Cyberattacks Against IT Networks of Energy Suppliers Are Common
Attacks against critical infrastructure industries such as those targeting the energy supply -- actual and potential -- are rarely out of the news. Russia and Russian state actors are the probable aggressors. But we are still in the Cold War era of attacks against energy utilities. There has been no successful cyber-related attack against the supply of energy in the United States.
However, while attention is focused on the security of the power plant, threat hunting firm Vectra believes we are concentrating our security efforts in the wrong place.
"When I talk to the industry," Vectra's head of security analytics Chris Morales told SecurityWeek, "I am always asked, 'how can you watch my power pump?' My reply is simple: 'You've got a bigger problem than just your pumps. You have employees using Windows boxes. You use Windows servers. And your ICS systems are not as air-gapped as you like to think they are'."
We seem to be in the reconnaissance phase of a potential cyber war -- not yet an actual cyber war. Aggressors -- and all fingers tend to point primarily at Russia -- are breaking into energy utility firms and stealing plans. The purpose is to be stealthy. There is no current attempt to be disruptive.
"It really is very easy," said Morales, "for an attacker to get into an energy utility network, use the tools that are already there -- such as Outlook web access -- and then be able to hide within the signal of things that are already happening. The behaviors they use aren't really special, they're just using what's already there. In one instance, attackers used a Fortinet VPN client to do command and control -- which is not something usually monitored by security systems. When they get onto a network, they use things like PowerShell to remain invisible. I wouldn't say they use advanced tools, although I would say they are advanced attackers."
They do a good job at covering their tracks, he continued. "That's why they weren't spotted for so long, which includes erasing evidence such as logs. They uninstalled any Fortinet clients they used. Every time they did something, they cleaned it up -- which means there was nothing to report on from a log perspective. You need to focus on the network and network behaviors in real time in order to find this stuff, because this is the only thing that attackers cannot clean up."
Vectra's Cognito platform provides continuous real time visibility into network behavior, using AI to perform continuous threat detection. It provides full visibility into cyber-attacker behaviors from cloud and data center workloads to user and IoT devices, claims the firm.
Figures from a new Vectra Spotlight report, which drew anonymized metadata from more than 4 million devices, show that while destructive attacks against the energy supply have not occurred in the U.S., attacks against the IT networks of energy suppliers are common. Total command-and-control attacker behaviors (which include elements such as external remote access, hidden HTTP CnC tunnels, and hidden HTTPS CnC tunnels) have been detected in more than 600 host devices per 10,000 host devices. Across all industries, the figure is around 450 per 10,000 hosts.
Internal reconnaissance behaviors (such as file share enumeration, internal darknet scans and port scans) have been detected in almost 10% of energy and utilities devices, compared to just over 7.5% of devices across all industries.
Lateral movement attacker behaviors (such as automated replication, a suspicious Kerberos client, and suspicious remote execution) were detected in just over 11% of energy and utilities devices, compared to around 7% for all industries.
Data exfiltration behaviors (such as a data smuggler, or a hidden DNS exfiltration tunnel) were detected in around 4.25% of devices compared to around 3.75% across all industries. The report stresses that these behaviors alone do not necessarily indicate an attack unless they correlate with other behaviors in different phases of the attack lifecycle.
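The correlation point above is the defender's takeaway from these figures: one port scan or one odd Kerberos client is noise, but the same host showing behaviors from two or more lifecycle phases is worth an analyst's time. The following is an added example (not Vectra's code or the report's method) that applies that rule to a constructed set of per-host detections and also normalizes counts to the report's per-10,000-hosts unit; the phase names, hosts and detection records are all constructed for illustration.

```python
from collections import defaultdict

# Attack-lifecycle phases named in the report, in rough order of progression.
PHASES = ("command_and_control", "internal_reconnaissance",
          "lateral_movement", "exfiltration")

# Constructed sample detections (not real data): (host, phase, detection_type).
DETECTIONS = [
    ("host-01", "command_and_control", "hidden HTTPS CnC tunnel"),
    ("host-01", "internal_reconnaissance", "file share enumeration"),
    ("host-01", "lateral_movement", "suspicious remote execution"),
    ("host-02", "command_and_control", "external remote access"),
    ("host-03", "internal_reconnaissance", "port scan"),
    ("host-04", "exfiltration", "hidden DNS exfiltration tunnel"),
    ("host-04", "command_and_control", "hidden HTTP CnC tunnel"),
    ("host-05", "lateral_movement", "automated replication"),
]

def phases_by_host(detections):
    """Map each host to the set of lifecycle phases it has detections in."""
    phases = defaultdict(set)
    for host, phase, _ in detections:
        if phase not in PHASES:
            raise ValueError(f"unknown phase: {phase}")
        phases[host].add(phase)
    return dict(phases)

def correlated_hosts(detections, min_phases=2):
    """Hosts with behaviors in at least `min_phases` distinct phases.

    A lone detection (e.g. a single port scan) is weak evidence; the same
    host showing C2 plus reconnaissance or exfiltration is far stronger.
    """
    by_host = phases_by_host(detections)
    return sorted(h for h, p in by_host.items() if len(p) >= min_phases)

def rate_per_10k(detections, phase, total_hosts):
    """Hosts with at least one detection in `phase`, normalized per 10,000
    hosts (the report's unit) so fleets of different sizes are comparable."""
    hosts = {h for h, p, _ in detections if p == phase}
    return len(hosts) * 10_000 / total_hosts

if __name__ == "__main__":
    print(correlated_hosts(DETECTIONS))                          # ['host-01', 'host-04']
    print(rate_per_10k(DETECTIONS, "command_and_control", 50))  # 600.0
```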
Nevertheless, the clear implication from these figures is that even if ICS/SCADA devices are not directly being successfully targeted, the IT networks of the energy supply industry are a major target. "The key point," said Morales, "is that a lot of these energy utilities need to pay a lot more attention to the IT side of their systems. In general, they've done a pretty good job on the ICS side and the power grid -- they're not perfect, but they've actually put a lot of time and effort there. But I don't think they've put as much time and effort into their IT networks, which is where all the precursors of an attack come from -- such as stealing all the files pertaining to ICS or SCADA."
It seems like surveillance -- but if this is genuine surveillance, then the implied intention is to be able to bridge the gap between the IT and OT networks on demand in the future. "Will the files being stolen make this any easier? Absolutely they will," said Morales. "The kind of data that attackers have taken is wiring diagrams, panel layouts, and how the turbines work. They've been in the networks and they've acquired the data that shows how the entire SCADA system works. So, the next step would be to get into those systems. When you have the blueprints, you can start to figure out how to get in and what you need to do to disrupt or damage things, such as a thermostat and the operating ranges and how to change them -- which is basically what happened with the US/Israeli attack against Iranian centrifuges with Stuxnet."
Surprisingly perhaps, there is little evidence of China being involved in this type of cyberwar precursor -- most fingers tend to point towards Russia. China seems to be avoiding activity that can be related to cyberwar. It may also be honoring the Obama accord and limiting its activity to non-industrial espionage (e.g., military) -- and there is certainly a lot of evidence of Chinese activity in this area. "I feel that China is a lot more capitalist than people tend to think. They don't want to take us down -- they want us to buy their stuff," commented Morales.
The question remains, however, why is there so much cyber activity directed against the energy sector? "I absolutely believe there is weaponizing at the end of this," concluded Morales. "I can't predict it, I don't know what will happen with this; but it certainly feels like preparation in case something does happen. I personally believe that if there is ever a breakout again, between us and Russia, the first thing that opponents will want to do is take down the power systems."
Unless the energy companies improve their ability to keep stealthy adversaries out of their IT networks, the implication is that they are learning -- or, worse, have already learned -- how to do this.