Companies within critical infrastructure sectors--including energy and utilities firms, aviation organizations, water systems and nuclear facilities--have been at risk of cyberattacks for years both in the United States and other countries around the world. The threat actors are nation-states looking to disrupt the inner workings of the targeted countries, such as when the Ukraine power grid was shut down by hackers in 2015, cutting off electricity to 700,000 people.
The United States hasn’t suffered such damage, but government agencies and the country's critical infrastructure have been under a sustained hacking campaign since 2016 by bad actors tied to the Russian government, according to officials with cybersecurity firm Vectra.
The Department of Homeland Security (DHS) and FBI teamed with Symantec to develop an analysis of the campaign, and the agencies have made other moves to highlight such threats to critical infrastructure sectors in the United States.
In a report released this month, Vectra researchers noted the ongoing threats, particularly to the energy and utilities sector. Attacks against this segment of critical infrastructure are distinct from others. Such attacks are deliberate, can run over long periods of time--sometimes months--and often come through the company’s enterprise IT network rather than the infrastructure’s industrial control system (ICS). Threat actors that infiltrate a network can damage the ICS and steal information about the critical infrastructure.
The findings in Vectra’s 2018 Spotlight Report on Energy and Utilities “underscore the importance of detecting hidden threat behaviors inside enterprise IT networks before cyberattackers have a chance to spy, spread and steal,” Chris Morales, the vendor’s head of security analytics, wrote in a blog post. “These threat behaviors reveal that carefully orchestrated attack campaigns occur over many months.”
The report paints a picture of highly deliberate and methodical attacks that are significantly different from more high-profile and faster-moving cyber campaigns against institutions such as banks.
“The difference is in the motive,” Morales told ITPro Today in an email. “Attacks mostly occur for opportunistic financial gain, which is not what would happen in the energy and utility industry. The attacks targeted against energy and utilities are for disruption purposes, which disrupts a country’s capabilities. This is more of a nation-state motive during warfare. Having access to the design and weaponizing provides a strategic advantage between nations.”
The report points to an alert issued in March by DHS’ computer emergency readiness team outlining Russian government cyber efforts against energy and other critical infrastructure systems. The alert noted that in such campaigns there are two types of targets: staging and intended. The staging targets are peripheral organizations like third-party suppliers whose networks--often less secure than those run by the energy companies--are used to store malware and stage attacks against the intended victim, which is the company within the critical infrastructure sector.
The threat actors use the staging victim’s infrastructure to connect to multiple intended targets using a command-and-control behavior called external remote access.
“When attackers move laterally inside a network, it exposes a larger attack surface that increases the risk of data acquisition and exfiltration,” Morales wrote in the blog post. “Remote attackers typically gain a foothold in energy and utilities networks by staging malware and spear-phishing to steal administrative credentials. Once inside, they use administrative connections and protocols to perform reconnaissance and spread laterally in search of confidential data about industrial control systems.”
Threat actors can then use administrative credentials to gain access to critical infrastructure systems and data, he wrote, adding that “this is one of the most crucial risk areas in the cyberattack lifecycle.”
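The two network behaviors described above, external remote access from a staging host into multiple intended targets and lateral movement over administrative protocols, can both be surfaced from ordinary connection logs by looking for one source fanning out to several internal hosts on administrative ports. The script below is an added illustration, not code from the article or from Vectra; the log format, the 10.0.0.0/8 internal range, the set of administrative ports, the fan-out threshold and the sample log lines are all constructed assumptions.

```python
"""Flag admin-protocol fan-out in a connection log (example code, not Vectra's).

Two findings are produced:
  external_remote_access - an outside source opens administrative sessions to
                           several internal hosts (the staging-target pattern)
  lateral_movement       - an internal host fans out to several other internal
                           hosts over administrative protocols
Log format, ranges, ports and threshold are assumptions for this example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_RANGES = [ip_network("10.0.0.0/8")]          # assumed enterprise IT range
ADMIN_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm"}
FANOUT_THRESHOLD = 3                                   # distinct targets per source

# Constructed sample log: "<timestamp> <src_ip> <dst_ip> <dst_port>" per line.
SAMPLE_LOG = """\
2018-09-01T02:14:01Z 203.0.113.7 10.1.1.10 3389
2018-09-01T02:15:44Z 203.0.113.7 10.1.1.11 3389
2018-09-01T02:20:09Z 203.0.113.7 10.1.2.5 22
2018-09-01T03:02:17Z 10.1.1.10 10.1.1.11 445
2018-09-01T03:02:52Z 10.1.1.10 10.1.1.12 445
2018-09-01T03:10:30Z 10.1.1.10 10.1.3.20 5985
2018-09-01T03:11:05Z 10.1.1.10 10.1.3.21 22
2018-09-01T04:00:00Z 10.1.5.5 10.1.5.6 22
2018-09-01T04:05:12Z 198.51.100.9 10.1.1.10 443
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def parse_log(text: str):
    """Parse the constructed log format into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((ts, src, dst, int(port)))
    return events


def find_admin_fanout(events, threshold: int = FANOUT_THRESHOLD):
    """Return {source_ip: (finding_kind, sorted target list)} for sources that
    reach `threshold` or more distinct internal hosts on administrative ports."""
    targets = defaultdict(set)
    for _, src, dst, port in events:
        # Only administrative protocols toward internal hosts count; the
        # 443 connection in the sample is ignored for that reason.
        if port in ADMIN_PORTS and is_internal(dst):
            targets[src].add(dst)

    findings = {}
    for src, dsts in targets.items():
        if len(dsts) >= threshold:
            kind = "lateral_movement" if is_internal(src) else "external_remote_access"
            findings[src] = (kind, sorted(dsts))
    return findings


if __name__ == "__main__":
    for src, (kind, dsts) in find_admin_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"{kind}: {src} -> {', '.join(dsts)}")
```

On the sample data the external address 203.0.113.7 is reported as external remote access (three RDP/SSH targets) and the internal host 10.1.1.10 as lateral movement (four SMB/WinRM/SSH targets); the single SSH session from 10.1.5.5 stays below the threshold. A real deployment would key on authenticated user rather than only on source IP, since the article notes that stolen administrative credentials are what make these connections look legitimate.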
Such attacks target ICS and supervisory control and data acquisition (SCADA) systems, Vectra researchers said in the report. The information in the report was based on observations and data from the 2018 Black Hat Edition of the Attacker Behavior Industry report from Vectra, officials said. That report showed bad actor behaviors and trends in networks from more than 250 customers in manufacturing and other industries.
The Spotlight report, focused on energy and utilities firms, found that during the command-and-control phase of an attack, 194 malicious external remote access behaviors were detected per 10,000 host devices and workloads. In addition, 314 lateral movement attacks were detected and, during the exfiltration phase--when accessed files pertained to ICS or SCADA systems--there were 293 data smuggler behaviors detected.
The need to detect hidden attackers in a company’s IT network before damage is done to the ICS and critical information is stolen will increase in the coming years, according to Morales. The National Institute of Standards and Technology (NIST) has published an abstract topology that shows how the power system of the electric-grid energy delivery system interconnects with IT systems.
“The topology highlights the growing importance and scale of enterprise IT networks within energy and utilities as the industry pivots toward two-way communication within the smart grid, including the use of IT devices and communication that combine IoT networks with ICS networks,” Morales wrote in the blog post.
Morales told ITPro Today that companies in the energy and utilities fields understand the risk posed by threats in IT networks, but that it hasn’t been a high priority for them. That will have to change, he said.
“For decades, power system operations have been managing the reliability of the power grid in which power availability has been the primary requirement, with information integrity as a secondary but increasingly critical requirement,” Morales said. “There has always been a component of IT security, but a lot of emphasis is placed on the SCADA systems first. In addition to blueprints and SCADA system designs, confidentiality of customer information is also important in the normal revenue billing processes and for privacy concerns. It is in this confidentiality where we see a risk in attacks on the IT networks in energy and utility companies.”