Growing Cyber Threats to the Energy and Industrial Sectors
- Dec 07, 2016
- Guest Author
Remember Shamoon, the wiper malware that disabled some 35,000 computers at Saudi Aramco, one of the world’s largest oil companies, in 2012? If you’ve followed cybersecurity news lately, you’ve probably heard that it’s back: in late 2016 a new variant disrupted servers at several Saudi government agencies. When the malware hit Saudi Aramco four years ago, it pushed the company into a technological dark age, forcing it to rely on typewriters and faxes while it recovered. Had that recovery failed, roughly 10% of the world’s oil supply would have been in jeopardy.
For some reason, many people are blissfully unaware of the threats our industrial and energy sectors face on a daily basis. Maybe it’s because they aren’t the most immediately exciting verticals, so an attack won’t make front-page news unless the power grid goes down and lives are affected. But this obscures the fact that energy and industrial companies are attacked every day by actors as diverse as hacktivists and nation states, using digital weaponry that ranges from open-source tools to exploits that cost millions of dollars to produce or procure.
It’s hard to grasp the damage a successful cyber attack on energy and industrial infrastructure can cause. At the most benign end, a company only loses productivity as staff are diverted to resolve the problem. Not every energy or industrial company is that lucky. A cyber attack can disrupt business functions, which in turn affects end users. It can lead to a loss of intellectual property, with long-lasting effects on a business that becomes less competitive as a result. There are financial losses: not just the cost of replacing damaged equipment, but customer compensation, lost earnings, and regulatory penalties. Most gravely, there is the potential for physical harm, even death. While this may sound alarmist to some, an uncontrolled explosion at a nuclear station, contamination at a water plant, or an extended loss of heat or electricity could have serious consequences for human lives.
In recent years, threats facing industrial and energy sector companies have diversified.
Companies no longer have to worry only about insider threats, where a disgruntled employee uses their position to damage the firm. The list of potential actors isn’t limited to hacktivists and organized criminals, and the attack vectors have broadened beyond spear phishing and vulnerable software.
Some of the biggest cyber criminals aren’t the stereotypical adolescents working from their mother’s basement, or gangsters working from a boiler room. They can be well-funded, well-trained, and well-equipped employees of nation states. The recent Yahoo breach is believed to be the work of a nation-state actor. Likewise, Guccifer 2.0 is widely believed to be a front for Russian intelligence. Many also suspect that the BlackEnergy 3 attack on the Ukrainian power grid in December 2015 was the product of the Russian government.
There are many reasons why a country would target another’s industrial and energy sectors. Perhaps the biggest is that it causes immense disruption and panic. In the case of Stuxnet, Iran’s nuclear program was set back (presumably by American and Israeli intelligence services) without a shot being fired. Attacks can also aim at technology acquisition. It’s widely believed that Chinese intelligence breached the computer systems used to design the F-22 and F-35 fighter jets, and that the stolen data was then used to develop China’s own indigenous designs.
Ransomware is a type of malware that impairs the use of a computer or damages the files stored on it unless a ransom is paid. Modern variants, known as crypto ransomware, encrypt the files on a victim’s disk with strong encryption and withhold the decryption key; if the victim wants the files back, they have to pay. The cost is often in the hundreds of dollars per infected machine.
When Israel’s Electricity Authority was hit by ransomware in January 2016, early reports suggested the national grid itself was under attack; the infection turned out to be confined to the regulator’s office computers, but the episode showed how close a commodity infection can come to critical operations. Ransomware can be spread through campaigns that target specific individuals or companies. More often, though, it is spread indiscriminately via spam networks.
Cybercrime is a business. Like any business, its proprietors are always looking for new opportunities. One is called SCADA Access as a Service, or SAaaS: a perverse business model in which one actor sells access to a compromised SCADA system to another unauthorized party.
According to Booz Allen Hamilton, this is a growing market. It describes SAaaS vendors as entities that find zero-day flaws in industrial control networks, build exploits for them, and sell those exploits to third parties. It notes that many vendors in this field aren’t cybercriminals at all, but legitimate businesses selling to governments and police forces, citing Hacking Team in Italy and Vupen Security in France. It also points to actors with worse intentions: one known criminal, using the handle Bonito, has been identified as selling access to SCADA systems. The SAaaS model is ideal for hacktivists and terrorists, since it lets them inflict staggering damage on infrastructure from a safe distance and with a degree of anonymity.
Very few companies are entirely self-contained. Most depend on third-party suppliers and manufacturers to function. As a result, many malicious actors target the smaller companies in an organization’s supply chain in order to reach a larger target that would otherwise be difficult to penetrate. This is why protecting the supply chain is crucial.
One of the starkest examples does not come from the industrial or energy sectors, but from the American Dental Association (ADA). In April 2016, it mailed USB flash drives to its 37,000 members. The drives had been manufactured by a subcontractor in China and were infected with code that would have allowed an attacker to remotely control any machine they were plugged into.
Compromised USB drives are a common attack vector, and one that requires vigilance to avoid both supply chain attacks and attacks that rely on social engineering. In 2008, the United States Department of Defense was compromised by an unknown foreign intelligence agency when an employee inserted an infected USB flash drive into a government laptop.
Between 2013 and 2014, a Russia-backed group known variously as Dragonfly and Energetic Bear targeted energy sector companies by going after the suppliers and service providers those companies used. Most troubling, the group compromised ICS vendors themselves, trojanizing legitimate software installers on the vendors’ own download sites. The two malware specimens involved, Backdoor.Oldrea (also known as Havex) and Trojan.Karagany, were also distributed via spear phishing and watering hole attacks. Crucially, they targeted the Windows hosts that typically run engineering and HMI software in ICS environments rather than the controllers or their firmware, and Oldrea carried a module that enumerated OPC servers and the industrial devices behind them.
We’re glad you asked. Check out NopSec’s recent 20-minute webinar on emerging threats to these vital sectors.
Attacks that target ICS are a niche, albeit a constantly growing one. New threats are discovered all the time, and the actors behind them are often dangerous, well funded, and skilled.
But the situation is by no means hopeless. There are ways to mitigate these threats. For those in the industrial or energy sectors, it’s crucial to have an ongoing security strategy. Use threat intelligence continuously to determine which actors target your sector, what tactics and techniques they employ, and how likely it is that your company is in their sights.
You should also have a remediation strategy that lets you resolve a compromise with minimal disruption to your customers and your business. This should not be a purely top-down effort involving only management and C-suite staff. Every employee has a role to play in protecting the business, so every employee should receive the security training that allows them to do their part.
See our white paper for more information.