By Holden Mann and Rich Heidorn Jr.
Hackers who once focused on the industrial control systems of oil and gas producers have been increasingly targeting the electric grid since 2018, according to a new report by ICS security firm Dragos.
The company said the electric, oil and gas infrastructure of all countries is at risk from multiple global adversaries. “Attacks on electric systems — like attacks on other critical infrastructure sectors — can further an adversary’s criminal, political, economic or geopolitical goals,” said the report, released last week. “As adversaries and their sponsors invest more effort and money into obtaining effects-focused capabilities, the risk of a disruptive or destructive attack on the electric sector significantly increases.”
The report, which Dragos called a “snapshot of the threat landscape as of January 2020,” said the risk of a cyberattack disrupting the North American electric sector is “high.”
Since April 2019, more than a dozen U.S. electric utilities have been hit with spearphishing emails spoofing licensing and certification bodies in an effort to implant LookBack malware, Dragos said.
It said the recent increase in activity targeting North American electric utilities included a group called Parisite, which is targeting known virtual private network vulnerabilities, and a password spraying campaign — testing a small number of commonly used passwords on a large number of accounts — by the group Magnallium, which expanded from oil and gas operations to the electric sector in fall 2019. “Magnallium’s increased activity coincides with rising escalations between the U.S. and allies, and Iran in the Middle East,” the report said.
Diverse Threat Actors
Dragos identifies 11 major groups targeting electric utilities around the world, seven of which have attempted destruction, sabotage or reconnaissance within North America. The firm sorts these groups by several elements, including their methods of operation, preferred targets and the infrastructure used to execute actions.
While Dragos does not link individual groups to specific state actors, several are identified with well-known online espionage and sabotage campaigns. For example, the report attributes CrashOverride, an attack on electric utilities in Ukraine that has been blamed on Russia, to the Electrum network. Similarly, the Chrysene group, which targets a range of sectors in the Middle East, is linked with operations like OilRig and Shamoon that have been attributed to Iran. Magnallium also has been linked to Iran. (See related story, Iran Cyber Threat Increasing, Experts Say.)
ICS Capabilities
Dragos said the only groups with ICS-specific capabilities and tools to cause disruptions are Xenotime — which also has begun probing electric utilities in the Asia-Pacific region — and Electrum.
At least three groups have shown the intent or capability to infiltrate or disrupt electric networks, Dragos said, including Xenotime, which Dragos calls “the most dangerous and capable activity group.”
“Dragos assesses this group would be capable of refocusing its disruptive efforts on electric utilities since it has already affected safety instrumented systems in the Triconex, which are a mainstay in power generation.”
The report said attackers are getting the skills needed to infiltrate ICS networks thanks to the increasing availability of open-source information on industrial networks, protocols and devices. “Additionally, the spread of commodity IT hardware and software into OT [operations technology] networks increases the attack surface, providing ingress opportunities via techniques familiar to the adversary,” Dragos said.
Attack Scenarios
Dragos’ report identified six possible attack scenarios on electric utilities, including compromises of third-party suppliers and OT communications.
The report warns that hackers are increasingly seeking to compromise third-party suppliers, saying Xenotime, Dymalloy and Allanite have used trusted relationships to infiltrate target networks.
In addition to targeting VPN appliances used for remote connections to operations networks, adversaries are seeking to exploit managed service providers (MSPs), which are embedded within client IT and OT networks. “Thus, a breach at an MSP can lead to direct access to multiple victim networks,” the report said.
In 2018, the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (CERT) warned of a campaign to compromise MSPs serving IT, energy, health care, communications and critical manufacturing.
In March 2019, sPower, a joint venture of AES and the Alberta Investment Management Corp., was hit by a denial of service attack that briefly cut contact between operators and 500 MW of wind and solar generation in Wyoming, California and Utah. The attack, which exploited a known vulnerability in Cisco firewalls, was the first confirmed to have interrupted electrical system operations in the U.S., according to the Department of Energy.
NERC critical infrastructure protection standard CIP-013-1, which takes effect in July, will require asset owners and operators to develop risk management plans for high- and medium-impact bulk electric system cyber systems. (See NERC Plans Review of Supply Chain Standards.)
A Dragos report in August said its investigation of the CrashOverride attack indicates Electrum intended to disrupt protective relays during power restoration. “If executed correctly, such an event would cause a prolonged power outage, severely hamper restoration and potentially cause physical harm to operators and equipment,” Dragos said.
Although the relay gambit failed, Dragos said, “it could act as a blueprint for future electric-targeting adversaries attempting to disrupt operations and cause the greatest possible damage.”
Dragos also acknowledged that hackers could seek to disrupt electric operations by attacking natural gas pipelines but said it had not seen any evidence of “systematic attacks” on the sector.
Another opportunity for hackers is during planned maintenance outages, Dragos said, when anomalous behavior is more likely to go undetected.
“During initial equipment installation or maintenance windows, it is normal for utilities to allow additional external entities into operational environments with USB keys, configuration files [and] laptops for engineers and vendors,” Dragos said. “This is a prime opportunity to exploit and infect an OT network purposefully or incidentally.”
In 2012, according to CERT, an unnamed electric utility was hit with a malware infection on a generating plant’s control systems that was distributed accidentally via USB. The incident delayed the plant’s restart for three weeks.
Borrowing from NERC Standards
Dragos recommends that even utility functions not covered by NERC’s mandatory reliability standards voluntarily borrow from them to increase their protections. For example, non-BES operators such as distribution utilities can practice CIP-002 requirements by identifying and prioritizing their critical assets. Utilities covered by CIP-008 and CIP-009 should use required exercises to review the controls “across the entire utility security program to provide additional resilience,” it said.
CIP-007, which applies system security management controls for BES cyber systems, could be employed more widely to ensure that no devices or services use default credentials. CIP-005’s requirements for creating an electronic security perimeter also could be deployed for non-BES utilities and facilities.
And, given the growing scope of adversary organizations, electric utilities should understand how the activity groups are targeting other industries such as oil and gas.
The good news? Because it takes hackers a long time within the target to learn how to disrupt the system, “defenders have multiple points of opportunity along the potential attack chain to detect and eliminate adversary access,” Dragos said. “Defenders still maintain the advantage at this time.”