Recently there’s been a lot of talk about the “Russians” attacking America’s energy grid, but few details have been disclosed as to how these revelations have been discovered. Now, more than ever, it is critical to understand the true threats that exist while simultaneously being cautious not to perpetuate the “It’s the Russians!” cold war rhetoric.
In our report entitled “The Energy Sector Hacker Report: Profiling the Hackers Groups that Threaten Our Nation’s Energy Sector,” published last year, ICIT brings you the facts and eliminates the fiction as to the actual vulnerabilities, exploits, and actors operating in this space. Among the areas covered by the paper are:
- The Incidents that have Shaped Energy Sector Discussions
- A Breakdown of the Major Components of our Energy Grid
- The Expanding Threat Landscape
- The Threats to the Energy Sector
- Energy Sector Threat Actors
Among our Nation’s critical infrastructures, the Energy Sector is a primary target for exploitation by nation state and mercenary APTs, hacktivists, cyber jihadists and other hacker teams. General, broad-stroke conversations on the softball topic of “resiliency” are being had in micro bureaucracies throughout the industry, with little attempt being made to dissect the threat actors or the toolkits being used to exploit the seemingly endless layers vulnerable to attack. According to the Honorable Deborah Lee Jackson of the United States Air Force, with regards to the cybersecurity posture surrounding the United States Energy sector, “We are in the most complex, uncertain, and rapidly changing threat environment…we never seem to correctly predict what happens next.” Within Energy organizations, leadership changes and priorities shift, but the need for resiliency outlasts them. Threats to the sector are relentless and are increasing as systems become more interconnected and accessible. At a time when cyber and physical security are most vital to combat the plague of adversaries waging war on Western Nations, it is critical to analyze the most complete picture of domestic and foreign threats.
A conversation about energy sector resiliency that is absent of details about actors, malware (other than Blackenergy) and evolving vectors of attack is an incomplete conversation and more of an exercise in security theater than true and viable defense. By focusing on a discussion devoid of the critical details, such as possible threat actors and their tools, techniques, and procedures, the Energy sector is positioning itself to rely on a security foundation built on false confidence. An accurate picture of the threat landscape is necessary to develop the in-depth and layered defenses vital to the protection of internal Energy systems and the national electric grid.
This report introduces the most prominent actors and exploits, along with hacker group profiles and choice vectors of attack into the conversation of energy sector resiliency in order to convert bureaucratic babble into a strategic conversation about true and viable security that takes into consideration the complete picture of energy sector vulnerabilities. Organizations cannot thoroughly defend themselves against the evolving stealth and technical sophistication of this expansive threat landscape until actor profiles, vectors of attack, bad actor techniques and exploit evolution are injected into the energy sector resiliency conversation. Industry threats and capabilities will continuously change and evolve and this report is meant to offer nothing more than a starting point for the content that the energy sector resiliency conversation is lacking.
Incidents that Shaped Energy Sector Discussions
On August 14, 2003, overhanging foliage downed a powerline in Ohio and resulted in a power outage. The outage should have triggered an alarm to redistribute power at the FirstEnergy Corp. control room; however, a software bug triggered a race condition that prevented the alarm. The local blackout spread and built momentum as other stations on the grid were also taken offline. This led to power outages for 45 million Americans and 10 million Canadians in the states of New York, Pennsylvania, Connecticut, Massachusetts, New Jersey, Michigan, and parts of Canada. Depending on location, electricity was unavailable for hours to weeks. Ten deaths were officially attributed to the blackout, though researchers from the Yale School of Forestry and Environmental Studies and Johns Hopkins University attribute 90 deaths to the blackout in New York City alone. Further, the Bush Administration realized that some government systems that monitor border crossings, port landings, and access to secure sites were unavailable during an outage and could therefore be exploited by terrorists. The 2003 Northeast blackout led to widespread reliability and security reform in the Energy sector. The sector developed a vast regulatory and compliance culture predicated on keeping the grid reliable and operational.
In 2010, nearly one-fifth of the systems supporting Iran’s nuclear sector were infected with the Stuxnet worm. Stuxnet targeted systems running Microsoft Windows and Siemens Step7 software. It leveraged four 0-day vulnerabilities to modify the code running in programmable logic controllers (PLCs) that controlled machinery, such as centrifuges, and cause them to deviate from their expected behavior. In particular, Stuxnet infected Iranian PLCs to either collect information or to inflict cyber-kinetic damage by causing the centrifuges to spin too fast and eventually break. Stuxnet consists of a worm that executes the payload and its subroutines, a link file that automatically executes propagated copies of the worm, and a rootkit that is capable of obfuscating activity and collecting data. Stuxnet can be tailored to attack SCADA and PLC systems, and it may have been the inspiration or platform upon which the Flame APT, Night Dragon, and other groups built their malware. Stuxnet was typically introduced to a system through an infected USB drive. The worm automatically installed when the drive was connected to a system, and it scanned for Microsoft Windows; Siemens Step7, Siemens PCS 7, or WinCC software; and at least one Siemens S7 PLC. If both the Siemens software and a PLC were found, then the rootkit installed and the malware injected code into the PLC while returning a feedback loop of normal operating system values to the user via a man-in-the-middle attack. Otherwise, the worm went dormant on the system. It is clear that the creators of Stuxnet designed it with great care to only infect targets that matched the victim profile. On one hand, Stuxnet caused the Energy sector to seriously consider cybersecurity as a necessity. On the other hand, the malware campaign inspired other campaigns against the Energy sector, such as BlackEnergy.
In October 2015, Ted Koppel’s book “Lights Out” renewed attention to power grid vulnerabilities and the possibility of an impending terror attack. Koppel’s book focused on the potential consequences of an extended power outage and on his opinion that “The Department of Homeland Security has no plans beyond those designed to deal with the aftermath of natural disasters.” Koppel’s book and the 2013 National Geographic special “American Dark,” upon which it builds, assume that the Energy sector is so unprepared for potential events that outages would last for months or years. Koppel’s book is not the most realistic depiction of the American Energy sector; however, it received a great deal of