Recently there’s been a lot of talk about the “Russians” attacking America’s energy grid, but few details have been disclosed as to how these revelations have been discovered. Now, more than ever, it is critical to understand the true threats that exist while simultaneously being cautious not to perpetuate the “It’s the Russians!” cold war rhetoric.
In our report entitled “The Energy Sector Hacker Report: Profiling the Hackers Groups that Threaten Our Nation’s Energy Sector,” published last year, ICIT brings you the facts and eliminates the fiction as to the actual vulnerabilities, exploits, the actors operating in this space. Among the areas covered by the paper are:
- The Incidents that have Shaped Energy Sector Discussions
- A Breakdown of the Major Components of our Energy Grid
- The Expanding Threat Landscape
- The Threats to the Energy Sector
- Energy Sector Threat Actors
Among our Nation’s critical infrastructures, the Energy Sector is a primary target for exploitation by nation state and mercenary APTs, hacktivists, cyber jihadists and other hacker teams. General, broad stroke conversations on the softball topic of “resiliency” are being had in micro bureaucracies throughout the industry with little attempt being made to dissect the threat actors or the toolkits being used to exploit the seemingly endless layers vulnerable to attack. According to the Honorable Deborah Lee Jackson of the United States Air Force, with regards to the cybersecurity posture surrounding the United States Energy sector, “We are in the most complex, uncertain, and rapidly changing threat environment…we never seem to correctly predict what happens next” . Within Energy organizations, leadership changes and priorities shift, but the need for resiliency outlasts. Threats to the sector are relentless and are increasing as systems become more interconnected and accessible. At a time when cyber and physical security are most vital to combat the plague of adversaries waging war on Western Nations, it is critical to analyze the most complete picture of domestic and foreign threats.
A conversation about energy sector resiliency that is absent of details about actors, malware (other than Blackenergy) and evolving vectors of attack is an incomplete conversation and more of an exercise in security theater than true and viable defense. By focusing on a discussion devoid of the critical details, such as possible threat actors and their tools, techniques, and procedures, the Energy sector is positioning itself to rely on a security foundation built on false confidence. An accurate picture of the threat landscape is necessary to develop the in-depth and layered defenses vital to the protection of internal Energy systems and the national electric grid.
This report introduces the most prominent actors and exploits, along with hacker group profiles and choice vectors of attack into the conversation of energy sector resiliency in order to convert bureaucratic babble into a strategic conversation about true and viable security that takes into consideration the complete picture of energy sector vulnerabilities. Organizations cannot thoroughly defend themselves against the evolving stealth and technical sophistication of this expansive threat landscape until actor profiles, vectors of attack, bad actor techniques and exploit evolution are injected into the energy sector resiliency conversation. Industry threats and capabilities will continuously change and evolve and this report is meant to offer nothing more than a starting point for the content that the energy sector resiliency conversation is lacking.
Incidents that Shaped Energy Sector Discussions
On August 14, 2003, overhanging foliage downed a powerline in Ohio and resulted in a power outage. The outage should have triggered an alarm to redistribute power at the FirstEnergy Corp. control room; however, a software bug triggered a race condition that prevented the alarm. The local blackout spread and built momentum as other stations on the grid were also taken offline. This led to power outages for 45 million Americans and 10 million Canadians in the states of New York, Pennsylvania, Connecticut, Massachusetts, New Jersey, Michigan, and parts of Canada . Depending on location, electricity was unavailable for hours to weeks. Ten deaths were officially attributed to the blackout, though researchers from Yale School of Forestry and Environmental Studies and John Hopkins University attribute 90 deaths to the blackout in New York City alone. Further, the Bush Administration realized that some government systems that monitor border crossings, port landings, and access to secure sites, were unavailable during an outage and could therefore be exploited by terrorists. The 2003 Northeast blackout led to a widespread reliability and security reform in the Energy sector. The sector developed a vast regulatory and compliance culture predicated on keeping the grid reliable and operational.
In 2010, nearly one-fifth of the systems supporting Iran’s nuclear sector were infected with the Stuxnet worm. Stuxnet targeted systems running Microsoft Windows and Siemens Step7 software. It leveraged four 0-day vulnerabilities to modify the code running in programmable logic controllers (PLCs) that controlled machinery, such as centrifuges, and cause them to deviate from their expected behavior. In particular, Stuxnet infected Iranian PLCs to either collect information or to inflict cyber-kinetic damage by causing the centrifuges to spin too fast and eventually break. Stuxnet consists of a worm that executes the payload and its subroutines, a link file that automatically executes propagated copies of the worm, and a rootkit that is capable of obfuscating activity and collecting data. Stuxnet can be tailored to attack SCADA and PLC systems and it may have been the inspiration or platform upon which the Flame APT, Night Dragon, and other groups built their malware. Stuxnet was typically introduced to a system through an infected USB drive. The worm automatically installed when the drive was connected to a system and it scanned for Microsoft Windows; Siemens Step7, Siemens PCS 7, or WinCC software; and at least one Siemens S7 PLC. If both were found, then the rootkit installed and the malware injected code into the PLC while returning a feedback loop of normal operations system values to the user via a man-in-the-middle attack. Otherwise, the worm went dormant on the system. It is clear that the creators of Stuxnet designed it with great care to only infect targets that matched the victim profile. On one hand, Stuxnet caused the Energy sector to seriously consider cybersecurity as a necessity. On the other hand, the malware campaign inspired other campaigns against the Energy sector, such as BlackEnergy.
In October 2015 Ted Koppel’s book “Lights Out” renewed attention to power grid vulnerabilities and the possibility of impending terror attack. Koppel’s book focused on the potential consequences of an extended power outage and on his opinion that “The Department of Homeland Security has no plans beyond those designed to deal with the aftermath of natural disasters.” Koppel’s book and the 2013 National Geographic special “American Dark”, upon which it builds, assume that the Energy sector is so unprepared for potential events, that outages would last for months or years. Koppel’s book is not the most realistic depiction of the American Energy sector; however, it received a great deal of acclaim in the months following its release, due in part to media attention on the BlackEnergy malware attack that caused brief blackouts in the Ukrainian power grid.
Despite media speculation, a simple malware campaign cannot entirely take down the American power grid. The interwoven networks of utility companies, transmission networks, distribution hubs, and other facets, are too complex for any one attacker to wholly dismantle. The grid depends on multiple parties who all operate different infrastructure that is configured differently. Redundancy systems and physical fail-safes protect the grid from catastrophe. Nevertheless, the Energy sector is more vulnerable than most are willing to admit. Many of the legacy systems on which the nation depends lack sufficient backup and redundancy measures.
As a result, cyberattacks can disrupt operations, hamper communications, or stall the economy. ICIT Fellow Juan Espinosa (Parsons) adds, “Following the cyberattack on the Ukraine power grid there were reports that pointed out that an important vulnerability within the U.S. is that, unlike Ukraine, our power grid typically does not have manual backup functionality . This means that if automated systems controlling our utility power grid were to be attacked, it would take much longer for the response teams to restore power.” Even if the analog controls prevent cataclysmic outages, the fail-safes, which shutdown the underlying systems, cannot by their very nature, prevent disruptions. These disruptions, lasting hours or days, inflict economic and societal harm on the victim areas by disrupting businesses and raising citizens’ discomfort. In some cases, the disruptions can impede law enforcement and security by momentarily disrupting critical infrastructure, security systems, and surveillance systems.
The ICS and SCADA systems upon which the energy sector traditionally depends are segmented and air-gapped; however, these systems are increasingly more vulnerable to insider threat and cyber-attacks. According to former U.S. Department of Energy CTO Pete Tseronis (Exabeam), “It's a matter of WHEN, not IF, the power grid in our country is subject to a cyber-attack”. Many utility companies depend on patchwork legacy systems that precede the technicians tasked with their operation. In particular, the SCADA and ICS systems that support the United States power grid are beyond their intended useful life of 25 years or longer. These systems were not designed with cybersecurity in mind because no one envisioned that the internet would develop to become so ubiquitous, so pervasive, or so threatening . Trends to integrate IT and OT systems with internet of things technologies expands the threat landscape and opens the systems to modern threats.
According to a March 12, 2015 US Department of Homeland Security (DHS) report, in 2014 the energy sector faced the majority of the 245 reported ICS cyber-attacks (79). The next highest targeted sectors were critical manufacturing and healthcare with 65 and 15 incidents respectively. Of the total 245 incidents, at least 55% are believed to be the result of efforts of advanced persistent threats (APTs) or sophisticated threat actors . Likewise, Tripwire’s November 2015 survey of 150 IT professionals in energy, utilities, and oil and gas industries found that 82% of energy sector IT professionals agree that a cyber-attack could cause physical damage; 65% lack visibility into cyber attacks capable of causing physical damage; and only 35% of those polled claimed to be able to track threats targeting their operational technology (OT) systems. Moreover, 76% of respondents believed their organizations were already the targets for cyber-attacks that could cause physical damage; 78% said their organizations were potential targets for nation-state cyber-attacks; and every executive respondent said that a kinetic cyber-attack on their OT would cause physical damage .
The United States Energy sector is dependent on an intricate amalgamation of interwoven networks of antiquated legacy systems and interconnected under-protected modern technology. The nation’s socioeconomic survival depends on a complex electricity grid, which is in turn dependent on an assortment of power generation plants, distribution facilities, and transport mechanisms, to deliver energy to the homes and businesses that support life, business operations, and critical systems. The Energy sector was not built upon a foundation of security and cyber-resiliency .
The overwhelming majority of America’s homes, business, and services depend on the lifeblood of the nation; electricity . The electric grid is so essential to everyday life, that it is literally the only critical infrastructure network that is visible in every city, business, or home in America. Citizens depend so much on the electric grid and the energy production facilities that support it that their brains barely register the powerlines overhead or the substations in town. Electricity is like air in that many do not think too much about it, unless it is not constantly available. Only during a power failure, when control over temperature management, entertainment, cooking, refrigeration, light, and services, are unavailable do citizens truly realize how critical the Energy sector is for conventional life . When citizens lose access to electricity, public resentment grows and crime increases. If the disruption persists, lives may be at risk.
The electric grid and the supporting energy production infrastructure are built to be reliable, flexible, and economically competitive. Reliability is achieved through a large transmission network that allows operators to account for anticipated and unanticipated losses while still ensuring that demand is met. Flexibility is achieved through a diversification of energy production resources and locations and through a location-based optimization of energy facilities. This means that coal facilities are used in regions that have plentiful coal supplies while wind technologies support regions with strong wind currents; nevertheless, the expansive transmission network ensures that energy can be routed to distant cities in times of need. Finally, the American electric grid relies on a variety of generation facilities and power plants that inter-compete to offer the most affordable rates to consumers. The competition between different variants of energy production also ensures that the American people are not entirely victimized by fluctuations in fuel prices of one type or another .
Notice that the three founding principles of the American energy distribution network do not include security. The brilliant engineers of the electrical grid and the supporting energy networks did not found the Energy sector on principles of cybersecurity and cyber hygiene because the internet did not bloom into its formidable and ubiquitous form until long after the Energy sector was established. Since its foundation, the Energy sector has rapidly and dynamically adapted to accommodate: new technologies, increases in demand, diversification of production facilities, regulations, and market fluctuations. Every second, calculations are processed to dynamically adjust the electric grid to meet the greatest demand at the lowest cost. As in other sectors, the advent of the internet eased the management and maintenance of critical systems through the marriage of legacy technology with novel applications and technology; however, the security added to the preexisting systems is often mismanaged or inadequate to the task of securing the underlying critical infrastructure systems .
The Energy sector is comprised of power generation facilities, transmission networks, distribution nodes, network operations, and consumer endpoints , . The majority of electricity generation facilities are owned by electric companies and utilities, which are regulated by state-level Public Utility Commissions (PUC) or Public Service Commissions (PSC). PUCs and PSCs set the electricity rates within their states or regions that production facilities may charge. Both types of commissions are independent regulatory bodies, appointed by state legislatures. Generator construction and operation are subject to PUC or PSC approval . Electricity is generated by a variety of coal or natural gas burning plants, hydroelectric dams, nuclear power plants, wind turbines, and solar farms. The technology and viability of each contributing subsector depends upon the facilities’ region, age, distance to dependent consumers, and other factors. Each category of plant offers different capabilities and has different operational constraints. For example, coal and nuclear power plants take a significant amount of time to increase or decrease their electrical output and consequently these facilities have little short-tern flexibility in the adjustment of resulting electrical output. Alternately, natural gas facilities can be ramped very quickly and are often used to meet peaks in demand. More variable technologies, such as photovoltaics and wind turbines are used in areas where their lifetime operational output exceeds their cost. Grid monitors constantly monitor the contributions of the production facilities in each operating region to ensure that the total supply meets demand and that there is a reserve margin of backup electricity generating capacity withheld to account for potential forecasting errors or disruptive activity at a generation facility .
Electricity is often generated in either a spinning electrical generator, such as a waterwheel in a hydroelectric dam, a large diesel engine, or in a gas or steam turbine which relies on burning coal, oil, or natural gas or on the steam produced from the heat of nuclear fission reactions . These turbines, are vulnerable to Aurora attacks and malware similar to Stuxnet that could result in kinetic damage by mis-rotating the turbines. These cyber-kinetic attacks can result from the altering of logic on PLCs, from an altering of thresholds on engineering workstations and subsystems, or in numerous other ways. Moreover, depending on the system, an attack may take less than a minute; which may be less time than an operator takes to notice the incident and respond by manually shutting down the system .
Electricity is transmitted from generation facilities to distribution nodes to consumers through high-voltage transmission lines. To increase redundancy and reliability, transmission networks are interconnected . The national electric grid is comprised of interconnected regional grids that share infrastructure and balance consumer demand. The largest of the networks are the Florida Reliability Coordinating Council (FRCC), the Southeast Reliability Corporation (SERC), the Reliability First Corporation (RF), the Northeast Power Coordinating Council (NPCC), the Midwest Reliability Organization (MRO), the Southwest Power Pool (SPP), the Texas Reliability Entity (TRE), and the Western Electricity Coordinating Council (WECC) . Transmission networks are either managed by utilities or separate entities known as Independent System Operators (ISOs) or Regional Transmission Organizations (RTOs), who facilitate competition among electricity suppliers and provide access to transmission by managing the use of transmission lines. Like generation facilities, transmission lines are subject to approval by state-level PCUs or PSCs; however, the Federal Energy Regulatory Commission (FERC) regulates electricity transactions made between regional grid operators. FERC is a national agency that regulates the electricity grid at a national level and resolves disputes between market participants . Transmission lines are made of aluminum alloy and reinforced with steel. The lines carry high voltages (11kV – 765kV) because percent of electricity lost in transit as heat and resistance is inversely proportional to the voltage. In the United States, the rate of loss is an average of 6% . The typical maximum transmission distance is approximately 300 miles . Depending on the region, transmission lines can either pass overhead or underground. Overhead cables are uninsulated, less expensive, and vulnerable to natural events. Underground cables are more expensive, insulated, and more difficult to install. The insulation added to underground cables makes them more reliable because the cables are less susceptible to natural events, magnetic fields, or other electric fields .
Power generation facilities produce electricity at low voltages and rely on transformers to convert the electricity to a higher voltage for transport. The electricity is transported across the power lines, and then another transformer converts the voltage back down to low values for the distribution network to deliver to homes and businesses . The transmission segment of the power grid is most susceptible to physical attacks and insider threats because people, rather than systems, can subvert the tangible controls and overrides designed to prevent incidents. For instance, on April 16, 2013 attackers cut the AT&T fiber-optic telecommunication lines outside San Jose California and opened fire at the substation. Over the course of 19 minutes, the attackers fired over 100 bullets and damaged 17 electrical transformers and 6 circuit breakers belonging to PG&E Corp. at the Metcalf Transmission Substation. The bullets riddled the transformers’ casings and caused them to leak their coolant oil and overheat. Former FERC Chairman Jon Wellinghoff stated that military experts postulated that the attack was professional and could have been “the most significant incident of domestic terrorism involving the grid that has ever occurred.” The FBI investigated the attack and as of February 2014, did not believe that it was the work of a terrorist group. A black-out was prevented by rerouting power from nearby Silicon Valley based power plants. The attack resulted in over $15 million in damages and required 27 days to repair the damaged transformers and return the station to operation. In the following three years, PG&E spent over $100 million upgrading security at its substations. PG&E installed more security cameras, better lighting, and replaced the chain-link fence with a concrete barrier. Because of the incident, in 2014, FERC imposed NERC developed mandatory physical security standards on substations that required utilities to identify critical assets and develop security plans, approved by independent third parties .
The distribution network is the series of wires, substations, and step-down transformers and transport wires that carry electricity from the transmission lines to consumers . Distribution stations, also known as power substations, reduce the transmitted voltage from hundreds of thousands of volts down to less than ten thousand volts. The stations also distribute electricity in multiple directions. Finally, power stations often have circuit breakers and switches that can disconnect the substation from the larger grid, when necessary . Distribution networks and retail rates are regulated at the state-level by PUCs and PSCs .
One of the largest vulnerabilities in the Energy sector is the reliance on a limited number of high-voltage and extra-high-voltage transformers, that are large, expensive, and difficult to transport or replace. In the event of compromise or loss, the systems take months to manufacture overseas and nearly as long to transport to the United States. The backbone of the transmission grid consists of approximately 2000 of these units throughout the nation. The number of transformers in each state is proportional to the size and population density of that region. A 2013 Lloyd’s study suggests that widespread damage to the EHV transformer network as the result of unanticipated events such as solar storms or cyberwarfare, could result in worst-case damages exceeding $1.2 trillion and outages lasting almost two years. The least extreme prediction of damage from a CME solar storm leaves 15 million people without power for up to six months and results in $217 billion in direct economic damages, $202 billion in indirect damages, and $474 billion in damages worldwide. The most severe outages would be felt in areas with a high population density, such as New York, California, and the Eastern seaboard. The manufacturing, finance, and government sectors would suffer the greatest impact. Globally, China, Canada, and Mexico would sustain the greatest damage from cascading economic impacts on the U.S. economy. In contrast, the Electric Power Research Institute suggests that temporary EHV transformers could be placed in a matter of days and kept operational until replacements were sourced from external nations. If you have experienced a power outage, it may well have been due to lightning, foliage, or an errant driver striking a transformer and inconveniencing a region for some time. At its least, damage to a single transformer can deny power to a region for hours to days depending on the inciting event, the load on the grid, and the distance to the next nearest transformer. Areas outside a 300-mile radius from an operating EHV transformer might be left without power for considerably more time. Rural areas may have fewer transformers, while urban areas have higher population densities and grid demands. Consequently, a cyber or physical attacker could strategically target one or more transformers in a region in an attempt to incite mass panic or to obfuscate nefarious activities. Depending on the duration of the outage, lives could be at risk. While modern critical infrastructure, such as hospitals, have backup generators or micro-grids, average households likely lack the alternate means to refrigerate food, heat or cool homes, or otherwise comfortably survive. The longer an outage lasts, the greater the crime-rate and the greater the burden on emergency response services. The Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corp. (NERC) require organizations to consider threats to the grid and proactively correct deficiencies .
Many organizations monitor or directly control EHV transformers from remote ICS systems. If malware, such as BlackEnergy, targeted ransomware, or threats unknown, targeted systems supporting EHV transformers, the resulting damages from physical system mismanagement could be just as severe as a CME solar storm. Unlike a theoretical CME storm, which might occur once every century, targeted cyberattacks can occur multiple times every second. Though each utility relies on different and often custom built infrastructure, a dedicated attacker could target one or more companies with versatile malware or by exploiting a vulnerability in a common ICS management software or third-party network. Cyberattacks will not be universally successful, nor are they necessarily likely to result in significant kinetic damages; nevertheless, the feasible disruptions to services possible could seriously impact conventional operations . Cyberattacks against energy infrastructure are often categorized as low risk, severe impact; however, given the vulnerable state of the ICS, SCADA, EMS, RTU, HMI, and other systems upon which the Energy sector depends, the risk to the sector and indeed to the nation is much greater than the common misconception. Consider, that SCADA and ICS systems, even when air-gapped, are well known for acquiring assorted malware by accident. When adversaries such as Hail-Mary threat actors begin targeting energy systems with intent, easy to achieve, severe consequences will inevitably follow.
See the PDF below.