How to Stop Malware Attacks on SCADA Systems

Issue 10 and Volume 19.

by Julian Waits Sr., ThreatTrack Security

Combating malware is a constant struggle for organizations in all industries, and the U.S. energy sector is no exception. All information technology (IT) managers and security personnel face increasingly sophisticated threats, but personnel at power generation firms also must deal with the potential vulnerability of their supervisory control and data acquisition (SCADA) systems. These systems remain vulnerable to attack, even though the president and the Department of Homeland Security (DHS) have recognized them as critical, vulnerable components of the national infrastructure. An answer exists, but it requires looking beyond generic cybersecurity solutions and focusing instead on highly customizable, automated malware analysis.

In 2013 at the International Conference on Cyber Security, then-FBI Director Robert S. Mueller indicated that cybersecurity threats would equal or eclipse the terrorist threat. More recently, a February report by the Bipartisan Policy Center, a Washington, D.C., nonprofit think tank, indicated that the cybersecurity threat to North America’s electric grid is growing. The report, “Cybersecurity and the North American Electrical Grid,” states that a cyberattack could come from many sources and target several potential vulnerabilities in the North American electrical grid.

Many groups consider energy infrastructure and the systems that manage this infrastructure high-value targets. These attacks represent a high ROI from perpetrators’ point of view: If successful, attacks can cause significant damage while requiring relatively little effort and resources.

One area of vulnerability stems from the interactions power generation firms have with suppliers and partners. Many firms work with small contractors whose security practices may be inconsistent, out-of-date or poorly implemented. The downside of working closely with small contractors that lack strong IT security measures became clear when Target discovered that hackers had broken in using network credentials stolen from a third-party HVAC vendor that worked at multiple Target locations and at other top retailers, according to an article by blogger Brian Krebs on KrebsonSecurity.com. Many contractors handle sensitive data without the sophisticated cybersecurity tools needed to protect themselves or analyze targeted attacks properly. Further, SCADA systems sometimes are connected to the public Internet to support business demands.

During the past few years, researchers have found thousands of industrial control systems that can be accessed from the Internet, according to a DHS report. In 2013, Project SHINE, conducted with the assistance of the DHS Industrial Control Systems Cyber Emergency Response Team, identified some 7,200 Internet-connected critical infrastructure systems that manage and operate infrastructure such as power and water utilities.

It is also important to recognize the security vulnerabilities smart grids have created. Although they provide the industry with critical capabilities such as real-time dynamic pricing, demand control response and line loss analysis, hooking up critical systems such as SCADA to smart grid networks has connected aging infrastructure to modern Internet Protocol (IP) networks. Anything with an IP address can be a target for an attacker, but the odds of a successful hack increase dramatically when that infrastructure is out-of-date, poorly protected or both.

In ThreatTrack Security’s recent survey of IT security professionals in the energy sector, “Energy Companies and Financial Services Firms Remain Vulnerable to Data-Breaching Malware,” we found, somewhat surprisingly, that many respondents know their organizations are vulnerable. Forty-four percent of respondents said they expect their company will be targeted by an advanced persistent threat (APT), targeted malware attack or other sophisticated cybercrime or cyberespionage tactic within the next 12 months.

Many security professionals at energy companies are aware of the impending threat, but their abilities to combat these threats are questionable. In the survey, 37 percent of respondents said their endpoints had been infected at least once during the previous 12 months by malware that evaded detection by their traditional signature-based defenses such as antivirus, email security or firewalls. Email is the leading threat vector for energy companies; 61 percent identified email as the method through which their organization encounters the most malware.

Why is the U.S. energy sector not better able to defend against cyberattacks, given that its IT networks have been classified as critical components of the national infrastructure, additional attacks are expected within the next 12 months, and likely threat vectors have been identified?

If there were one word that could be used to describe why cyberattacks on the U.S. energy sector are so difficult to identify and neutralize, that word would be “complexity.” Fifty-five percent of survey respondents said the complexity of malware is their top cybersecurity challenge.

Attacks on energy concerns are highly customized, and the malware samples used might be completely new and not found in an antivirus signature list of known malware. There isn’t enough data on known attacks, and, therefore, not enough is shared. Unfortunately for power generation plants and those responsible for safeguarding their technology systems, being targeted by new malware is not rare.

Given hackers’ sophistication, success in defending against a SCADA system attack also depends on customization. Effective dynamic malware analysis sandboxes must be customized to replicate real-world environments and be tuned to detect attacks that target SCADA systems. This is a key step in generating data that can be used to identify and neutralize an attack. Unfortunately, generic, off-the-shelf sandbox solutions—or those configured to work on proprietary cybersecurity solutions of specific vendors—won’t work for attacks customized for SCADA systems or any other IT infrastructure that is not part of the generic sandbox environment; they are configured to cast a wide net that often lacks the ability to identify specific, targeted attacks that put energy companies at the most risk. Cybercriminals evade many sandbox technologies. It is increasingly common for an attack to employ automated reconnaissance to ensure it is being run in an actual live production environment. If it determines that it is being run within a virtual-machine sandbox, the malware will not execute a specific phase of its attack, thus avoiding detection.

Consequently, another critical capability for effective dynamic malware analysis is the flexibility to run on physical hardware to prevent virtual machine-aware malware samples from evading detection. Many rudimentary sandboxes run only in virtual environments. Being able to configure a bare-metal analysis environment is another way to ensure SCADA-seeking malware is identified and stopped.

Finally, the key to stopping those SCADA attacks comes from deploying a malware analysis tool that enables users to recreate their entire application stacks, including the systems and applications that connect to and manage SCADA devices. This is because the attack might require that the sandbox employ a specific application (e.g., Adobe Reader) or a specific version of an application.

Also critical, a sandbox must be capable of flagging suspicious activity unique to any organization’s environment by employing a customized rule set to automate the detection process. The rule set could be configured to flag specific activity, such as attempts to discover certain users, host names and SCADA software, as well as attempts to scan on the networks and ports that SCADA systems use.
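
As an added illustration (not from the article and not any vendor's product), a rule set of this kind can be written as a small evaluator over the events a sandbox records for one run. The event schema, the host and account names, the subnet and the ExampleHMI software name are constructed placeholders; the port numbers are the standard ones for S7comm, Modbus/TCP, DNP3 and EtherNet/IP.

```python
import ipaddress
import re

# Constructed site profile: every name and subnet here is a placeholder.
SCADA_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}
SCADA_NETS = [ipaddress.ip_network("10.20.0.0/16")]
WATCH_NAMES = re.compile(r"scada-hist01|hmi-eng02|svc_scada|opc_admin", re.I)
SCADA_SOFTWARE = re.compile(r"\\SOFTWARE\\ExampleHMI|ExampleHMI\.exe", re.I)
SCAN_THRESHOLD = 3  # distinct control-network hosts probed in one run

def evaluate(events):
    """Return the sorted rule names triggered by one sandbox run."""
    hits, probed = set(), set()
    for ev in events:
        kind, detail = ev["type"], ev.get("detail", "")
        # Attempts to discover site-specific users and host names.
        if kind in ("process_create", "dns_query", "ldap_query") and WATCH_NAMES.search(detail):
            hits.add("discovery:users_or_hosts")
        # Attempts to find installed SCADA software.
        if kind in ("registry_read", "file_read") and SCADA_SOFTWARE.search(detail):
            hits.add("discovery:scada_software")
        # Connections to control-protocol ports inside the SCADA networks.
        if kind == "net_connect" and ev["dst_port"] in SCADA_PORTS:
            dst = ipaddress.ip_address(ev["dst_ip"])
            if any(dst in net for net in SCADA_NETS):
                probed.add(ev["dst_ip"])
    if len(probed) >= SCAN_THRESHOLD:
        hits.add("scan:scada_ports")
    elif probed:
        hits.add("connect:scada_port")
    return sorted(hits)

# Constructed sandbox event records (not real telemetry).
SAMPLE_RUN = [
    {"type": "process_create", "detail": "net user svc_scada /domain"},
    {"type": "dns_query", "detail": "scada-hist01.corp.example"},
    {"type": "registry_read", "detail": r"HKLM\SOFTWARE\ExampleHMI\InstallPath"},
    {"type": "net_connect", "dst_ip": "10.20.1.10", "dst_port": 502},
    {"type": "net_connect", "dst_ip": "10.20.1.11", "dst_port": 502},
    {"type": "net_connect", "dst_ip": "10.20.1.12", "dst_port": 502},
    {"type": "net_connect", "dst_ip": "192.0.2.10", "dst_port": 443},
]
BENIGN_RUN = [
    {"type": "dns_query", "detail": "update.example.com"},
    {"type": "net_connect", "dst_ip": "192.0.2.10", "dst_port": 443},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_RUN))
    print(evaluate(BENIGN_RUN))
```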

Once the exact attack environment has been recreated and the appropriate rules have been set up, it becomes a matter of automating and repeating the process to collect data, then using that data to fully understand each threat and the risk to the organization. This will improve response times from days or hours to just minutes by using behavioral analysis data collected as guidance to identify, prioritize and remediate threats.

Protecting critical energy infrastructure is difficult. Many legacy systems are out-of-date and are being targeted increasingly by bad actors of all stripes because of the potential havoc that could result from a well-orchestrated attack.

Those entrusted with protecting this critical infrastructure must seek a dynamic, highly customizable malware analysis solution that allows them to recreate their entire application stacks, including virtual and native environments. Using such a solution provides the ability to detonate malicious code in a customized sandbox to see exactly how malware will behave. Once they have cracked the code of the attack, they can automate the analysis of malware samples and collect valuable data related to the attack—data that can be shared across organizations and used to break the chain of events leading to cyberattacks.

Customization, automation and data sharing provide the answer to the question of how the energy sector can identify and neutralize cyberattacks and protect some of the most critical infrastructure in the U.S.

Julian Waits Sr. is president and CEO of ThreatTrack Security, where he guides the company’s growth as it traverses the enterprise security market with threat analysis, awareness and defense solutions that combat advanced persistent threats, targeted attacks, zero-day threats and other sophisticated malware.
