By Rod Walton, Senior Editor
Hackers are not the kind of secret agents who need to sneak over borders to attack U.S. energy infrastructure. They are already here (virtually speaking) and getting closer to their objectives all the time.
Using the parallel of wartime, these hackers are online enemy patrols which have invisibly probed into the front lines, looking for weaknesses and attack points that present the best possible chance of success. They may want credit card information or even notoriety. Sometimes their motivation is terror, chaos and infrastructural damage, such as trying to bring down part of the power grid within a city or even blacking out giant swathes of the U.S.
“The knowledge is out there, the intent is out there, and the capacity is out there,” said Jonathan Pollet, founder of Houston-based firm Red Tiger Security. “Now we’re just waiting for someone motivated enough, by money or political events, to take advantage.”
This hasn’t happened yet, but the potential is getting closer as bad actors compile knowledge of the grid’s cyber weaknesses and gather illicit financial support for their efforts. A USA Today report earlier this year indicated that the U.S. Department of Energy was under constant siege in recent years, with 1,131 attempted cyberattacks from 2010-2014. The hackers were successful about 14 percent of the time, or in 159 of the attempts, according to the article.
“I think it’s very likely” an attack on a utility company could be successful someday soon, maybe within three years, Pollet added.
Another report, this one released in September by the cybersecurity ratings firm BitSight, indicates that the energy industry ranks only fair to middling when it comes to cybersecurity efforts. The energy-utility sector was ranked fourth among sectors, slightly above health care and behind finance, government and retail. Education was categorized, far and away, as the sector most vulnerable to cyberattack by BitSight.
BitSight researchers noted a dip in the energy-utility sector, finding it the most exposed to vulnerabilities such as POODLE and FREAK. The report indicated growing concern about the cybersecurity posture of these companies even as more control systems are being brought online.
Cybersecurity is kind of like the offensive line in football. The casual fan only notices them when something goes wrong. It’s a thankless task but one which has to be done.
“This is going on inside companies every day,” said Stephen Boyer, co-founder and chief technology officer of BitSight. “There is a battle going on between attackers and defenders. It’s very, very hard to be perfect.”
Hacker attacks against Target, Sony and Ashley Madison certainly gained much attention, embarrassed many and have alarmed consumers, but Boyer said the “scary parts” of cybersecurity for utilities “are the things we don’t know about.”
Hackers glean inside knowledge, trick users into giving up passwords and protocols and leave footprints that take precious time to track down. Cybersecurity experts in the U.S. are well aware of the threats coming from China, Russia and Iran, among many other places, but the attacks could originate from anywhere, even on American soil.
“Attribution is very hard,” Boyer said. “The power goes off and no one knows who it is.”
One saving grace, surprisingly, is that the U.S. power grid is not one seamless piece, but rather numerous separate systems. For that reason, many experts do not think that cyber terrorists could pull off a continent-wide blackout. But they could still pose a threat of turning off power within a city or region.
Del Rodillas, solution lead for SCADA and industrial control systems at Palo Alto Networks, said he cannot rank the energy-utility sector’s preparedness compared to other industries. But what he worries most about is a perceived disconnect between two distinct, yet connected parts of the power companies.
“What I can say is within the energy-utility organization, there is a stark contrast in the level of security between the IT (information technology) environment and operational technology (OT) environment,” Rodillas said. “Keep in mind, though, that the staff securing IT environments in energy and utility companies are typically separate from the staff in OT responsible for security and not always working in unison. The IT environment in the energy-utility may be cutting edge, but the OT environment is typically lagging.”
For instance, through various and relatively easy means, a world-class hacker can find the name of a SCADA engineer working for a utility. They then try to get that engineer’s email address and, once they have it, send the engineer an email that entices the target to click on something that might be of personal or professional interest.
Once clicked, a rootkit is installed on the desktop that both masks the software’s existence and intent and gives the hacker remote access to the computer, Pollet pointed out. For the past two years, his company has identified such kits moving through corporate networks, looking for Open Platform Communications (OPC) servers and gathering more database information about SCADA systems.
“I know they have access to the system, and they’re able to read information off the system,” Pollet said. “We have not seen an adversary remotely command a SCADA system. That’s the last piece they are missing. I think they are close.”
What to do about the barbarians at the gate? BitSight’s Boyer said he was actually encouraged about the USA Today report on the hacks into the U.S. Department of Energy. Once every four days there is a physical or virtual attack on the U.S. power infrastructure, so putting utility defenders on higher alert is a good idea.
“The awareness is probably at an all-time high,” Boyer said. “They are very much aware and asking these sort of questions.”
The federal government is getting on board. A new cybersecurity framework, directed by the White House and supported by industry, was announced last year by the National Institute of Standards and Technology. The NERC CIP standards and ICS-specific guidance such as NIST SP 800-82 certainly have helped increase awareness, Palo Alto Networks’ Rodillas noted.
“It helps with raising the bar for successful cyberattacks,” Rodillas said. “However there is still a ways to go to have these personnel understand how targeted attacks work.
“Forget about deploying tools for detecting and stopping (attacks),” he added. “Many OT personnel don’t even know these tools exist. Getting one’s organization educated is an important first step.”
Red Tiger Security is advising its clients to isolate their control systems from corporate networks. The industry also needs to do more work securing the growing smart meter infrastructure, given the bi-directional nature of that communication.
Harden the perimeter, Pollet added. Sounds like war. And it sounds imminent.
“I think it’s very likely,” he said. “I think it’s above 60 to 70 percent likely that it could happen in the next five years.”