by Sahba Kazerooni, Security Compass
In the past few years, the cyberthreats against electric and gas utilities have accelerated dramatically.
Breaches that once primarily were caused by negligent or malicious insiders are now more likely results of state-sponsored cyberespionage campaigns, organized criminal groups and “hacktivists.”
A new wave of cyberattacks is targeting the energy industry. To combat them, electric and gas industry officials must take a stronger, more proactive stance on cybersecurity.
One of the top new risks is called the distributed denial-of-service (DDoS) attack.
To call DDoS new is a bit ironic because these attacks have existed since the dawn of the Internet. But in the past two to three years, they’ve experienced a renaissance of sorts, with significant technological improvements that make them exponentially more powerful than previous attacks, widespread availability of “rent-a-bots” that make it easier for hackers to launch these attacks, and the increasingly criminalized nature of these attacks, which makes them more dangerous.
According to Verizon’s “2014 Data Breach Investigations Report,” 14 percent of all cyberattacks on utilities came from DDoS attacks in 2013.
That makes it the third-most common cyberattack on utilities.
In addition, utilities were the fifth-worst industry in data breaches that resulted in lost or stolen data, according to the report.
One example of the threat posed by DDoS is the February 2013 attack on a large municipal electric, water and sewer utility, which resulted in a two-day outage of the utility’s website, online payment system and automated pay-by-phone billing system.
In April 2014, Connecticut’s state utility regulators reported multiple electric, gas and other utilities also had been breached by hackers.
A DDoS attack occurs when a hacker or group of hackers floods a company’s computer network or website with bogus data or requests to overwhelm it to the point where it can no longer function or serve legitimate users.
But a DDoS attack is more than simply shutting down a website temporarily; the damage from these attacks can extend far deeper into the corporate network so that internal network operations slow down or halt, payment transactions can no longer be processed, and the network architecture might be damaged.
It even can disrupt industrial control systems such as supervisory control and data acquisition (SCADA) and programmable logic controllers (PLCs), which should be of particular concern for utilities.
They also can be used by sophisticated hackers to facilitate more dangerous secondary attacks.
Utility executives must be aware of four ways that DDoS attacks have evolved recently:
- Far more powerful. DDoS attacks have been around for two decades, but today’s iteration of this attack is far worse. Previously, attacks rarely reached the level of a 1 gigabyte per second (Gbps) network traffic flood; but today, this level is common because of technical changes in how a DDoS attack works. Some attacks are scaling as high as 50 Gbps. This massive increase in power makes it more difficult for utilities and other companies to block these attacks using older methods and requires more advance simulated testing.
- Commercialization. It used to require some skill to launch a DDoS attack. First, you had to create a “botnet,” i.e., a network of thousands of infected computers that can be controlled remotely by the attacker, to generate the bandwidth needed to overwhelm a corporate computer network. But because of the rise of rent-a-bot services in the dark Web, it’s easy for any criminal, regardless of his or her level of sophistication, to pay a nominal fee to rent this type of criminalized computer network and launch an extremely powerful DDoS attack.
- More expensive for victims. DDoS attacks cost victims $40,000 per hour (estimated average across all U.S. industries), with an average duration of six to 24 hours, according to a recent Incapsula report. That makes the average cost of a single DDoS incident $500,000.
- Increased criminalization. Past DDoS attacks didn’t generate revenue for hackers. This is no longer the case. Hackers increasingly are using DDoS attack cyberextortion schemes (46 percent of all DDoS attacks, according to Incapsula), whereby the hacker demands a large ransom to stop disabling the company’s network. This attack would be particularly effective on utilities, as a disruption in consumer services would be devastating. Hackers, however, also are finding that DDoS attacks can be highly effective at distracting and overwhelming a company’s information technology (IT) and security teams, which enables them to launch more damaging secondary attacks such as customer data theft (33 percent) or implanting viruses and malware (50 percent).
All of these developments should alarm utility executives, but the potential for secondary attacks is of greatest concern. The energy industry faces a growing level of sophistication by those who attack it. For instance, in recent years, it has faced advanced state-sponsored campaigns like BlackEnergy, Energetic Bear, Mirage and Night Dragon, as well as numerous ongoing campaigns by China’s PLA Unit 61398. The industry is not adjusting its cyberdefenses to manage these threats better. A recent Ponemon Institute report found that only 28 percent of energy, utility and manufacturing companies say security is a top priority, and 83 percent say their company has not achieved a mature level of cybersecurity.
For the electric and gas industries to keep up with the growing cyberthreat, they must:
- 1. Establish a DDoS policy. First, electric and gas utilities must establish a firm, clear and comprehensive policy that prepares the organizations for a potential DDoS attack, including the mitigation and recovery phases. This policy should guide decision-making during an attack and educate and inform employees. It also should answer key questions ahead of time, such as: How will the utility maintain its normal operations during an attack? How will it prevent an attack from affecting its industrial control systems? How will it respond to ransom requests?
- 2. Avoid detection mistakes. Most organizations are caught off guard initially when hit by a DDoS attack. They mistakenly think the network slowdown or outage is the result of a software or hardware glitch, so they waste time trying to find the problem. Time is critical in a DDoS attack, and early detection is key. A utility must establish baseline measurements of its normal network traffic now so when its traffic suddenly spikes, it can determine quickly if this is a result of a DDoS incident. The faster a utility can respond, the more likely it is to save money, limit damage and prevent secondary attacks.
- 3. Have go-to experts. Utilities need to plan for DDoS attacks that will surpass their in-house teams’ abilities to respond effectively. Create a list of emergency contacts the company can turn to 24/7 to mitigate the attack and control damage. For example, a third-party DDoS mitigation service will be helpful at rerouting traffic and scrubbing out illegitimate traffic. In addition to having technical advisors on standby, a utility also should know the proper government, legal and regulatory entities it can turn to for advice, recommendations and notification purposes.
- 4. Simulate the worst attacks. The only way to know if a utility’s network and team are prepared for an advanced DDoS attack is by running a simulated test known as DDoS black-box testing. This allows a company to see exactly how its network and personnel will perform under the stress of a real-world attack and whether its defense is sufficient. During a test, a company can monitor its systems live while working directly with the testing team to direct the attack as it sees fit (such as scaling it up or down, changing what part of the network is being attacked, etc.). The utility then can tweak its defenses and make it harder for future attacks to succeed. Because of potential risks, it’s important that these tests be performed in a controlled environment by a qualified DDoS black-box testing team.
- 5. Thwart secondary attacks. Because the risk of secondary attacks is high, utilities must ensure their personnel (particularly the executives and IT teams) keep up their vigilance during a DDoS attack. Examples include: expecting social engineering attacks (e.g., email phishing) that will seek to exploit the confusion during a DDoS crisis; keeping a close watch on network alerts issued by monitoring systems; and responding quickly to any unusual network activity.
- 6. Cyberinsurance. Last, utilities should make sure DDoS incidents are covered by their cyberinsurance plans, including costs associated with mitigation attempts, downtime, cyber ransoms, etc.
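The baseline-then-spike check that step 2 calls for, and the quick triage of unusual network activity in step 5, as an added example that is not part of the article or of Security Compass’s tooling. It assumes constructed log lines of the form "minute source_ip path" for a customer payment portal; the z-score threshold and the distinct-source cutoff are illustrative values an operator would tune against their own traffic.

```python
# Added example: build a normal-traffic baseline and classify a minute of traffic.
# Not from the article; log lines and thresholds are constructed for illustration.
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample log: minutes 0-4 are normal portal traffic from a small set of
# source addresses; minute 5 is a flood of requests from many different sources.
SAMPLE_LOG = []
for minute in range(5):
    for i in range(40 + minute * 2):
        SAMPLE_LOG.append(f"{minute} 10.0.{i % 3}.{i % 50} /pay")
for i in range(900):
    SAMPLE_LOG.append(f"5 203.0.113.{i % 200} /pay")


def per_minute_stats(lines):
    """Return {minute: (request_count, distinct_sources)} from 'minute ip path' lines."""
    requests = Counter()
    sources = defaultdict(set)
    for line in lines:
        minute, ip, _path = line.split(maxsplit=2)
        requests[int(minute)] += 1
        sources[int(minute)].add(ip)
    return {m: (requests[m], len(sources[m])) for m in sorted(requests)}


def build_baseline(stats, baseline_minutes):
    """Mean and standard deviation of request counts over known-normal minutes."""
    counts = [stats[m][0] for m in baseline_minutes]
    return mean(counts), pstdev(counts)


def classify_minute(stats, minute, baseline, z_threshold=4.0, min_sources=100):
    """'flood': rate far above baseline from many sources (distributed flood);
    'spike': rate far above baseline from few sources (single source or a glitch,
    investigate before treating as DDoS); 'normal' otherwise."""
    count, distinct = stats[minute]
    mu, sigma = baseline
    if sigma == 0:
        z = float("inf") if count > mu else 0.0
    else:
        z = (count - mu) / sigma
    if z < z_threshold:
        return "normal"
    return "flood" if distinct >= min_sources else "spike"


if __name__ == "__main__":
    stats = per_minute_stats(SAMPLE_LOG)
    baseline = build_baseline(stats, range(5))  # minutes 0-4 are the known-normal window
    for m in stats:
        print(m, stats[m], classify_minute(stats, m, baseline))
```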
The risks posed by DDoS attacks have changed considerably during the past few years and should not be overlooked by the electric and gas industry. With the proper planning and preparation, it is possible to defend against these attacks and limit their potential damage.
Sahba Kazerooni is managing director of Security Compass, where he oversees the DDoS Strike program and its advisory division for Fortune 500s. A former software developer, he is CSSLP certified and leads OWASP’s flagship ASVS project. Security Compass specializes in cybersecurity services for the energy, finance, technology and health industries. Email firstname.lastname@example.org.