It is hard to think of another facility more crucial than power distribution facilities, which control everything from turning on the lights in homes to running critical infrastructure systems. The US Institute for Critical Infrastructure Technology (ICIT) recently labelled what it terms ‘disruptionware’ in the context of an attack on a national energy grid as “a weapon of mass destruction.”
Western countries have been concerned about the threat of cyber-attacks crippling energy grids ever since the Russian targeting of the Ukrainian power grid in 2015 and, more recently, indictments by the US Department of Justice against two Chinese threat actors for targeting groups including a Department of Energy site.
The same group that targeted the Ukrainian grid, named as Dragonfly or Energetic Bear, was subsequently alleged to have been responsible for numerous other attacks on energy facilities, including a major attack on the UK power grid, which only came to light as a result of a leaked memo from GCHQ and the UK National Grid, has been on high alert for cyber-attacks since the start of the COVID-19 crisis.
Yet these vital facilities are not only poorly protected when compared to many other types of organization, but are also becoming increasingly vulnerable to cyber-attacks. Threats such as Trisis, Industroyer and BlackEnergy are now increasingly deployed in order to exploit a growing number of glaring vulnerabilities within power distribution systems.
The push to modernize power distribution facilities has brought in its wake a host of new entry points for threat actors to exploit. The rapid shift to smart grids means that utilities are now adding tens of thousands of largely unprotected devices such as new sensors, controllers, relays and meters.
Existing perimeter security is currently largely incapable of controlling all entry points to the network; once any one of these is bypassed, attackers can access a wide range of assets and remain undetected for long periods of time. Increasing connectivity of OT networks to remote sub-stations as well as to organizational systems also brings with it a host of vulnerable and often unsecured entry points.
Automation components, such as programmable logic controllers (PLCs) function via microprocessors and contain function-specific software programming. They also have management and communications capabilities running over network paths. These have been a major target for cyber-attacks as a means of gaining access to control systems.
Legacy industrial control system (ICS) protocols such as Modbus and DNP3, commonly used throughout power systems, have little or no security measures and lack authentication capabilities. These can easily be intercepted, spoofed or altered - potentially causing a dangerous event in the operations environment.
Like many other utilities, power distribution organizations also increasingly rely on remotely accessible equipment and mobile devices. While this has an immediate payback in terms of efficiency and convenience, it has also created vulnerabilities stemming from unsecure access or from connection to critical systems via remote tools and devices.
Coming from a world of stand-alone secure systems, many vendors of ICS systems also unwittingly create ‘backdoor’ access to devices and software, which are easy to exploit. Some vendors are even known to threaten to void equipment warranties should their products be reconfigured from the original factory settings by changing passwords or installing unapproved security packages.
The absence of constant network monitoring systems in most OT networks means that many utilities cannot even obtain basic forensic data related to cyber intrusions and attacks. This not only leaves such facilities vulnerable to financially motivated ransomware demands, but also to potentially devastating attacks from state-sponsored threat actors bent on causing physical destruction as well as economic damage.
Badly secured facilities mean that potentially highly destructive intrusions can sit on a power distribution network’s system undetected for months until they are triggered at a time calculated to cause maximum damage, possibly coinciding with other forms of attack or during a period of social unrest or national emergency such as the current COVID-19 crisis.
In order to protect against system abuse or cyber-attacks, power distribution networks must provide real-time monitoring across their newly-extended security perimeters in order to detect anomalous and non-authorized behavior while addressing both external and internal attack vectors.