Russian agents have launched a cyberattack on the power grid in the US! That was the message of a somewhat alarming news story that recently hit the headlines. As Reuters put it, ‘malware associated with Russian hackers has reportedly been detected within the system of a Vermont electric utility.’ Yet days later, the story was debunked as something of an exaggeration. Far from being a sophisticated, deliberate cyberattack, it seems that an employee at the Burlington Electric Department simply logged on to check his email and connected to a potentially suspicious IP address – an IP address that is not always linked with malicious activity anyway.
So we can all just heave a sigh of relief, right? Wrong. These days, most cyberattacks are so complex that it is difficult for experts to attribute them to specific countries or organizations – at least in the days immediately following an attack. And utility companies and power grids are undoubtedly cybercrime targets – in December 2015 an attack resulted in a power blackout in a region of Ukraine. Indeed, we recently blogged about the very real fear that nuclear power plants may soon be targeted by cybercriminals, because the computer systems running many such organizations contain surprisingly basic vulnerabilities.
Power grids and utility companies depend on industrial supervisory control and data acquisition (SCADA) systems – which in turn are controlled by operational technology (OT) systems. A cybercriminal with access to the OT in such an organization can take control of the programmable logic controllers and remote units that control industrial equipment. In a utility company, this could mean, essentially, switching off the electricity to a particular region.
How can cybercriminals gain this access? Well, if they are able to get inside the IT networks within such an organization, they can then steal usernames, passwords and other sensitive credentials that will grant them access to the virtual private networks (VPNs) that link up the IT and OT systems. Then it’s just a case of breaching the firewalls between the two.
And here’s where it gets really problematic. OT systems in utility organizations typically run severely out-of-date software – many are only just migrating to Windows 7, which is already nearly a decade out of date in the IT realm. Such out-of-date software dramatically restricts visibility and control on the OT side of the fence.
Little wonder, then, that a recent SANS Institute report on cybersecurity for utility companies, The Industrial Control System Cyber Kill Chain, advises that it is crucial for utility firms and power grids to be able to identify cyber threats at Stage 1, before they have proliferated into full-scale Stage 2 attacks. As the report puts it, ‘sustained access provides the opportunity for attackers to initiate follow-on actions later if they align with national security or military goals and/or criminal objectives.’
In practice, this means that industrial computer networks need two levels of protection – the early detection and prevention outlined in the SANS report, but also sophisticated event intelligence and analysis to ensure that when a data breach does occur it can be rapidly assessed, isolated and repaired. The technologies available to deliver this protection are familiar – next-generation firewalls, anti-virus and sandboxing, intrusion prevention systems – but they need to be built up into a sophisticated security fabric, and complemented with internal systems to ensure that only authorized access is allowed.
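The attack path described above runs from the IT network, through stolen credentials, across the IT/OT boundary; the defensive requirement is that only authorized access crosses that boundary and that anything else is surfaced early, at Stage 1. The following is an added example, not code from the original post or from any vendor or the SANS report: a small Python audit that reads boundary firewall log lines and flags every IT-to-OT flow that is not on an explicit authorization list, whether the firewall allowed it or not. The log format, the IT and OT address ranges, the authorization list and the sample log lines are all constructed for this example.

```python
"""Added example (not part of the original post): flag IT->OT flows that are
not explicitly authorized, using constructed firewall/VPN log lines.
Network ranges, the authorization list and the log format are assumptions."""
import ipaddress
from dataclasses import dataclass

IT_ZONE = ipaddress.ip_network("10.20.0.0/16")     # assumed corporate IT range
OT_ZONE = ipaddress.ip_network("172.16.40.0/24")   # assumed SCADA/OT range

# Assumed authorization list: (source host, destination port) pairs permitted
# to cross the IT->OT boundary, e.g. a hardened jump host reaching an
# engineering workstation over RDP. Every other crossing is reported.
AUTHORIZED = {
    ("10.20.9.2", 3389),
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    dport: int
    user: str
    reason: str


def parse_line(line):
    """Parse one constructed '<timestamp> key=value ...' log line into a dict."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"timestamp": ts}
    for token in rest.split():
        key, _, val = token.partition("=")
        fields[key] = val
    fields["dport"] = int(fields["dport"])
    return fields


def crosses_boundary(fields):
    """True when the flow originates in the IT zone and targets the OT zone."""
    return (ipaddress.ip_address(fields["src"]) in IT_ZONE
            and ipaddress.ip_address(fields["dst"]) in OT_ZONE)


def check_flow(fields):
    """Return a Finding for an unauthorized IT->OT flow, or None if it is
    either not a boundary crossing or an explicitly authorized one."""
    if not crosses_boundary(fields):
        return None
    if (fields["src"], fields["dport"]) in AUTHORIZED:
        return None
    reason = "unauthorized IT->OT flow"
    # An *allowed* unauthorized crossing means the firewall rule base itself
    # is too permissive; a denied one is still worth seeing as a Stage 1 signal.
    if fields.get("action") == "allow":
        reason += " permitted by firewall (review rule base)"
    return Finding(fields["timestamp"], fields["src"], fields["dst"],
                   fields["dport"], fields.get("user", "-"), reason)


def audit(lines):
    """Run check_flow over every non-empty log line and collect the findings."""
    return [f for f in (check_flow(parse_line(l)) for l in lines if l.strip()) if f]


# Constructed sample log: one authorized RDP session from the jump host, one
# allowed Modbus/TCP (port 502) connection from an ordinary IT workstation, one
# IT-internal HTTPS flow, and one denied SSH attempt from a service account.
SAMPLE_LOG = """\
2017-01-05T10:12:03Z src=10.20.9.2 dst=172.16.40.7 dport=3389 user=eng01 action=allow
2017-01-05T10:14:41Z src=10.20.5.14 dst=172.16.40.7 dport=502 user=jdoe action=allow
2017-01-05T10:15:02Z src=10.20.5.14 dst=10.20.1.1 dport=443 user=jdoe action=allow
2017-01-05T10:16:30Z src=10.20.7.33 dst=172.16.40.12 dport=22 user=svc-backup action=deny
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.user}@{f.src} -> {f.dst}:{f.dport}: {f.reason}")
```

On the sample log the audit reports two findings: the allowed workstation-to-PLC connection on port 502 (the more serious one, because the firewall let it through) and the denied SSH attempt from the backup service account. The design point is that the authorization list, not the firewall's verdict, is the reference: a permissive rule base is exactly the gap the post describes between IT and OT, and auditing against an explicit list of who is supposed to cross makes that gap visible before sustained access is established.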
The news that Russian agents probably haven’t been trying to gain control of the US power grid isn’t a message for utility firms to sit back and relax. Rather, it should underline just how complicated the process of attributing a source to today’s cyberattacks can be. Critical infrastructure organizations need to get their security in order now, adopting a proactive approach to new and emerging threats to their computer systems.