Cyber attacks on the energy industry are gaining momentum, especially now that the utility of the future is being forced to embrace digitization and integrate new technologies. [Digitalization - the next lever to create value out of data].
In fact, the US Department of Homeland Security's Industrial Control Systems Computer Emergency Response Team (ICS-CERT) reported that 32% of the cyber security incidents reported to it in fiscal year 2014 involved the energy sector, and there is every reason to expect that share to grow. [Cyber Security: How Utilities Can Reduce Threat] and [Cybersecurity In Focus].
The most recent event occurred in Israel in January 2016, when the Israel National Electric Authority shut down some of its computer systems for two days while it cleaned malware off infected machines so that the infection could not spread to other systems.
While Israeli cyber analyst Eyal Sela downplayed the incident in a letter to an industrial control systems website, Dr. Yuval Steinitz, the Minister of National Infrastructure, Energy and Water Resources, announced at the CyberTech conference in Tel Aviv that a "severe cyber attack" was ongoing against the Israel National Electric Authority.
He added that taking systems offline is not the preferred response and described the incident as "one of the biggest computer-based attacks Israel's power authority has experienced." Israel's Electricity Authority is a department of the country's Ministry of Energy and is separate from the Israel Electric Corporation, the state-owned utility company.
While it was "only" ransomware delivered via a phishing attack that hit the Israel Electric Authority, and not the power grid itself, it is too close for comfort.
As Dr. Steinitz put it at the conference: “This is a fresh example of the sensitivity of infrastructure to cyberattacks and the importance of preparing ourselves in order to defend ourselves against such attacks.”
The attack came only five weeks after Ukraine's power grid was successfully disrupted in what is believed to be the world's first known hacker-caused power outage. Researchers still are not sure whether the malware (possibly BlackEnergy) was the direct cause of the blackout, which left hundreds of thousands of homes without electricity, but they have confirmed that the malware package infected at least three of the regional power authorities involved in the outage. Researchers have since said the attack was extremely well coordinated.
Researchers from security firm iSIGHT Partners confirmed it would be the first known instance of someone using malware to generate a power outage.
"It's a milestone because we've definitely seen targeted destructive events against energy before—oil firms, for instance—but never the event which causes the blackout," explained John Hultquist, head of iSIGHT's cyber espionage intelligence practice. He adds: "It's the major scenario we've all been concerned about for so long."
Malware updates targeting energy sector
In the past, BlackEnergy has been used to carry out espionage against news organizations and industrial groups, but the energy sector now appears to be its new target.
BlackEnergy was discovered in 2007 and was updated two years earlier (in 2014) to include a host of new functions, including the ability to render infected computers unbootable. Researchers from antivirus provider ESET, who confirmed the presence of BlackEnergy at the three Ukrainian power authorities, have revealed that the malware was updated again to add a component dubbed KillDisk, which destroys critical parts of a computer's hard drive and also appears to have functions aimed at sabotaging industrial control systems.
The latest BlackEnergy also includes a backdoored secure shell (SSH) utility that gives attackers permanent access to infected computers.
The KillDisk component, found at several electricity distribution companies in Ukraine, is theoretically capable of shutting down critical systems by wiping the hosts that run them.
However, there is another possible explanation. The BlackEnergy backdoor, as well as the recently discovered SSH backdoor, gives attackers remote access to infected systems. After successfully infiltrating a critical system with either of these trojans, an attacker would, again theoretically, be perfectly capable of shutting it down by hand. In that case, the planted KillDisk destructive trojan would serve to make recovery more difficult rather than to cause the outage itself.
According to ESET, the Ukrainian power authorities were infected via malicious macros embedded in Microsoft Office documents delivered to staff.
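Since the initial access described above relied on Office documents carrying VBA macros, the first practical control is to detect macro-bearing attachments before a user ever opens them. The following is an added example, not code from the original article or from ESET: it inspects an OOXML (Office 2007+) document, which is a ZIP container, for the VBA project part and for the content-type declaration that announces it, and flags the especially suspicious case of a macro inside a file whose extension (.docx) claims to be macro-free. The sample documents are constructed in memory for the demo; the vbaProject.bin payload is a stub, not a real macro.

```python
"""Flag OOXML Office documents that embed VBA macros.

Added example (not from the original article). Macro-enabled Office files
(.docm/.xlsm/.pptm) are ZIP containers that store the VBA project as a
binary part named vbaProject.bin and declare it in [Content_Types].xml
with the content type application/vnd.ms-office.vbaProject. A mail
gateway or file-share scanner can flag that part without running anything.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
# Extensions that legitimately carry macros; a VBA part behind any other
# extension means the attacker is hiding the macro-enabled format.
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}


def scan_office_document(filename, data):
    """Return a dict: is_ooxml, has_macro, macro_parts, extension_mismatch.

    Legacy OLE2 binaries (.doc/.xls) are not ZIPs and fall out as
    is_ooxml=False; they need an OLE stream parser, which is out of scope here.
    """
    result = {"filename": filename, "is_ooxml": False, "has_macro": False,
              "macro_parts": [], "extension_mismatch": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True

    # 1. The VBA binary part itself, under word/, xl/ or ppt/.
    parts = {n for n in names if n.lower().endswith("vbaproject.bin")}

    # 2. The content-type override; catches a renamed part as well.
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    for override in root.iter(CT_NS + "Override"):
        if override.get("ContentType") == VBA_CONTENT_TYPE:
            parts.add(override.get("PartName", "").lstrip("/"))

    result["macro_parts"] = sorted(parts)
    result["has_macro"] = bool(parts)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result["extension_mismatch"] = result["has_macro"] and ext not in MACRO_EXTENSIONS
    return result


def build_sample(with_macro):
    """Construct a minimal Word OOXML container in memory (demo input only)."""
    overrides = ['<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
    if with_macro:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="%s"/>' % VBA_CONTENT_TYPE)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    + "".join(overrides) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE2 magic bytes followed by padding: a stub, not a real VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("report.docx", build_sample(False)),
                       ("invoice.docm", build_sample(True)),
                       ("invoice.docx", build_sample(True)),   # macro hidden behind .docx
                       ("legacy.doc", b"\xd0\xcf\x11\xe0 not a zip")]:
        print(scan_office_document(name, blob))
```

Flagging is only the first step: the usual gateway policy is to quarantine or strip attachments where has_macro is true and to treat extension_mismatch as a high-confidence phishing indicator, since legitimate senders have no reason to disguise a macro-enabled document. Legacy .doc/.xls files store macros in OLE2 streams and need a dedicated OLE parser, so a scanner built on this check alone does not cover them.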
Cyber security: no sleep for the energy sector
It is unsettling that industrial control systems used to supply power to millions of consumers can be compromised through such a simple social-engineering tactic as a malicious e-mail attachment. It is equally worrying that malware is now being used to create power failures with dire consequences for cities and even countries.
To avoid this scenario, the sector has to treat cyber security as an ongoing process, constantly monitoring and hardening its infrastructure against attacks that will keep reinventing themselves. [Cybersecurity - No Finish Line].
It must also be said that cyber security technology on its own can only partially address the threat. [Cybersecurity For The Critical Infrastructure Sector]. Utilities also need to put the right organization and processes in place early on to complement their protective technologies. One potential approach is for utilities and vendors to develop standardized processes together, so that controls such as secure device configuration remain effective in a multivendor environment.