The energy sector has become a major focus for targeted attacks and is now among the top five most targeted sectors worldwide.
Companies in the sector are facing a growing risk of having their services interrupted or losing data. The threat to energy firms is only likely to increase in the coming years as new developments, such as further extensions of smart grids and smart metering, expose more infrastructure to the Internet. Equipment that is not connected to the Internet or other networks is not immune to threats either; there have already been a number of successful attacks against isolated systems. Operators of critical infrastructure, as well as energy utility companies, need to be aware of these threats and prepare accordingly.
The threat to energy firms comes from several different sources. In some cases, espionage from competitors is the primary motive, with data on new projects, exploration and finances being targeted. Disruption and destruction are the goals of other attacks. Some appear to be state sponsored, such as the disruption of the Iranian nuclear program by the Stuxnet worm in 2010, one of the attacks that began this trend. Others appear to be the work of hacktivists with political or environmental agendas. Internal attackers, such as disgruntled employees, are also a major source of attacks and often cause service disruption. Most of the actors behind these attacks have grown more sophisticated in the way they operate.
During the monitoring period from July 2012 to June 2013, we observed an average of 74 targeted attacks per day globally. Of these, nine attacks per day targeted the energy sector. Accounting for 16.3 percent of all attacks, the energy sector was the second most targeted vertical in the last six months of 2012, with only the government/public sector exceeding it with 25.4 percent of all attacks. The high ranking was mainly due to a major attack against a global oil company, which we observed in September 2012.
However, in the first half of 2013 the energy sector continued to attract a high proportion of attacks, ranking in fifth place with 7.6 percent of targeted attacks.
Not all of the attacks analysed used highly sophisticated tools. Most of them could have been prevented by following best practice guidelines for protecting the IT infrastructure and the industrial components, indicating that despite high revenues and strategic importance, many energy sector companies are not prioritising cyber-security.
The number of targeted cyber-attacks in general has risen in the past few years. The rate at which attacks come to light has also risen, with more companies becoming aware of attacks, expecting them and searching for indicators of compromise. Targeted attacks on the energy sector are not a new phenomenon, but their importance has grown. The Council on Foreign Relations, a US think tank, reported that energy companies, including oil and gas producers, were often the focus of targeted attacks during summer 2012. In May 2013 the US Department of Homeland Security (DHS) warned of an increase in sabotage attacks against US energy companies located in the Middle East. The government had tracked multiple attacks and issued a warning together with the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). A report by the US Congress supported this picture, stating that many power utility companies were under constant or daily attack through cyberspace. Successful breaches of critical infrastructure are still rare and these figures include generic malware infections, but they nevertheless highlight the potential for cyber-attacks in the energy sector.
As in most sectors, attackers are often after valuable information. For example, we have seen attackers target intellectual property such as technology for photovoltaic research and wind turbines, or data on gas field exploration. Information such as this is of high value and can generate huge profits for attackers or their sponsors. The same information can also be misused for an act of sabotage. Many power utility companies fear disruptive attacks the most, regardless of whether they come from internal or external attackers. The energy sector has a high potential for critical disruption through sabotage attacks. Any interruption to the power grid would cause substantial chaos and cascading effects resulting in financial loss.
In the past there have been quite a few attacks that included targets in the energy sector. Some of these were more focused, like Stuxnet, Duqu, Shamoon/Disttrack and Night Dragon. Others saw power companies targeted among many other sectors, such as Hidden Lynx, Nitro, Flamer, NetTraveler and Elderwood, to name a few. One of the biggest examples, and a game changer for many organisations, was Stuxnet. This targeted sabotage attack, which is believed to have been aimed at uranium enrichment facilities in Iran, made clear what could be done through cyber-attacks.
It is also clear that the energy sector is not exempt from the generic attacks that every company faces, such as ransomware that locks PCs or financial Trojans that attempt to steal passwords and credit card details. For example, in May 2013 a small fuel distribution company in North Carolina fell victim to a cyberheist that transferred $800,000 from the company's bank account. Such threats spread broadly and might impact any person, regardless of their employer, because these attackers aim to infect as many computers as possible in order to maximise their chances of profit. They can also include non-specific data breaches in which employee or customer records are stolen, as happened to the US Department of Energy in July 2013.
For this paper we focused on email data from targeted attacks between July 2012 and June 2013. Even though watering holes are being used more frequently in targeted attacks, it is unfortunately quite difficult to reliably map these to individual campaigns. A blocked drive-by download attempt does not indicate whether it was part of a targeted attack or just general noise. In quite a few cases we see the same common malware, such as Poison Ivy, being used by generic attackers and in targeted attacks. In such cases the sole difference between a sophisticated targeted attack and a generic one lies in the person commanding the malware.
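One way to see why blocked drive-by attempts are so hard to map to campaigns while blocked spear-phishing mails are not: the added Python example below (not Symantec's tooling, and every event, sender, hash and domain in it is constructed) links blocked events that share an indicator, such as a sender address, attachment hash or command-and-control host, into clusters. Mail events that carry several indicators chain together across two targeted organisations; a drive-by block that carries only the URL it was stopped on stays a singleton and cannot be attributed either way.

```python
"""Linking blocked events into probable campaigns by shared indicators.

Added illustration, not Symantec's tooling: every event and indicator
value below is constructed for this example.
"""
from collections import defaultdict

# Constructed sample of blocked events. The "email" records come from
# blocked spear-phishing mails and carry several indicators each; the
# "driveby" records come from blocked web downloads and carry little
# beyond the URL that was blocked.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "email", "target": "energyco.invalid",
     "sender": "tender@supplier-portal.invalid",
     "attach_sha256": "3f1c" * 16, "c2": "cdn-sync.example-c2.invalid"},
    {"id": "e2", "type": "email", "target": "energyco.invalid",
     "sender": "tender@supplier-portal.invalid",
     "attach_sha256": "9b0e" * 16, "c2": "cdn-sync.example-c2.invalid"},
    {"id": "e3", "type": "email", "target": "gridops.invalid",
     "sender": "hr@supplier-portal.invalid",
     "attach_sha256": "9b0e" * 16, "c2": "img-cache.example-c2.invalid"},
    {"id": "e4", "type": "driveby", "target": "energyco.invalid",
     "url": "http://news-mirror.invalid/k.php"},
    {"id": "e5", "type": "driveby", "target": "gridops.invalid",
     "url": "http://ads-static.invalid/a.js"},
    {"id": "e6", "type": "email", "target": "energyco.invalid",
     "sender": "invoice@billing-notice.invalid",
     "attach_sha256": "c0de" * 16, "c2": "mail-relay.invalid"},
]

INDICATOR_KEYS = ("sender", "attach_sha256", "c2", "url")


def indicators(event):
    """Return the (kind, value) indicator pairs one event carries."""
    return [(k, event[k]) for k in INDICATOR_KEYS if event.get(k)]


def cluster_events(events):
    """Group events linked, directly or transitively, by a shared
    indicator (union-find). Returns a sorted list of sorted id lists."""
    parent = {e["id"]: e["id"] for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}
    for e in events:
        for ind in indicators(e):
            if ind in first_seen:
                union(first_seen[ind], e["id"])
            else:
                first_seen[ind] = e["id"]

    groups = defaultdict(list)
    for e in events:
        groups[find(e["id"])].append(e["id"])
    return sorted(sorted(g) for g in groups.values())


def describe_clusters(events):
    """For each cluster report its members, the indicators that recur
    across members, how many distinct organisations it touched and
    whether it can be attributed to a campaign at all (a single event
    with nothing linking it elsewhere cannot)."""
    by_id = {e["id"]: e for e in events}
    report = []
    for members in cluster_events(events):
        counts = defaultdict(int)
        for m in members:
            for ind in indicators(by_id[m]):
                counts[ind] += 1
        shared = sorted(ind for ind, n in counts.items() if n > 1)
        targets = {by_id[m]["target"] for m in members}
        report.append({"members": members, "shared": shared,
                       "targets": len(targets),
                       "attributable": len(members) > 1})
    return report


if __name__ == "__main__":
    for entry in describe_clusters(SAMPLE_EVENTS):
        print(entry)
```

On the constructed data, e1, e2 and e3 form one cluster spanning two targeted organisations, held together by a shared sender, a shared attachment hash and a shared C2 host; the two drive-by blocks and the unrelated invoice lure remain singletons, which is exactly the "general noise or targeted attack?" question the text says a single blocked download cannot answer.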
Exposed systems: Online and offline
Historically, most industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems were in separate networks not connected to the Internet or any other network. Unfortunately this security-through-segregation approach does not fully protect against cyber-attacks. In reality, networks are rarely completely isolated: configuration updates are periodically installed or log files are transferred. If systems are not directly connected, these interactions usually happen through a USB stick or a non-permanent modem connection, which provides a way into the restricted networks. This allows malware to spread into such isolated networks, as demonstrated many times by threats such as Stuxnet.
If networks really were fully segregated, no software updates would be installed either, leaving old vulnerabilities open. There are also issues around processes. For example, the revocation lists for digital certificates are seldom updated on such networks, so certificates that are no longer valid cannot be checked properly and would still be accepted.
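The revocation-list problem on a segregated network, as an added worked example in Python (not Symantec's code; SimpleCRL is a stand-in for the thisUpdate, nextUpdate and revoked-serial fields of an X.509 CRL, and the issuer, dates and serial numbers are constructed): a plant network last imported a CRL in January 2013, the vendor's certificate is revoked in March, and a signed update carrying that certificate arrives in June. A verifier that treats "not on the list I have" as "valid" accepts it; one that refuses to rely on a CRL past its nextUpdate rejects it, as does a verifier holding a current list.

```python
"""Why a stale revocation list on a segregated network lets a revoked
certificate through.

Added illustration, not Symantec's code: SimpleCRL is a stand-in for the
fields of an X.509 CRL (thisUpdate, nextUpdate, revoked serials), and
the issuer, dates and serial numbers are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class SimpleCRL:
    issuer: str
    this_update: datetime      # when the issuer produced this list
    next_update: datetime      # issuer's promise of when a newer list exists
    revoked_serials: frozenset = frozenset()


def crl_is_current(crl, now):
    """A CRL may only be relied on inside its issuer-stated window."""
    return crl.this_update <= now <= crl.next_update


def check_certificate(serial, crl, now, fail_closed=True):
    """Decide whether a certificate serial may be accepted.

    fail_closed=True treats an expired CRL as 'status unknown' and rejects;
    fail_closed=False is the lenient behaviour the text describes, where a
    certificate missing from an outdated list is still accepted."""
    if serial in crl.revoked_serials:
        return ("reject", "serial is on the revocation list")
    if not crl_is_current(crl, now):
        when = crl.next_update.strftime("%Y-%m-%d")
        if fail_closed:
            return ("reject", f"revocation list expired {when}; status unknown")
        return ("accept", f"revocation list expired {when}; accepted unchecked")
    return ("accept", "not revoked on a current list")


def scenario():
    """Constructed timeline: the isolated plant network last imported a CRL
    in January 2013; the vendor's code-signing certificate 0x1A2B was revoked
    in March; a signed update carrying that certificate arrives in June."""
    stale = SimpleCRL("Example Vendor CA",
                      datetime(2013, 1, 15, tzinfo=UTC),
                      datetime(2013, 2, 14, tzinfo=UTC),
                      frozenset({0x1001}))
    current = SimpleCRL("Example Vendor CA",
                        datetime(2013, 5, 15, tzinfo=UTC),
                        datetime(2013, 6, 14, tzinfo=UTC),
                        frozenset({0x1001, 0x1A2B}))
    now = datetime(2013, 6, 1, tzinfo=UTC)
    serial = 0x1A2B
    return {
        "isolated_fail_open": check_certificate(serial, stale, now, fail_closed=False),
        "isolated_fail_closed": check_certificate(serial, stale, now, fail_closed=True),
        "connected_current_crl": check_certificate(serial, current, now),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in scenario().items():
        print(f"{name:24s} {verdict:7s} {reason}")
```

The practical consequence for an isolated network is that the check should fail closed when the list is stale, and that CRL imports (or an OCSP responder reachable from the segregated segment) have to be part of the same maintenance process that carries software updates across the gap.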
With the increasing desire for connectivity now reaching industrial plants, many operators have started to connect their ICS to the Internet. New adapters can bridge to older technology which was never intended to be controlled over the Internet, allowing it to be connected easily. This allows for efficient centralised monitoring and, to some extent, remote control of equipment.
Depending on the type of machinery controlled through the human-machine interface (HMI) of the ICS, not all modifications are possible. Some systems are physically connected in a pure read-only mode for monitoring. Even where they are fully connected, some turbines have physical limitations or emergency systems based on physical effects that cannot be overridden by the digital controller. Thus, not all Hollywood scenarios of open flood gates or turbines that fly through the air are possible. However, sabotage attacks that damage equipment are definitely possible, as has already been demonstrated. In the future, more systems are going to implement their failsafe switches in software, opening up a new vector for malware attacks.
An additional source of concern is that some countries have started to open the energy market to smaller private contributors. This means that almost anyone can use mini power plants, such as water, wind or photovoltaic sites, to feed energy back into the power grid. Often these operators do not have full IT staff supporting the facilities, which might lead to more vulnerable installations. Furthermore, they may deploy new technology which might be untested and contain unknown vulnerabilities. While these smaller sites make up only a small portion of the grid, new decentralised input feeds are also a challenge for the balance of the power grid and need to be carefully monitored. Small outages or changes can have a domino effect on the whole power grid.
To increase the exposure of energy firms even further, sites like SHODAN, which is essentially a search engine for devices, enable anyone to easily find exposed controllers on the Internet. Of course, not all of the industrial control systems connected to the Internet are critical systems or even real ones. Some researchers have started to create honeypot systems in order to study the attackers; these have apparently already attracted groups like Comment Crew/APT1, who have broken into the decoy systems.
Smart grids: A new potential avenue of attack
Smart grids and smart metering are bringing significant change to the world's power systems. Experts predict that billions of smart meters and sensors will be installed worldwide over the next ten years. They enable utility companies to measure energy consumption at a more granular level, creating better flow patterns and enabling different prices for consumption based on the time of day and location. This development brings new opportunities, as well as new challenges.
As with any connected infrastructure, it is important to secure the network and its endpoints on multiple levels. There have already been proof-of-concept attacks that demonstrate how smart meters could be manipulated to send back false information or report incorrect billing IDs, leading to power theft.
In addition to the issue of securing these devices, smart grids will produce a huge amount of data which, depending on regulations, will need to be kept for audits. Some of this data may be sensitive and could raise privacy concerns if not properly protected. This could easily grow to petabytes of data that needs to be safely stored and managed.
Spear phishing attacks in the energy sector
Spear phishing is, along with watering hole attacks, one of the most common attack vectors used against companies. The attacks are simple to carry out and often follow the same pattern, starting with a reconnaissance phase to gather all publicly available information. This is followed by the incursion phase of breaking in and compromising computers. After that comes the discovery phase, where the attacker gathers passwords and maps the internal network. The final stage is capture and exfiltration, where the valuable information is copied and sent back to the attacker.
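The incursion phase described above usually arrives as a mail, and the indicators a defender can score at the gateway are mechanical. The Python example below is added here and is not Symantec's product logic; the internal domain energyco.invalid, both messages and the extension list are constructed. It parses two RFC 822 messages with the standard library and flags a Reply-To domain that differs from the sender's, a sender domain that imitates the organisation's own (by containing its label or being within two edits of it), and executable or double-extension attachments.

```python
"""Scoring an inbound mail for indicators typical of the incursion phase
of a spear-phishing attack.

Added illustration, not Symantec's product logic: the internal domain,
both messages and the extension list are constructed for this example.
"""
import email
import os
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "energyco.invalid"                       # assumed internal domain
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".js", ".jar", ".docm", ".xlsm"}

# Constructed lure: lookalike sender domain, mismatched Reply-To and a
# double-extension attachment.
SUSPECT_MAIL = """\
From: "Jane Doe (HR)" <jane.doe@energyco-portal.invalid>
Reply-To: payroll@mail-updates.invalid
To: engineer@energyco.invalid
Subject: Updated turbine maintenance schedule
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please review the attached schedule before Friday.
--XYZ
Content-Type: application/octet-stream; name="schedule.pdf.exe"
Content-Disposition: attachment; filename="schedule.pdf.exe"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

# Constructed internal message for comparison.
BENIGN_MAIL = """\
From: "Ops Desk" <ops@energyco.invalid>
To: engineer@energyco.invalid
Subject: Weekly report
MIME-Version: 1.0
Content-Type: text/plain

All quiet this week.
"""


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased."""
    addr = parseaddr(str(header_value))[1].lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def lookalike(domain, ours):
    """True when an external domain imitates ours: its first label contains
    our label or is within two edits of it."""
    if not domain or domain == ours:
        return False
    label, our_label = domain.split(".")[0], ours.split(".")[0]
    return our_label in label or edit_distance(label, our_label) <= 2


def score_message(raw):
    """Return {"score": n, "findings": [...]} for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To domain differs from sender domain")
    if lookalike(from_domain, OUR_DOMAIN):
        findings.append(f"sender domain {from_domain} resembles {OUR_DOMAIN}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        root, ext = os.path.splitext(name)
        if ext in RISKY_EXTENSIONS:
            findings.append(f"executable attachment {name}")
        if os.path.splitext(root)[1]:
            findings.append(f"double extension in {name}")
    return {"score": len(findings), "findings": findings}


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MAIL), ("benign", BENIGN_MAIL)):
        print(label, score_message(raw))
```

The constructed lure scores four findings and the internal message none. A gateway rule would combine such a score with the reconnaissance-phase signal the text mentions (a lure that references a real, publicly announced project) and with sandboxing of the attachment, since any one indicator on its own also fires on legitimate partner mail.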
Cyber-espionage campaigns and sabotage attacks are becoming increasingly common, with countless threat actors attempting to gain a foothold in some of the best protected organisations. At this stage, roughly five targeted attacks per day are being mounted on firms in the energy sector. These attacks have become increasingly sophisticated, although the capabilities and tactics used by these threat actors vary considerably. In the second half of 2012, the energy sector was the second most targeted with 16 percent of all the targeted attacks. This strong increase was mainly due to a large scale attack against one global oil company. In the first half of 2013, the energy sector was ranked fifth with 7.6 percent of all attacks focused on this sector.
In general we have observed that attackers are becoming more efficient and focusing on smaller operations that attract less attention. The attackers tend to go after valuable information, such as maps of a new gas field, but the sector is also a major target for sabotage attacks, which will not generate direct profit for the attacker. Such disruptive attacks do already happen and may lead to large financial losses. State sponsored agents, competitors, internal attackers or hacktivists are the most likely authors of such sabotage attacks. Fortunately, there have not been many successful sabotage attacks against energy companies to date. However, the increasing number of connected systems and centralised control of ICS means that the risk of attacks in the future will increase. Energy and utility companies need to be aware of these risks and plan accordingly to protect their valuable information as well as their ICS or SCADA networks.
(The author of the article is Candid Wueest, Threat Researcher, Symantec).