Hack the Grid: It May Be Easier Than We Thought. Now What?


Cybereason, one of the top companies scanning the growing cyberthreat landscape, reported earlier this month that the ICS (industrial control system) environments that handle the generation, transmission and metering of energy may be easier to hack than even the most seasoned security professionals believed.

Critical infrastructure keeps our economy and society going, and has long been a target that governments around the world take seriously – but are those governments, and their utility partners, taking enough precautions to keep our power grid from going down?

No power – no Internet.

No Internet – no public services, public safety, ecommerce or communications in general, not to mention frozen transportation systems and more.

We’ve seen frightening attacks in the last few years on critical infrastructure, including attacks on a dam in New York, and successful attempts to install malware on the operating systems of companies in the smart grid, nuclear and water industries.

Cybereason researchers set up a honeypot in mid-July that mimicked a utility substation’s network environment, attracting the attention of what seemed to be an amateur who nevertheless repeatedly disabled the security system.

And while Cybereason reckoned the attack was not the work of an advanced persistent threat (APT) group connected with a nation-state, it is still highly disturbing that even amateurs can hack into a system and disable it.

The honeypot environment went live late in the second quarter and had a network architecture representative of a typical power substation, including an IT environment, an OT environment and HMI (human machine interface) management systems. The environment employed customary security controls, including segmentation between the different environments.

“The honeypot contained bait to entice attackers, including three Internet facing servers (Sharepoint, SQL and domain controller) with remote access services like RDP and SSH and weak passwords. Nothing was done to promote the servers to attackers. However, the servers’ DNS names were registered and the environment’s internal identifiers used a moniker that resembled the name of a major, well-known electricity provider,” Cybereason wrote in a blog.

“Two days after the honeypot was launched, Cybereason determined that a black market seller had discovered it based on a toolset that had been installed in the environment. The tool -- xDedic RDP Patch -- is commonly found in assets that are being sold in the xDedic black market. It allows a victim and an attacker to use the same credentials to simultaneously log in to a machine using RDP (Remote Desktop Protocol).”

What can be done to address the threat of amateur and professional attacks against the energy grid?

We asked Rick Conklin, CTO, Dispersive Networks, a company providing hyper-secure wide area networking solutions to the energy industry, to weigh in.

“As the adoption of renewable and distributed energy resources accelerates, there is a corresponding need for increased, real time visibility into assets across the entire electric industry ecosystem. This visibility is necessary to ensure load balancing of supply and demand, but it’s problematic in that it opens the grid to a huge number of potential intrusion points,” Conklin said. “Given that many communicating nodes are IoT devices with attack vectors for a range of cyberthreats, it’s imperative that grid operators, utilities, distributed energy resources (DERs) and other ecosystem partners take steps to harden the grid to protect it in the face of increasingly agile and sophisticated adversaries. Specifically, I recommended that the following precautions be taken:

  1. Implement call-out only techniques for all devices connected to the grid
  2. Limit communications to authenticated and authorized “known” peers
  3. Encrypt each stream with a different key
  4. Ensure path and link diversity, especially for critical assets
  5. Use split-session techniques

Additionally, I encourage grid participants to evaluate virtualization technologies as a novel way to protect critical infrastructure, especially in a multi-cloud environment. This will allow operators to spin resources up and down in the face of attack and make the network more resilient.”

Cryptomining bots also were part of the honeypot test. Cybereason reports that after a few days “the honeypot was hit with cryptomining bots, phishing bots, DDoS bots, activity that Internet-connected assets typically experience. Then 10 days after the honeypot went live, the actor who is assumed to be the asset’s new owner connected to it using one of the backdoors created by the seller. The transaction most likely took place in a nonpublic channel, preventing Cybereason from obtaining information on how the payment was made.”

So how is blockchain being used to support attacks through payments that don’t traverse centralized (and regulated) payments systems?

Cybereason went on to explain that “After being stymied by the firewall, the adversaries began using a multipoint network reconnaissance process to identify potential paths from the IT environment into the OT environment. This approach assumes that different assets in an environment have different segmentation and network accessibility policies. For instance, in a typical IT/OT environment, certain assets (monitoring systems, data repositories and file servers, for example) that are hosted in the IT environment are also accessible from the OT environment. Using multipoint network reconnaissance the attackers move laterally to multiple assets and run parallel network discovery processes to locate an asset that is accessible to the OT network.”

The attackers then moved from the remote server to a Sharepoint server, to the domain controller, and to the SQL server, running network discovery from each to determine whether one of these assets would allow them to reach the ICS environment. Instead of scanning the full network, the attackers focused on scanning for assets that would give them access to the HMI and OT controllers.
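From a defender's side, the pattern described above (several IT-segment hosts each sweeping multiple OT-segment hosts in parallel, most of it blocked by segmentation) leaves a distinctive footprint in firewall flow logs. The following Python sketch is an added example, not code from Cybereason or the report; the segment ranges, thresholds and log lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed segment layout for this example (constructed, not from the report).
IT_SEGMENT = ip_network("10.10.0.0/16")
OT_SEGMENT = ip_network("10.20.0.0/16")
# Constructed firewall flow log: "<timestamp> <src> <dst> <dst_port> <action>".
# Three IT hosts each probe several OT hosts within seconds (502/20000/44818
# are common ICS protocol ports); 10.10.1.8 is a slow, benign consumer.
SAMPLE_LOG = """\
2020-02-20T10:00:01 10.10.1.5 10.20.0.11 502 DENY
2020-02-20T10:00:02 10.10.1.5 10.20.0.12 502 DENY
2020-02-20T10:00:03 10.10.1.5 10.20.0.13 44818 DENY
2020-02-20T10:00:05 10.10.1.6 10.20.0.11 502 DENY
2020-02-20T10:00:06 10.10.1.6 10.20.0.14 502 DENY
2020-02-20T10:00:07 10.10.1.6 10.20.0.15 20000 DENY
2020-02-20T10:00:09 10.10.1.7 10.20.0.11 502 DENY
2020-02-20T10:00:10 10.10.1.7 10.20.0.12 502 ALLOW
2020-02-20T10:00:11 10.10.1.7 10.20.0.16 502 DENY
2020-02-20T10:30:00 10.10.1.8 10.20.0.40 443 ALLOW
2020-02-20T11:30:00 10.10.1.8 10.20.0.41 443 ALLOW
2020-02-20T12:30:00 10.10.1.8 10.20.0.42 443 ALLOW
"""

def parse_flows(text):
    """Parse log lines into (timestamp, src, dst, port, action) tuples."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [(datetime.fromisoformat(t), ip_address(s), ip_address(d), int(p), a)
            for t, s, d, p, a in rows]

def find_multipoint_recon(flows, window=timedelta(minutes=10),
                          min_targets=3, min_sources=2):
    """IT sources each hitting >= min_targets OT hosts within window ([] if < min_sources)."""
    per_src = defaultdict(list)
    for ts, src, dst, _port, _action in flows:  # denied probes count too
        if src in IT_SEGMENT and dst in OT_SEGMENT:
            per_src[src].append((ts, dst))
    hits = []
    for src, events in per_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):  # sliding time window over sorted events
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            if len({d for _, d in events[lo:hi + 1]}) >= min_targets:
                hits.append(str(src))
                break
    return sorted(hits) if len(hits) >= min_sources else []
```

Counting denied flows as well as allowed ones matters here: the report's attackers were "stymied by the firewall", so the blocked probes are the signal, and requiring more than one source distinguishes the parallel sweep from a single misconfigured host.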

This didn’t take long.

Within 47 hours, the attackers got into the environment and conducted reconnaissance aimed at finding an entry point from the IT environment to the OT environment.

Regarding state actors, US Department of Homeland Security (DHS) official Jonathan Homer recently said of the alleged two-year-old Russian government hacking campaign that the Russians had accessed an industrial control system (ICS) but had not caused any operational impact on the system.

“They’ve had access to the button but they haven’t pushed it,” Homer said.

Ukraine was not as lucky as the US.

The hackers who successfully brought down power centers in Ukraine in late 2015 were not amateurs.

According to an extensive investigation, they carefully planned their assault over many months, first doing reconnaissance to study the networks and steal credentials before launching a synchronized assault.

Ukraine was quick to point the finger at Russia for the assault, but according to the analysis, there were multiple parties involved, which some say indicates collusion between private and nation-state agencies.

The report also noted that the control systems in Ukraine were more secure than some in the US.

The power was out for only six hours in Ukraine; however, the control centers suffered damage that took months to address.

The cost of a broad scale successful attack on our energy grid in the US?

Trillions of dollars and countless lives lost, as every system shuts down, from banking to sewers.

The U.S. Department of Homeland Security revealed that Russian government hackers have gained deep access to hundreds of U.S. electrical utility companies, gaining far more access to the operations of many more companies than previously disclosed by federal officials.

Even more recently the FBI came out with a warning regarding hacking networks through the Internet of Things.

Edited by Ken Briodagh
