Posted July 24, 2019
In the second installment of this series, we explore the different attack vectors used against the energy sector. If you missed the first part of the series, read it for a primer on who is perpetrating these attacks, and why.
The energy sector generates billions in revenue each year, and powers our daily lives. As we explored in Part One of the series, many different threat actors target the sector for its riches and its criticality in consumer’s and business’ every day operations. How are threat actors infiltrating these networks? The most heavily used attack vectors against the energy sector are Distributed Denial of Service (DDoS), spear phishing, and third party breaches.
The use of automated industrial controls, processes, and networks has exploded across the energy sector – and for good reason. The increasing use of the Internet of Things (IoT) means higher energy efficiency, cost savings, and increased reliability of power supply for energy companies. Though there are benefits to the IoT in the energy sector, it widens the attack surface, giving threat actors that many more avenues to infiltrate a network and perpetrate an attack.
Unfortunately, automation has, and will, continue to open the door to DDoS attacks. In March, a DDoS attack crippled a power supply company’s network in the western US for over 10 hours. The company provides power supply to consumers in California, Utah, and Wyoming. While the attack fortunately did not compromise power supply to the company’s customers, a troubling detail emerged in the organization’s official report to the Department of Energy: the attack could have been avoided if a known vulnerability was patched. The attack likely could have been avoided if the organization applied a simple software update.
Using outdated software with known patches is a surefire way to get breached—follow good cyber hygiene by updating and applying patches immediately. As an industrial giant, the energy sector is known to be slow at updating infrastructure and process software, making them a prime target for DDoS and exploit attacks.
Figure 1: DDoS Pro Tip
We already know that phishing attacks effect all industries and companies of all sizes, because attackers know that it will be successful due to the targeted, persistent strategy of the attackers. Combine this likelihood of success with the potential resulting damage, and you can see why threat actors phish the energy sector in particular. In the case of the energy sector, phishing is used to cause harm rather than monetary gain. If successful, hackers can gain credentials to power grids, oil wells, generators, and other sensitive control areas. I’m sure you can imagine the paralyzing effect this would have on everyone.
Spear phishers often follow their targets closely to gain valuable information that could make their attack more successful. Spear phishing attacks are most often perpetrated by terrorist organizations or state-sponsored actors and are not random like most phishing campaigns. These are more meticulously curated for their intended audience to ensure the victim will fall for the bait. For example, the Russian APT group, Dragonfly, which used spear phishing as discussed in part one, remained undetected on energy sector company systems for two years. Research shows that the APT group targeted 18 US energy organizations specifically, looking to gather information on energy systems and power grids.
Figure 2: Phishing Pro Tip
Third Party Breaches
Nation-state and terrorist groups have also turned towards third party attacks to gain access to Industrial Control Systems (ICSs). As these ICSs continue to move online, this gives outside organizations unprecedented access into these organizations – including vendors and third parties. The software, hardware, and services that energy companies buy from third parties allows access to every tier of the organization.
In a 2017 attack, a virus was introduced remotely on controllers used in 18,000 power plants globally. The virus disrupted the controllers purpose, which is to regulate voltage, pressure, and temperatures in nuclear and water treatment facilities. The attack nearly triggered an explosion in Saudi Arabia—and the attack was designed to do greater damage. Third party attacks are especially worrisome in the energy sector due to the reliance on vendors—external suppliers account for 80% of budget spend at utility organizations in the US. Suppliers and organizations alike need to address the risk they introduce through these third parties.
Figure 3: 3rd Party Pro Tip
All industry verticals could do a better job at proactively managing cyber risk—but the stakes are even higher for the energy sector. The consequences of a wide-spread attack on our critical infrastructure could not only be a loss for the organizations, but could be deadly to those who use their services – hospitals, schools, and government organizations. Knowing which attack vectors most commonly affect the sector can help organizations defend against them. Creating a strong cybersecurity program and culture “from the crown down” gives every member of your organization the tools needed to combat attacks, beginning with cybersecurity awareness and ending with building a robust, proactive cyber defense program. Contact us to learn how LookingGlass can help your organization build a robust cybersecurity program.