The energy and utility industry represents an attractive target for cyberattacks. As part of the U.S. critical infrastructure, energy and utility companies face threats not only from cybercriminals but also from foreign nation-states. And the problem is only getting worse.
Indeed, in mid-March, the Department of Homeland Security reported that it, along with the FBI, had determined that “Russian government cyber actors” had launched “a multi-stage intrusion campaign” that targeted the networks of small commercial facilities in the energy and other critical infrastructure sectors.
Attacks against industrial control systems are on the rise and present a significant risk to energy and utility companies. A 2017 analysis by Kaspersky Lab revealed some sobering statistics on ICS attacks. In "Threat Landscape for Industrial Automation Systems in the Second Half of 2016," the security vendor determined, based on analysis of traffic to the networks of its own customers, that 39 percent of ICSs worldwide were attacked during 2016 and that more than 20 percent of industrial control devices are attacked each month.
These threats come from many different sources using a variety of attack techniques. While some attacks may be attributable to attackers randomly scanning networks in search of vulnerabilities, some are certainly targeted attacks on ICS technology by knowledgeable attackers.
Vulnerabilities Haunt Outdated Energy ICS and SCADA Systems
The major sources of risk to ICSs and supervisory control and data acquisition (SCADA) systems have a common root cause: These systems were typically designed more than a decade ago in an era when security was not a top concern for system designers. Many ICS technologies were planned to run on closed networks within a power plant or other controlled facility without any connection to the internet.
The design assumption was that every other device on the network was friendly. As architects extended SCADA and ICS designs to include broader network connectivity, they attempted to add security functionality onto existing products to meet a changing threat environment. Unfortunately, this "bolt-on" approach to security is rarely effective, making securing legacy SCADA systems and ICSs a real challenge.
The threats facing industrial control systems and SCADA systems are similar to those facing other technology devices. Cybersecurity professionals typically categorize threats as posing risk to the confidentiality, integrity or availability of systems and information. SCADA and ICS threats also fall into these categories. Confidentiality threats may expose sensitive information to unauthorized disclosure, such as allowing attackers to retrieve sensitive sensor information.
Integrity threats present the risk of unauthorized alteration of information or systems. For example, attackers might alter the configuration of an ICS to present operators with false information about the system’s status, potentially leading to disastrous consequences, such as building up pressure in a boiler until it reaches the point of explosion. Finally, availability threats prevent authorized access to systems and information. In a critical infrastructure scenario, loss of availability may leave thousands or even millions of customers without access to essential services.
Attacks against ICSs and SCADA systems may have a single objective or they may combine risks to confidentiality, integrity and availability.
Utilities Face a Variety of Attack Vectors
Malware is one of the primary risks to all IT systems, and ICSs and SCADA systems are no exception. Viruses, Trojan horses, botnets and other malware types seek to gain a foothold on systems by exploiting common vulnerabilities and then using that access to perform unauthorized activities. Malware might steal sensitive information and transmit it to an attacker, provide an attacker with backdoor remote access to alter the configuration of an industrial control system, or interrupt the availability of services by disrupting critical system components.
While many attacks use automated techniques that prey on existing system vulnerabilities, other attacks depend on human-centric vulnerabilities. Social engineering attacks attempt to manipulate legitimate users into taking actions that are detrimental to system security. For example, a social engineer might use a spear-phishing email that sends a highly targeted message to employees of an energy or utility company informing them that they must complete their performance review by clicking on a link. When they click that link, they see a login screen that appears authentic, and they log in with their username and password. Unfortunately, the system is run by an attacker, who then captures the username and password for use in an attack. Other spear-phishing attacks may prompt users to install malware on critical system components.
Social engineering attacks prey on the susceptibility of well-meaning users to psychological tricks. Other legitimate users may have nefarious intent, deliberately seeking to use their privileged positions to undermine the security of ICSs and SCADA systems. This phenomenon, known as the insider threat, is particularly dangerous because users already have a legitimate foothold in enterprise systems and then use that access to carry out malicious activity.
With the number of threats they face growing, energy and utility companies must put in place a comprehensive security strategy.
Learn how energy and utility companies can address the growing threats they face by reading the white paper, "Securing SCADA Networks."