Industrial control systems (ICS) security risk to electric utilities is high and rising, driven by numerous intrusions carried out for reconnaissance and information gathering, according to industrial cybersecurity company Dragos. Dragos identified ICS threats from specific activity groups (AGs) that show new adversary interest in the electric sector: three of the four new AGs Dragos discovered last year, and eleven of the fifteen it tracks in total, have been observed targeting the electric utility industry.
As intrusions in the electric sector have escalated, Dragos said in a new report, titled ‘Global Electric Cyber Threat Perspective,’ that it identified three new AGs targeting the electric sector: Talonite, Kamacite, and Stibnite. Of the AGs that Dragos actively tracks, two-thirds of the groups performing ICS-specific targeting activities are focused on the electric sector. ICS-targeting adversaries continue to exhibit the interest and ability to target electric utility networks with activities that could provide prerequisites for facilitating future attacks, the report added.
The Hanover, Maryland-based firm also found that supply chain threats are rising in scale and sophistication, as evidenced by the December attacks on SolarWinds. Software updates and routine patching are not the only potential entry vector that could be abused in a supply chain intrusion, Dragos warned. Original equipment manufacturers (OEMs), vendors, and third-party contractors could provide an ingress into electric utility environments through compromised or poorly secured direct network connections and remote access connections.
The Dragos report also noted that ransomware remains a threat to electric operations and could potentially disrupt critical operational systems or operational support systems. While the electric system has been fairly resilient, its complexity has been increasing significantly, and the resulting interconnections and dependencies may reduce that resilience, which remains largely untested against a determined cyber threat.
Historically, adversaries have demonstrated the capability to significantly disrupt electric operations in large-scale cyber events through misuse of control systems, leveraging specialized malware and deep knowledge of the targets’ operations environments, Dragos said. However, similar disruptive attacks have not been publicly observed in the electric utility industry since 2016.
In North America, the electric sector has been working for over a decade to address cyber threats through board-level decisions, preparedness exercises like GridEx, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards, and recently a 100-day action plan at the direction of the White House in partnership with the Department of Energy. The 100-day action plan focused on increasing OT visibility, detection, and response in ICS networks, and culminated last month in U.S. President Joe Biden signing a National Security Memorandum focused on ICS technology adoption across other areas.
Focusing on power generation, the Dragos report recognizes that at least five AGs demonstrate the intent or capability to infiltrate or disrupt electric power generation. Xenotime has demonstrated the capability to access, operate, and conduct attacks in an industrial environment. Dragos assesses that this group would be capable of retooling and refocusing its disruptive efforts on electric utilities because it has already targeted Safety Instrumented Systems, such as Triconex safety controllers, which are a mainstay in power generation.
The Dymalloy group showed the ability to access OT (operational technology) networks in generation facilities and obtain screenshots of sensitive ICS data, including human-machine interfaces (HMIs). The Allanite AG is also a threat to power generation because it shares some similarities in targeting and capabilities with Dymalloy.
The Dymalloy group’s victims typically include electric utilities, oil and gas, and advanced industry entities in Turkey, Europe, and North America. Based on analysis of malware samples, Dragos found this group expanding its targeting to include the Asia-Pacific (APAC) region. Dragos said that neither group has demonstrated ICS-disruptive or -destructive capabilities to date, and that both focus on general reconnaissance.
The Wassonite group has also actively targeted critical infrastructure in Asia including nuclear power generation, and successfully deployed malware in the administration systems of at least one nuclear power plant. This is concerning, though no evidence suggests it successfully penetrated operations networks.
At the electric transmission stage, Dragos determined that at least two AGs are a threat to transmission operations. Electrum is a well-resourced AG with the capability to disrupt power transmission; it currently focuses on electric utilities, with most of its target entities located in Ukraine. Dragos assesses Kamacite to be the initial access and facilitation group for Electrum, the group responsible for the Crashoverride malware attack in Kiev, Ukraine, in December 2016. The adversaries tailored malware to de-energize a transmission-level substation by opening and closing numerous circuit breakers, devices that both deliver power through the electric system and protect operators, power lines, and equipment.
In the current threat landscape, one adversary group has disrupted electric distribution operations, Dragos said. Kamacite operations enabled the first widespread outage caused by a cyberattack, which took place in Ukraine on Dec. 23, 2015. The adversaries leveraged malware to gain remote access to three electric power distribution companies, performed system operations using the target environments’ distribution management systems, and disrupted electricity to approximately 230,000 people. Power was fully restored after a few hours through manual operations.
Last month, a NERC report stated that operational security is an essential element of a highly reliable bulk power system (BPS). Cyber and physical security are interdependent, as exploitation of a vulnerability in either domain could be used to compromise the other, according to the NERC report.