The Winter 2016 issue of VALVE Magazine featured an article in which the very real threat posed by cyber criminals to infrastructure security was discussed. Many of the experts quoted in that article said it is not a matter of if, but when, an attack would be made. So it came as no surprise when a recent article in the U.K.’s Register revealed a report by Verizon Security Solutions that a "hacktivist" group with ties to Syria compromised a water company’s computers after exploiting unpatched web vulnerabilities in its internet-facing customer payment portal.
The control system that was hacked managed programmable logic controllers (PLCs) that regulated valves and ducts controlling the flow of water and chemicals through the system. According to the article, evidence was uncovered demonstrating the hacktivists had actually manipulated the valves twice, although apparently no harm was done to customers or the plant. Additionally, the hack provided the hackers with personal information about the utility’s customers, although again, there is no evidence the information has been used for fraudulent purposes.
The breach has been repaired, but this incident is a prime example of the vulnerabilities in utility systems, many of which are relying on aging or insecure systems.
A highly visible incident occurred in December 2015 when a coordinated attack turned off the power in a large section of Ukraine. For cyber security specialists, this was an opportunity to do forensics on a real-life situation affecting a power grid, as there had never before been a publicly confirmed case of a power grid being taken down by a cyberattack.
Like most targeted attacks, this one began with a phishing email. In this case, when users in the company’s business network opened either a Word document or an Excel spreadsheet, the BlackEnergy3 Trojan was able to gain entry into the system, where it persisted and stole legitimate user credentials. The attackers then used stolen VPN (virtual private network) credentials to reach the industrial control systems network, and remote access tools to take over the human-machine interfaces (HMIs) and open the breakers, turning off lights and heat for approximately 225,000 customers.
Fortunately, no real damage was done by the attack, and this fact has led many analysts to believe it was a state-sponsored attack. With the tensions high between Russia and Ukraine, speculation was that the attack was a way of disrupting Ukraine’s system and sending a message to the citizenry, making them believe their state is incapable of keeping the lights on.
Whatever the source, power was restored soon after the attack, from one to six hours for all the areas hit. But as of February 2016, the last date available for reports, the control centers were still not fully operational. Ukrainian and U.S. computer security experts involved in the investigation say the attackers overwrote firmware on critical devices at 16 of the substations, leaving them unresponsive to any remote commands from operators. The power is on, but workers still have to control the breakers manually.
As was the case with the water utility attack mentioned above, this cyber-attack fortunately did not result in long-term damage to the power grid. However, the assault should act as a warning to utility companies that they are vulnerable. Experts in the U.S. have actually said that the control systems in Ukraine were more secure than some in the U.S., since they were well segmented from the control center business networks with robust firewalls. But in the end they still weren’t secure enough: workers logging remotely into the SCADA network weren’t required to use two-factor authentication, so the attackers could hijack those credentials and gain crucial access to the systems that controlled the breakers.
Verizon’s report also described cyber-attacks on manufacturers, with financial gain appearing to be the main purpose as intellectual property was stolen.
In one particular instance, a manufacturer saw that a competitor on another continent had recently made public a new piece of equipment that appeared to be an exact copy of a model recently developed by the victim. The victim worried not only that this equipment's design details had been obtained illicitly, but that other projects were also in danger.
When an investigation was conducted, it revealed that the chief design engineer on the project had been actively looking for employment elsewhere and had been approached through LinkedIn by a “recruiter.” Through correspondence with this recruiter, malware was introduced onto the chief engineer’s computer and from there into the company’s network. Digital forensics showed the attacker had used that foothold to find and copy the file with the design plans.
In the case of another manufacturer, the company’s own IT department found many instances of connections between the company’s R&D department and an external IP address. This included numerous connections over the previous 24 hours involving an outbound transfer of over 2GB of data. Since nothing on the network should have been transferring that much data, alarm bells went off and security protocols were initiated.
Unfortunately, it was too late. An investigation revealed a breach of an engineering team’s shared computer system within the R&D department. As a result, user credentials for everyone who had used that system were compromised. Entry was gained through a phishing email that targeted a specific individual on the engineering team. The phishing email resulted in a Remote Access Trojan (RAT) backdoor being downloaded onto the system, which enabled the attackers to ultimately access and exfiltrate a significant amount of highly confidential and proprietary information. This data represented months of R&D work and millions of dollars of investment by the manufacturer.
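The anomaly that caught this second intrusion, an internal host pushing more than 2GB to a single external address within 24 hours, can be expressed as a simple check over network flow records. The following is an added example, not code from the Verizon report or from the manufacturer involved; the flow records and IP addresses are constructed, and the 2GB threshold and 24-hour window are assumptions taken from the figures in the text.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: (timestamp, src_ip, dst_ip, bytes_out).
# 10.20.5.17 is the compromised R&D host; 203.0.113.45 is the attacker's drop point.
SAMPLE_FLOWS = [
    ("2016-02-10T01:15:00", "10.20.5.17", "203.0.113.45", 450_000_000),
    ("2016-02-10T04:40:00", "10.20.5.17", "203.0.113.45", 900_000_000),
    ("2016-02-10T09:05:00", "10.20.5.17", "203.0.113.45", 800_000_000),
    ("2016-02-10T10:30:00", "10.20.5.17", "203.0.113.45", 120_000_000),
    ("2016-02-10T11:00:00", "10.20.5.40", "10.20.9.2", 5_000_000_000),   # internal backup, ignored
    ("2016-02-10T12:00:00", "10.20.5.22", "198.51.100.9", 30_000_000),   # ordinary web traffic
    ("2016-02-08T02:00:00", "10.20.5.17", "203.0.113.45", 1_500_000_000), # outside the window
]

# Assumed definition of "internal": the RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
THRESHOLD_BYTES = 2 * 1024 ** 3   # 2 GB, the volume that raised the alarm in the text
WINDOW = timedelta(hours=24)       # the 24-hour period mentioned in the text


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_exfil_candidates(flows, now_iso: str, threshold=THRESHOLD_BYTES, window=WINDOW):
    """Return (src, dst, total_bytes, connection_count) for every internal host that sent
    more than `threshold` bytes to one external address inside the `window` ending at now."""
    now = datetime.fromisoformat(now_iso)
    cutoff = now - window
    totals = defaultdict(lambda: [0, 0])  # (src, dst) -> [bytes, connections]
    for ts, src, dst, nbytes in flows:
        t = datetime.fromisoformat(ts)
        if t < cutoff or t > now:                 # only the trailing window counts
            continue
        if not is_internal(src) or is_internal(dst):  # only internal -> external traffic
            continue
        totals[(src, dst)][0] += nbytes
        totals[(src, dst)][1] += 1
    return sorted((s, d, b, n) for (s, d), (b, n) in totals.items() if b > threshold)


if __name__ == "__main__":
    for src, dst, total, count in find_exfil_candidates(SAMPLE_FLOWS, "2016-02-10T12:00:00"):
        print(f"ALERT {src} -> {dst}: {total / 1024**3:.2f} GB over {count} connections")
```

A real deployment would feed this from NetFlow/IPFIX or proxy logs and baseline each host's normal outbound volume rather than using a single fixed threshold.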
Warning to Take Action
The incidents described in this article are just a smattering of the hundreds of cases that have involved utilities and manufacturers throughout North America and around the world. They are offered as further incentive to executives to put more training and safeguards into place, so that employees do not accidentally let a thief in the back door, and to make funds available to install and maintain highly secure systems. It is not just financial information or proprietary secrets that are at risk – in the case of utilities, lives and the environment are at stake.
The report referred to in this article is available HERE in PDF form but it comes with a warning: You will become paranoid!