By Patrick Kennedy, Claroty Security Evangelist
Over the past 10 years, a new form of economic warfare has emerged in which parties attack the critical infrastructure of countries with the goal creating mass disruption. The first example of this was the 2015 Ukraine power grid cyber attack where 30 substations were switched off and 230,000 people were left without electricity for one to six hours.
As one of the leading global economies, Australia is not immune to such threats. A recent report by Accenture stated that Australia’s critical infrastructure remained a “significant target” for such threats, warning that there was a high chance that malicious agents could attack Australia’s infrastructure “at any time”.
Australia operates one of the longest single electric grids in the world, and as such, our electric utilities represent a distinct target for threat actors. The growing threat has also driven a greater recognition of the need to improve cyber-defences, with the Australian Energy Market Operator (AEMO) recently stating that protection of the electricity sector against cyber-attacks is a matter of “national importance”.
Power generation plants, along with much of the world’s industrial apparatus, have become increasingly automated and connected over the past 30 years. Automated industrial control systems (ICS) now drive many key operational processes, which has delivered profound increases in operational efficiency but has also increased the attack surface of these environments.
Hackers are increasingly exploiting this newly connected terrain to conduct reconnaissance, gain remote access, and in some cases, mount attacks. It is therefore imperative that plant operators have well planned cyber security strategies in place that are spearheaded by cyber security experts.
Related article: The asset management gaps in utilities creating cybersecurity risks
Corporate IT networks have the luxury of off-hours to conduct system maintenance and patch vulnerabilities. On the other hand, power generation plants operate around the clock, which can mean the simple task of rebooting a workstation to update its software can bring operations to a costly or even dangerous halt.
Further complicating vulnerability management for these companies is the 25-year (or more) lifecycle of most operational technology (OT) assets, which often run proprietary applications supported by legacy operating systems. Many of these systems were never designed to be patched, leaving them exposed. Upgrading this expensive hardware and software can be cost prohibitive for most organisations but vulnerabilities are of little consequence in the absence of credible threats. Unfortunately, the last several years have borne witness to a marked increase in the rise of capable and willing attackers.
Malware, ransomware and the persistent threat
In some instances, malware threats are purpose-built to specifically target OT environments. Recent examples in the energy sector include the successful attack on three Ukrainian energy distribution companies and recent attempts to infiltrate the US power grid. These are generally believed to be the result of attempts to shut down the critical infrastructure, or establish persistence within the network as a base to initiate some future malicious activity.
More frequently the risk comes from “spill-over” between the IT and OT networks. Ransomware attacks such as WannaCry and NotPetya initially penetrated dozens of industrial sites through the IT network but subsequently jumped the gap to the OT network, causing massive outages and costing operators hundreds of millions of dollars in downtime and lost revenue. Most of the incidents that have affected OT operations in Australia to-date fall into this category.
Related article: Why effective cyber protection needs to start from the top
Expanding attack surface
The pool of actors capable of disrupting industrial infrastructure has ballooned. In addition to falling barriers to entry, the OT attack surface is expanding at an exponential pace. As more and more networked OT assets and other IoT devices populate power plants, attackers are leveraging this newly connected terrain to access previously hardened targets. This attack surface extends far beyond the confines of a single OT network – it is often globally dispersed and rife with multi-party interfaces. Each of these connections constitute new, unmonitored threat vectors that are ripe for exploitation.
Third-party management and support in OT networks are in some cases a necessity and require access to support equipment. In doing so, power plants are trusting that their partners follow stringent cyber security controls and practises that they enforce. Many security breaches have been conducted through these types of third-party vendors who prove to be the weakest link in the chain.
You can’t protect what you can’t see
OT attacks on power generation plants can result in blackouts, disrupting the everyday lives of citizens, causing reputational damage to power suppliers. The length of time it may take to restore full generation capacity and repair the damaged equipment could lead to months of reduced capacity and load on other areas of the grid.
Power generation plants must understand the normal behaviour of each OT asset and gain visibility of their assets and environment to make informed decisions about controls and defences. Installing the right visibility software and security analytics, in addition to having a designated cyber security expert in charge of assets will enable power generation plants to detect threats and protect their devices and processes.