US UTILITY SECTOR: CYBER RISKS & SOLUTIONS

WhiteHawk Inc. By Ron White

Case Study February 2019

Abstract

Due to system innovations and the scope of services they provide, the utility sector and its architectures face a significant cyber threat from a broad range of sophisticated actors. Cybersecurity officials can identify and address a majority of critical risks in real time through access to affordable risk auditing, rating, alerting, and mitigation services sector-wide.


A CASE STUDY ON THE US UTILITY SECTOR:

CYBER RISKS AND SOLUTIONS

EXECUTIVE SUMMARY

Due to IT innovations and the foundational services they provide, the utility sector and its architectures face a significant daily cyber threat from a broad range of sophisticated actors.

Utility sector cybersecurity professionals use current compliance-based methods, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework, Information System Security Officer (ISSO) guides, the Cybersecurity Capability Maturity Model (C2M2), and more. These approaches are foundational but not sufficient to identify cybersecurity vulnerabilities and gaps or to implement best practices for the utility sector.

Many utility sector entities understand current cyber threat actors and methods. But many do not know how to expeditiously identify, prioritize, and effectively mitigate their top cyber risks versus primarily responding to compliance-based audits.

The advent of, and access to, broad network and Industrial Control System (ICS) data sets, Artificial Intelligence (AI) driven analytics, and instrumentation introduce new cyber challenges. Innovative commercial-grade information technology (IT), operational technology (OT), and ICS risk-rating capabilities (external and internal) provide effective transparency, risk monitoring, and mitigation.

Cybersecurity officials can identify and address a majority of critical risks in real time through access to affordable risk auditing, rating, alerting, and mitigation services sector-wide.


UTILITY SECTOR CYBER RISKS

The US has more than 3,300 utilities today [1]. Their business and service operations increasingly depend on the Internet. Utilities are also being targeted by more sophisticated cyberattacks, by both state and non-state actors, than at any time in our history.

• A global survey by management consultant Accenture showed that 49 percent of utility executives believe their country faces a moderate risk of electrical supply interruption from a cyberattack on distribution grids in the next five years. Only 57 percent of those executives thought they were well-prepared for such an attack.

• The US has caught Russian specialists mapping critical infrastructure sites as far west as Kansas [2]. Among other targets, hackers went after quality control engineers at Wolf Creek Nuclear Operating Corporation’s nuclear power plant in Kansas. The specialists most likely work for Russia’s military intelligence agency (GRU).

• In 2018, top officials at the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) announced, for the first time, that Russia had been targeting the energy, electric, nuclear, commercial, water, aviation, and other critical infrastructure sectors in the U.S. The multi-stage intrusion campaign compromised domain controllers, file servers, and email servers. Analysis revealed that Russian cyber actors gained remote access to energy-sector networks and used it to collect information about US ICS.

  o DHS and FBI accused the Russian government of attempting to acquire the capability to destabilize basic services nationwide in the future. The campaign had the potential to affect multiple organizations in areas vital to US citizens’ daily lives.

  o A sophisticated attack on a mid-Atlantic power grid, based on the type of information targeted, could cut off a wide range of critical services, including:

    § Hospitals
    § First responders
    § Banks
    § Power plants
    § Airports and air traffic control
    § Traffic controls on thousands of miles of heavily traveled roads

[1] “Largest gas and electric utilities in the U.S. as of May 11, 2018, based on market value (in billion U.S. dollars)”. Statista, The Statistics Portal. Accessed Dec 21, 2018. https://www.statista.com/statistics/237773/the-largest-electric-utilities-in-the-us-based-on-market-value/

[2] Perlroth, N. and Sanger, D. “Cyberattacks Put Russian Fingers on the Switch at Power Plants, U.S. Says”. New York Times, March 15, 2018. https://www.nytimes.com/2018/03/15/us/politics/russia-cyberattacks.html

Contrary to popular portrayals of massive cyberattacks in which entire cities shut down block-by-block, actors would execute a truly crippling blow in stages against multiple systems over a few hours.


Even if attackers concentrate efforts over a short period of time, the ensuing chaos could yield wide-spread casualties and property damage. Under such circumstances, the US National Security Council (NSC) may be forced to respond. Even a smaller-scale attack impacting a few hundred square miles would almost certainly draw a significant US response.

Although well-organized hacker groups with terrorist or ideological motivations pose a threat to the US utility sector, state actors have far more resources and the expertise to conduct large-scale attacks on it. The most active and capable state actors, Russia, China, Iran, and North Korea, have conducted cyber reconnaissance against US utilities and are positioned to target them. Their intent varies:

• Russia and China use cyberattacks for strategic contingencies, military planning, and espionage, and at times simply to demonstrate their capabilities.

• Iran has itself been the target of sophisticated and destructive cyberattacks (Stuxnet, examined below) and has shown it can retaliate in kind (see the 2017 Saudi Arabia attack below).

• North Korea’s motive is often regime survival: it carries out cyberattacks in an attempt to deter the US from taking action, retaliates against threats, economic sanctions, or perceived insults (for example, the Sony Pictures Entertainment hack), and, of course, conducts cyberespionage.


KEY THREAT VECTORS USED AGAINST THE UTILITY SECTOR

State and non-state actors use many of the same techniques to attack a utility target. Small and mid-sized utility companies are especially vulnerable: staff shortages and a lack of employee training on IT/OT connections, computer security, and active cyber threats increase their risk. Some actors compromise vendors’ software before it is installed on a utility network, an especially effective way to attack through the supply-chain companies that support the utility sector. The capabilities of the following types of attacks make clear why they pose a serious threat to utility companies in the U.S. and around the world:

Malware: Malware is software designed to covertly operate on a compromised system without the knowledge of the user. This broad definition encompasses other types of “malicious software,” such as ransomware, spyware, and command and control software. Criminal organizations, state actors, and even well-known businesses have been accused of, and even caught, deploying malware against utility IT and OT infrastructure.

Like some other cyberattacks, malware attacks often draw media attention because of their potential to inflict severe damage across a utility architecture. Stuxnet malware is a complex malware platform examined further in this case study.

Spear phishing: A common type of cyberattack, spear phishing attacks focus on a specific individual or group and send them carefully worded emails. The attacker must study the target in detail so its message will look and sound authentic to the target. The attacker tries to induce the target to open or download an attachment containing malware.

If the attackers are able to write more sophisticated and detailed messages, they may be able to target the top management of an organization. Experts sometimes call this whaling.
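The mail-triage checks below are an added example, not code from the case study or from WhiteHawk. They implement four indicators that follow directly from the description above: a sender display name borrowed from an executive but attached to a foreign mailbox, a Reply-To that diverts the conversation, a lookalike of the organisation’s own domain, and an attachment of a type that carries code or macros. The organisation domain, the executive directory, the extension list and both sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed, hypothetical organisation data (not from the case study).
ORG_DOMAIN = "example-utility.com"
# Display names attackers are likely to borrow, mapped to the real mailbox.
EXECUTIVES = {"jane doe": "jane.doe@example-utility.com"}
# File types commonly used to deliver malware as an "attachment you must open".
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_message(raw: str) -> list:
    """Return the spear-phishing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Display name of a known executive on a mailbox that is not theirs.
    key = display.strip().lower()
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        findings.append(f"display-name impersonation: '{display}' <{addr}>")

    # 2. Reply-To diverts answers away from the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"reply-to mismatch: {reply_to}")

    # 3. External domain within two edits of ours (typosquat / lookalike).
    if sender_domain and sender_domain != ORG_DOMAIN \
            and _edit_distance(sender_domain, ORG_DOMAIN) <= 2:
        findings.append(f"lookalike domain: {sender_domain}")

    # 4. Attachment of a type that executes code or carries macros.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")
    return findings


# Constructed sample messages (not real mail).
SPEAR = """From: Jane Doe <jane.doe@example-utiliy.com>
To: ops-engineer@example-utility.com
Reply-To: jane.doe.ceo@mailbox-free.example
Subject: Urgent: updated relay settings for Substation 12
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached settings before the 3 pm switch-over.
--b1
Content-Type: application/octet-stream; name="RelaySettings.docm"
Content-Disposition: attachment; filename="RelaySettings.docm"

ZmFrZSBjb250ZW50
--b1--
"""

BENIGN = """From: Ops Colleague <ops.colleague@example-utility.com>
To: ops-engineer@example-utility.com
Subject: Shift handover notes

Nothing unusual on the overnight shift.
"""

if __name__ == "__main__":
    for finding in triage_message(SPEAR):
        print(finding)                              # four indicators
    print("benign:", triage_message(BENIGN))        # benign: []
```

These are heuristics for a mail gateway or SOAR playbook, not proof of phishing; the point is that a targeted message aimed at an operations engineer can be caught on structure (who it claims to be, where replies go, what it carries) before anyone has to judge the wording.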


Structured Query Language (SQL) injection: SQL is the language used to query and manage the data in most commercial and open-source relational databases. SQL injection (SQLi) is an attack in which crafted input, typically supplied through a web form or API parameter, is concatenated into an application’s SQL statement and changes what the database executes.

A successful attacker may bypass authentication; read, modify, corrupt, or delete data; and, depending on the database product and the privileges of the account the application connects with, run arbitrary code or gain operating-system access on the database host, from which the business IT or operational systems behind it can be reached.
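The following is an added example, not code from the case study, showing the authentication-bypass case described above against a constructed SQLite user table, together with the parameterized query that closes it. The table, users and passwords are invented for the demonstration; the `sqlite3` module is Python’s standard library.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo data: a tiny in-memory user table. Passwords are stored
    in plaintext only to keep the injection visible; real systems must hash them."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("operator", "S3cret!", "operator"),
        ("admin", "Adm1nPass", "admin"),
    ])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Deliberately vulnerable: the caller's strings are pasted into the SQL text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '" + username + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()   # (username, role) or None


def login_safe(conn, username: str, password: str):
    """Hardened: the statement text is fixed and the values are bound as
    parameters, so the driver never lets input change the query structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # "admin' --" closes the string literal; "--" comments out the password check.
    print(login_vulnerable(db, "admin' --", "wrong"))   # ('admin', 'admin')
    print(login_safe(db, "admin' --", "wrong"))         # None: looked up literally
    print(login_safe(db, "admin", "Adm1nPass"))         # ('admin', 'admin')
```

The vulnerable query is the pattern to look for in code review: any SQL built with `+`, `%` or f-strings from request data. Whether an injection goes beyond data theft to code execution depends on the DBMS and the connecting account’s privileges, which is why the application account should be limited to the tables and statements it actually needs.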

Denial-of-Service (DoS): DoS attacks focus on disrupting or preventing legitimate users from accessing websites, applications, devices, or other resources. Criminal organizations have used these attacks to extort money. Activist groups conduct them to further their agenda. And state actors use DoS attacks to retaliate against an enemy.

The impact and costs associated with DoS attacks vary widely. At the small end, an attack may do no more than force someone’s smartphone to reboot unexpectedly. A large-scale attack can prevent online businesses from serving their customers and, depending on how long it lasts, cost them millions of dollars in lost sales. Because of the hyperconnectivity of networked systems, this type of attack poses a serious threat to utility companies worldwide.

MAJOR CYBERATTACKS ON CRITICAL INFRASTRUCTURE IN RECENT YEARS

A brief look at several real-world examples demonstrates why utility industry decision makers should not dismiss generic warnings and instead develop tailored, modern cybersecurity plans.

Ukraine/Russia: In December 2015, Ukraine’s electric grid suffered a cyberattack that left about 225,000 people without power for up to six hours. Cyber experts consider it the first confirmed cyberattack to cause a power outage. In December 2016, another attack cut off about one-fifth of Kiev’s power supply for roughly an hour; given the fairly moderate impact, investigators said the hackers in this event may have been non-state actors. Most recently, in 2018, Russian hackers targeted Ukraine’s water supply, endangering water treatment; Ukraine’s security service detected the intrusion and averted a potential humanitarian crisis.

Estonia: In early 2007, a probable Russian DoS attack crippled government and corporate websites after officials announced they would move a Soviet World War II memorial out of the capital city of Tallinn.


Germany: A cyberattack on a steel mill in 2014, possibly using a variant of Stuxnet [3], took control of production systems and caused significant physical damage; it was the second known cyberattack to cause physical damage. German officials announced in March 2018 that a long-running intrusion had breached the Foreign Ministry’s network in Berlin, compromising sensitive documents. In late 2015, officials said a cyberattack on the parliament had resulted in the theft of a significant amount of data.

Saudi Arabia: A probable Iranian cyberattack on a petrochemical plant in 2017 compromised industrial safety controllers, produced in the US and used in about 18,000 plants worldwide, including water treatment facilities, oil and gas refineries, chemical plants, and nuclear facilities. These controllers watch voltage, pressure, and temperature within a plant’s pipes and shut processes down when readings leave the safe range. The attack’s secondary aim was to destroy computer data and shut down the plant; its main aim was to trigger a large explosion to kill personnel on site. A bug in the attackers’ code prevented them from fully achieving their goals.

US: According to the FBI and DHS, Russian hackers have gained access to the control rooms of electric utilities. They conducted a long-running, and continuing, covert campaign against the networks of trusted vendors that supply the utility sector. Utility control networks are often protected by air-gapping, a measure that physically isolates a secure network from unsecured networks such as the Internet or an unsecured local area network. Trusted vendors, however, hold special access to update software, run diagnostics, and perform other services throughout the US utility sector, and that access bridges the gap. By compromising the vendors’ networks, the attackers acquired a capability to cut power in large areas of the US for hours or even months. How long restoration would take depends on the damage inflicted on the network, according to a leading utility security expert; it could be comparable to the damage a major hurricane inflicts.

[3] Stuxnet is a computer worm discovered in 2010. It primarily targets control systems for large infrastructure, including energy plants. Numerous variants have been identified since then.


A CLOSER LOOK AT THE STUXNET IMPACT ON UTILITIES: WHAT IS IT, AND HOW DOES IT WORK?

Stuxnet is an extremely sophisticated computer worm first identified in the summer of 2010 by an antivirus firm in Belarus investigating misbehaving Iranian systems. It exploited several previously unknown Windows zero-day vulnerabilities to infect computers and spread across networks and removable media in order to cause physical damage.

Although it spread widely, Stuxnet was not designed to attack every system it infected. Its payload targeted only specific networks connected to the centrifuges Iran used to enrich uranium for reactors and, potentially, nuclear weapons.

The worm works in three stages. In the first stage it spreads and replicates on Windows computers, checking each one for a connection to specific models of programmable logic controllers (PLC) made by Siemens. PLCs let computers interact with and control industrial machinery such as uranium centrifuges; on a host with no such connection the payload stays dormant.

In the second stage, the worm compromises the Windows-based Siemens software used to program and monitor those PLCs, software widely used in industrial networks. Through that software it gains access to the PLCs and begins stage three: it reprograms the PLC logic so the centrifuges spin too rapidly and for too long, damaging or destroying them. While this takes place, the malware feeds the monitoring computers recorded, normal-looking values, so operators see nothing wrong. This makes detection difficult and delays any countermeasure until the damage is done.

Also in stage three, the worm gives its creators access to potentially crucial industrial information and could be used to manipulate machinery at other industrial sites. It is so invasive that if a USB device is plugged into a compromised system, the worm copies itself onto the device and then spreads to any subsequent computer the USB device is plugged into.


WHO CREATED STUXNET AND WHY?

US and Israeli intelligence agencies began developing Stuxnet in 2005, likely as a closely held special access program (SAP) under the code name Operation Olympic Games. Its purpose was to destroy both older and state-of-the-art centrifuges, and other related equipment, that Iran used to enrich uranium to the point where it was suitable for use in nuclear weapons.

If they could not destroy all the centrifuges, developers anticipated the virus would at least cause a significant interruption of Iran’s nuclear weapons development program.

Eventually, Stuxnet infiltrated some 15 Iranian facilities; an infected USB drive carried in by a worker may have initiated the attack. Problems began to surface at Iran’s Natanz nuclear facility, and by the summer of 2010 it was clear something was wrong.

When inspectors from the International Atomic Energy Agency (IAEA) visited Natanz, they noticed a large number of uranium-enriching centrifuges breaking down. But they did not know the cause at that time.

In 2010, Iran brought in computer security specialists from Belarus. They found multiple malicious files on the Iranian computers, later identified as the Stuxnet worm.

Estimates of the damage done to Iran’s enrichment centrifuges range anywhere from 30 percent destroyed to as much as 60 percent. More conservative and accepted estimates put the damage at almost 1,000 centrifuges destroyed, or about 30 percent of Iran’s enrichment capacity.

THREE COUSINS OF THE STUXNET VIRUS

According to cyber researchers at the Budapest University of Technology and Economics (CrySyS Lab), the discovery of Stuxnet in 2010 began a new era in the cybersecurity “arms race”. Stuxnet was not the first targeted attack on industrial systems, they noted, but it was the first to receive worldwide attention because of its unique purpose.

Duqu: In October 2011, during a forensic investigation at a European firm, investigators discovered malware with striking similarities to Stuxnet and named it Duqu. Rather than destroy, Duqu operated as a cyberespionage tool; it shares Stuxnet’s internal structure, mechanisms, and implementation details.

Flame: In May 2012, investigators discovered another information-gathering malware—and variant of Stuxnet—and named it Flame. This malware has identical code segments to an early version of Stuxnet. Investigators believe Flame is part of the same cyberespionage operation as Duqu.


Gauss (Godel module): In June 2012, analysts discovered malware named Gauss. Gauss appears to be built on the same platform as Flame and is likewise information-gathering malware. It has one unique feature: an encrypted module called Godel that can be decrypted only on the systems it targets. As of 2012, researchers had not determined the purpose, operation, or true mission of this module.

Interestingly, Stuxnet and these three variants had been operating for some time before discovery. Sophisticated malware is ever-changing, and adversaries will continue to use it against the US utility sector.

KEY PRAGMATIC AND AFFORDABLE CYBER RISK MITIGATION THINKING AND SOLUTIONS

Accenture Five-step Approach [4]: Accenture has developed a common-sense, five-step approach for combating cyberattacks on the US utility sector:

• Investigate a platform approach to cyber security capabilities
• Integrate resilience into asset and process design
• Share threat information
• Develop security and emergency management governance models
• Develop relationships with regional and security officials and cyber response experts

Congress would likely have to pass legislation in order for the U.S. to accept and enforce this approach or something similar nationwide. The law would have to include provisions for significant federal and state funding to train current personnel, attract and train new recruits, and ensure up-to-date technological support. For this effort to succeed across the country, utility units would need to reorganize to eliminate the cultural and organizational silos often present between operational and technical business units.

[4] Outsmarting Grid Security Threats, as of September 28, 2017. Accenture Consulting. Accessed Dec 21, 2018. https://www.accenture.com/t20170928T152900Z__w__/ie-en/_acnmedia/PDF-62/Accenture-Outsmarting-Grid-Security-Threats-POV.pdf


WhiteHawk Solution Background Based on the Cyber Risk Management Framework Premise:

• Utilities vary in size, resources, and sophistication.
• Utility sector entities are cognizant of current cyber threat actors and methods, but do not know the best ways to identify, prioritize, and mitigate top risks.
• Cyber officials do not update or keep current the information gathered from annual sector-wide cybersecurity audits.
• The utility sector cyber posture could benefit from automating and analyzing audit data to gain better insight and improve sector resilience.
• NIST Framework, ISSO, and C2M2 compliance-based practices provide foundational, but insufficient, capabilities to identify vulnerabilities and gaps, particularly for the less sophisticated utilities.
• Specific commercial-grade IT, OT, and ICS risk rating capabilities provide effective transparency, risk monitoring, and mitigation.

TOP TECHNICAL SOLUTIONS FOR UTILITY SECTOR CYBERSECURITY CONSIDERATION

To tackle increasing cyber risks, companies need to put cybersecurity measures at the very heart of their business. Below is a brief overview of a four-point plan to address key utility sector cybersecurity risks in real time.

1. Optimize an annual cybersecurity online compliance-based self-assessment or risk baseline

• Update and align current audit questionnaires by utility sector
• Automate questionnaires to enable AI-driven data analytics of trends and document issues by region and sector
• Provide seamless access to affordable and impactful risk mitigation policies, practices, and solutions that map to audit issues

2. Implement affordable access to best-of-breed cyber risk ratings, continuous monitoring, risk indicator alerting, and mitigation services sector-wide

Affordable automated tools enable cyber analysts to identify and address a majority of risks in real time and let utility sector cyber managers focus limited resources on top risk priorities. A risk-based approach identifies the assets most important to an operation; rather than being buried under an avalanche of threat alerts, companies can concentrate on the assets that matter most.


• BitSight Security Rating Platform measures a company’s security performance to produce daily security ratings.

• RiskRecon provides insight into third parties’ security performance and IT landscape, helping companies allocate risk resources to where they are most needed.

3. Maintain Inventory of Control System Devices

Control systems carry a number of security risks that cybersecurity teams often overlook, including unsupported software, slow patching, poor physical security, and hardware-level weaknesses. An accurate inventory lets defenders find unmanaged devices and unexpected connections to external networks before threat actors use them as pathways into control systems. A detailed inventory of control systems should include:

• All hardware and software controls used in support of operations
• Information pertaining to each device and model type, and
• Serial numbers

Detailed inventory information can mean the difference between minutes versus days when assessing vulnerabilities. The following two tools can assist in this step.

• Tanium can help make the right decisions about asset utilization with fresh and accurate inventory information.

• Check Point helps protect industrial control systems against some of the unique challenges posed in this sector. Service uptime, data integrity, compliance, and public safety require organizations to take specific steps to safeguard critical assets.
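Whatever tool holds the inventory, the value comes from reconciling it against two other sources: what is actually on the control network, and what vendors have published about the firmware in it. The reconciliation below is an added example, not code from the case study or from any of the vendors named above. Every vendor, model, firmware version, serial number, IP address and advisory identifier in it is a constructed placeholder; it also tracks a firmware version per device, a field the list above does not name but which the advisory check needs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    asset_id: str
    vendor: str
    model: str
    firmware: str
    serial: str
    ip: str


# Constructed inventory of record. Vendors, models, versions and serials are
# hypothetical placeholders, not real products.
INVENTORY = [
    Device("PLC-01", "ExampleVendor", "PLC-X100", "4.2.1", "SN-0001", "10.10.1.11"),
    Device("PLC-02", "ExampleVendor", "PLC-X100", "3.9.0", "SN-0002", "10.10.1.12"),
    Device("RTU-01", "OtherVendor", "RTU-Z7", "2.0.5", "SN-0101", "10.10.2.21"),
]

# Constructed result of a passive discovery pass on the control network:
# what is actually answering on the wire right now.
OBSERVED = [
    {"ip": "10.10.1.11", "vendor": "ExampleVendor", "model": "PLC-X100", "firmware": "4.2.1"},
    {"ip": "10.10.1.12", "vendor": "ExampleVendor", "model": "PLC-X100", "firmware": "3.9.0"},
    {"ip": "10.10.2.21", "vendor": "OtherVendor", "model": "RTU-Z7", "firmware": "2.1.0"},
    {"ip": "10.10.3.5", "vendor": "?", "model": "?", "firmware": "?"},
]

# Constructed advisory feed: (vendor, model, first fixed firmware, advisory id).
# The advisory id is a hypothetical placeholder, not a real CVE.
ADVISORIES = [
    ("ExampleVendor", "PLC-X100", "4.0.0", "HYPOTHETICAL-ADV-001"),
]


def parse_version(v: str) -> tuple:
    """'4.2.1' -> (4, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def reconcile(inventory, observed, advisories) -> list:
    """Compare the inventory of record with observed devices and an advisory feed.

    Returns sorted (kind, subject, detail) tuples:
      ROGUE      - on the network but not in the inventory (unmanaged pathway)
      MISSING    - in the inventory but not seen (decommissioned? disconnected?)
      DRIFT      - firmware on the wire differs from the recorded version
      VULNERABLE - recorded firmware is older than the advisory's fixed version
    """
    by_ip = {d.ip: d for d in inventory}
    seen = set()
    findings = []
    for o in observed:
        dev = by_ip.get(o["ip"])
        if dev is None:
            findings.append(("ROGUE", o["ip"], "device not in inventory"))
            continue
        seen.add(dev.asset_id)
        if o["firmware"] != dev.firmware:
            findings.append(("DRIFT", dev.asset_id,
                             f"inventory says {dev.firmware}, observed {o['firmware']}"))
    for dev in inventory:
        if dev.asset_id not in seen:
            findings.append(("MISSING", dev.asset_id, "in inventory but not observed"))
    for vendor, model, fixed, adv in advisories:
        for dev in inventory:
            if (dev.vendor, dev.model) == (vendor, model) \
                    and parse_version(dev.firmware) < parse_version(fixed):
                findings.append(("VULNERABLE", dev.asset_id,
                                 f"{adv}: firmware {dev.firmware} < fixed {fixed}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject, detail in reconcile(INVENTORY, OBSERVED, ADVISORIES):
        print(f"{kind:<10} {subject:<12} {detail}")
```

On the constructed data this flags one unknown device on the network, one RTU whose firmware changed without the inventory being updated, and one PLC running firmware older than the advisory’s fix. When a new advisory arrives, the same join answers “which of our devices does this affect?” in seconds, which is the minutes-versus-days difference the step above describes.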

4. Leverage the following recommended technologies

• Implement monitoring of operational technology (OT) networks to improve unified monitoring and detection strategies against threats.

• Use industrial control system (ICS) sensors, which provide visibility into control-network traffic and feed the same unified monitoring and detection strategy.

• Implement technologies across OT and ICS that identify threat vectors, including honeypots to attract and trap adversaries. Some options are:

o Radiflow is a leading provider of cybersecurity for ICS and supervisory control and data acquisition (SCADA) networks in the utility sector.


o Sandboxing is a software management strategy that isolates applications from critical systems and other programs. Virtual machines (for example, VMware) or containers (for example, Docker) can create disposable sandboxes, and Linux and Solaris have isolation primitives built in; note that containers share the host kernel and are a weaker boundary than a virtual machine. Other tools perform process isolation, such as Black Box (sandbox technology for ICS), which offers a number of solutions for integrating SCADA systems with newer technologies and leveraging existing ones.

o D3 Security is a single incident management solution that provides situational awareness across cyber threats, risk assessments, and the status of compliance with standards such as the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards.

o CyberSponse CyOPs platform is an enterprise-built security orchestration and security automation workbench that empowers security operation teams. CyOPs provides teams with the means to work smarter and respond in near real time. The platform includes capabilities for triage and investigation of alerts and supports collaboration and remediation between team members.

o Mission Secure Inc. (MSI) provides an innovative approach and patented software/hardware platform to help power organizations stay ahead of the evolving cyber physical threat curve. Its Secure Sentinel Platform delivers a reliable means of assuring integrity within the operator’s specific system and the ability to take corrective action preventing potentially catastrophic consequences.

To tackle increasing cyber risks, utilities need to put cybersecurity measures at the heart of their daily operations by phasing in the above approaches and taking full advantage of current cyber technologies.

For any questions or advice about potential cyber vulnerabilities or assistance in bolstering cyber defenses, please contact WhiteHawk’s Advisory Services online or at (833) 942-9237.