Cybercrime Motive
Most cyberattacks are motivated by money: estimated revenue from cybercrime has reached nearly $1.5 trillion per year. The majority of today's cyber threat actors are ordinary criminals who have adapted to the digital landscape. Low-end earners in the cybercrime economy can still pull in close to $3,500 per month, and top earners clear over $160,000 over the same period. With returns like these, it is no surprise that profit tops the list of cybercrime motives year after year.
Now, remove money from the equation. What becomes the endgame when the attacker measures success in terms of something other than profit? If money is not the goal, does the profile of the target change? Who would be motivated to carry out cyberattacks of this nature?
Hacktivists and, above all, nation-states fit that profile, with terror groups a distant third. Political motivation is currently one of the main driving forces behind attacks by these actors. Influencing public opinion (the 2016 Democratic National Committee leak), disrupting the production capabilities of a foreign adversary (the Stuxnet worm, discovered in 2010) and advancing military operations (the reported 2007 use of the Suter system in Operation Outside the Box) all exemplify politically charged cyberattacks.
Taking a Closer Look at Energy and Natural Resources
Firms in the energy and natural resource sector face threats rooted in both financial and political motives: financial because these companies are first and foremost businesses, and political because, as part of society's critical infrastructure, they underpin the lives of people and the operations of public and private sector organizations across entire regions.
The U.S. government has taken note. In July 2018, the Senate Energy & Natural Resources Committee held a session with time allocated to discussing policy revolving around the securing of power grids and gas/electricity delivery infrastructure from cyber and physical attack vectors.
Several factors shape the current landscape. Many infrastructure control systems in place today were designed before security was a major concern, so retrofitting them with modern technology to detect and alert on intrusion attempts can prove difficult. At the same time, new technology is being introduced into that legacy environment: IoT (internet of things) devices such as smart sensors and smart meters, and products that integrate with cloud services, often with security as an afterthought.
The risk posed by compromise of this infrastructure is unmistakable. Fortunately, most of the publicly documented weaknesses have been uncovered by researchers and white hats working to strengthen security. But there are a few instances of malicious cyber activity targeting energy infrastructure.
Ukrainian Power Grid Attack
The most widely recognized (and first publicly confirmed) cyberattack to cause a power outage was the attack on the Ukrainian power grid in December 2015. The immediate impact: a blackout affecting roughly 230,000 customers, most of them served by a distribution company called Prykarpattyaoblenergo. The perpetrators did not simply flip the breakers; they strung multiple facets of the attack together, across three energy distribution companies, to keep residents uninformed and delay operators from getting the grid back online.
How was Prykarpattyaoblenergo initially compromised? Multiple employees opened phishing emails carrying Microsoft Office documents with a malicious macro that, when enabled, installed a form of malware called BlackEnergy. The actors then used their foothold on the corporate Windows network to harvest user account credentials and slowly gather the information needed to plan the next stage. Eventually they moved laterally into the SCADA network using compromised accounts that had VPN access. The VPN was the sanctioned path through the firewall that segmented the two networks, and because it did not require two-factor authentication, a stolen password alone was enough. From the SCADA network they could interact directly with the equipment controlling the power supply.
Before initiating the outage, the attackers took two additional steps: 1) they disabled the backup power supply (UPS) at multiple control centers, leaving the operators responsible for handling outages in the dark, literally, and 2) they overwrote the firmware of serial-to-Ethernet converters at substations so that operators could not close the breakers remotely and would need physical access to restore power. Then, as the attackers began opening breakers to start the outage, a telephone denial-of-service attack (the phone-line analogue of a DDoS) hit the customer call centers. The torrent of fake calls was designed to keep legitimate customer calls from getting through, slowing the flow of information between customers and operators.
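Two of the control failures described above, single-factor VPN access into the control network and corporate accounts reaching it at all, are detectable from ordinary VPN gateway logs. The following is an added example, not code from the original article or from any of the companies involved: it parses a constructed sample of gateway authentication records (the `key=value` line format, the gateway names `corp-vpn`/`ics-vpn`, the user names and the addresses are all assumptions made for illustration) and raises an alert for any successful login to the ICS gateway without a second factor, for any ICS login by an account outside the operator allow-list, and for a success that follows a burst of failures, which is what credential testing with harvested passwords tends to look like.

```python
import re
from datetime import datetime

# Constructed sample of VPN gateway authentication records (not real logs).
# The field layout is an assumption for this example.
SAMPLE_LOG = """\
2015-12-23T14:02:11Z gw=corp-vpn user=j.melnyk src=203.0.113.10 mfa=yes result=success
2015-12-23T14:05:40Z gw=ics-vpn user=o.shevchenko src=198.51.100.7 mfa=yes result=success
2015-12-23T14:11:03Z gw=ics-vpn user=j.melnyk src=203.0.113.10 mfa=no result=success
2015-12-23T14:11:59Z gw=ics-vpn user=svc-backup src=203.0.113.10 mfa=no result=success
2015-12-23T14:12:30Z gw=corp-vpn user=a.koval src=203.0.113.44 mfa=no result=failure
2015-12-23T14:13:05Z gw=corp-vpn user=a.koval src=203.0.113.44 mfa=no result=failure
2015-12-23T14:13:41Z gw=corp-vpn user=a.koval src=203.0.113.44 mfa=no result=failure
2015-12-23T14:14:02Z gw=corp-vpn user=a.koval src=203.0.113.44 mfa=yes result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) gw=(?P<gw>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)


def parse(text):
    """Turn log text into a list of dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["mfa"] = rec["mfa"] == "yes"
        records.append(rec)
    return records


def detect(records, ics_gateway, ics_operators, failure_threshold=3):
    """Apply three rules in log order and return the alerts they raise."""
    alerts = []
    failures = {}  # (user, src) -> consecutive failures seen so far
    for r in records:
        key = (r["user"], r["src"])
        if r["result"] == "failure":
            failures[key] = failures.get(key, 0) + 1
            continue
        # Rule 1: the Ukraine control failure, single-factor access to the ICS VPN.
        if r["gw"] == ics_gateway and not r["mfa"]:
            alerts.append({"rule": "ics-vpn-no-mfa", "user": r["user"], "ts": r["ts"]})
        # Rule 2: an account that has no business on the control network got in.
        if r["gw"] == ics_gateway and r["user"] not in ics_operators:
            alerts.append({"rule": "ics-vpn-unexpected-account", "user": r["user"], "ts": r["ts"]})
        # Rule 3: success right after a burst of failures looks like password guessing
        # or testing of harvested credentials.
        if failures.get(key, 0) >= failure_threshold:
            alerts.append({"rule": "success-after-failures", "user": r["user"], "ts": r["ts"]})
        failures.pop(key, None)  # a success resets the failure streak
    return alerts


if __name__ == "__main__":
    # o.shevchenko is the only account approved for the ICS gateway (assumed).
    for a in detect(parse(SAMPLE_LOG), "ics-vpn", {"o.shevchenko"}):
        print(f"{a['ts'].isoformat()} {a['rule']:28} user={a['user']}")
```

Running the block as a script prints five alerts: two for the single-factor ICS logins, two for the same logins being made by accounts outside the operator list, and one for `a.koval` succeeding after three failures. On a real gateway the rule set is the easy part; the harder work is making sure the gateway actually logs whether the second factor was completed, since a log that cannot distinguish the two cases cannot support rule 1.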
Takeaways
The Ukrainian example is sobering, but the control failures behind it carry clear lessons. The surface-level items come to mind first: two-factor authentication on every remote path into the control network, and anti-phishing measures. But what about hardening the inside of your network? Assume that an outsider already has credentialed access (through phishing, for example). From there, the question becomes what limits the scope of the compromise: what stops that outsider from harvesting further credentials and pivoting across your systems.
Fortunately, the United States has published established control frameworks to guide critical infrastructure operators in combating these threats. One example specific to the energy industry is the Department of Energy's Cybersecurity Capability Maturity Model (C2M2) program.
Beyond adopting a control framework, you can subject your controls to simulated real-world threats through penetration testing. An assessment of this kind can emulate an attacker who already has network access, testing network segmentation, lateral movement techniques and endpoint hardening, among other things.
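One concrete segmentation check a tester (or the operator, between assessments) can run from a corporate workstation is to try to reach the services that should only be reachable from inside the control network. The following is an added example, not code from the original article or from any assessment: it takes an expected-policy matrix (the hosts, ports and allow/deny expectations below are constructed for illustration) and reports every place where reality disagrees with the policy, in either direction. The `connect` parameter exists so the logic can be exercised offline with a stand-in for the real TCP connect.

```python
import socket

# Constructed expected-policy matrix for a probe run from the corporate LAN.
# Addresses are from the documentation range and stand in for real assets.
POLICY = [
    ("192.0.2.10", 502, "deny"),    # Modbus/TCP on an assumed RTU address
    ("192.0.2.11", 20000, "deny"),  # DNP3 on an assumed RTU address
    ("192.0.2.20", 3389, "deny"),   # RDP straight to an HMI must be blocked
    ("192.0.2.5", 443, "allow"),    # the sanctioned, MFA-protected VPN/jump host
]


def tcp_connect(host, port, timeout=2.0):
    """Return True if a TCP handshake completes, False on any failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segmentation(policy, connect=tcp_connect):
    """Compare observed reachability with the expected policy.

    Returns one finding per mismatch. 'deny' expected but reachable means a
    pivot path from the corporate network into the control network exists;
    'allow' expected but unreachable means the sanctioned path is broken,
    which in practice pushes people toward ad-hoc workarounds.
    """
    findings = []
    for host, port, expected in policy:
        actual = "allow" if connect(host, port) else "deny"
        if actual != expected:
            findings.append({
                "host": host,
                "port": port,
                "expected": expected,
                "actual": actual,
                "severity": "high" if expected == "deny" else "medium",
            })
    return findings


def summarize(findings):
    """Count findings by severity so a run can be compared across assessments."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    # Live run: probes the POLICY targets with a real TCP connect.
    for f in check_segmentation(POLICY):
        print(f"[{f['severity']}] {f['host']}:{f['port']} expected {f['expected']}, got {f['actual']}")
```

A clean run returns no findings. Any high-severity finding is a direct lateral-movement path of the kind the Ukrainian attackers used, and belongs in the assessment report even if the service behind it turns out to require authentication; in a control network the exposure itself is the problem.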