
Hack the Grid: It May Be Easier Than We Thought. Now What?

By Special Guest
Shrey Fadia, Special Correspondent
August 13, 2018

Cybereason, one of the top companies scanning the increasing cyberthreat landscape, reported earlier this month that the ICS (industrial control system) environments that handle the generation, transmission and metering of energy may be easier to hack than even the most seasoned security professionals may have believed.

Critical infrastructure keeps our economy and society going, and threats to it have long been taken seriously by governments around the world – but are those governments, and their utility partners, taking enough precautions to keep our power grid from going down?

No power – no Internet.

No Internet – no public services, public safety, ecommerce or communications in general, not to mention frozen transportation systems and more.

We’ve seen frightening attacks in the last few years on critical infrastructure, including attacks on a dam in New York, and successful attempts to install malware on the operating systems of companies in the smart grid, nuclear and water industries.

Cybereason researchers set up a honeypot in mid-July that mimicked a utility substation’s network environment, attracting the attention of what seemed to be an amateur who nevertheless repeatedly disabled the security system.

And while Cybereason reckoned the attack was not the work of any advanced persistent threat (APT) group connected with a nation-state, it is still highly disturbing that even amateurs can hack into such a system and disable it.

The honeypot environment went live late in the second quarter and had a network architecture that’s representative of a typical power substation including an IT environment, an OT environment and HMI (human machine interface) management systems. The environment employed customary security controls including segmentation between the different environments.

“The honeypot contained bait to entice attackers, including three Internet facing servers (Sharepoint, SQL and domain controller) with remote access services like RDP and SSH and weak passwords. Nothing was done to promote the servers to attackers. However, the servers’ DNS names were registered and the environment’s internal identifiers used a moniker that resembled the name of a major, well-known electricity provider,” Cybereason wrote in a blog.

“Two days after the honeypot was launched, Cybereason determined that a black market seller had discovered it based on a toolset that had been installed in the environment. The tool -- xDedic RDP Patch -- is commonly found in assets that are being sold in the xDedic black market. It allows a victim and an attacker to use the same credentials to simultaneously log in to a machine using RDP (Remote Desktop Protocol).”
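As an added example (not code from Cybereason's post or the article), the behaviour the patch enables is observable in session records: the same account holding Remote Desktop sessions from two source addresses at once. The event format and sample entries below are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed RDP logon/logoff events (timestamp event account source_ip);
# hypothetical format, not real data.
SAMPLE_EVENTS = """\
2018-07-18T09:00:00 logon  svc_hmi 10.1.1.20
2018-07-18T09:04:00 logon  svc_hmi 203.0.113.44
2018-07-18T09:30:00 logoff svc_hmi 10.1.1.20
2018-07-18T09:31:00 logoff svc_hmi 203.0.113.44
2018-07-18T10:00:00 logon  admin   10.1.1.21
2018-07-18T10:10:00 logoff admin   10.1.1.21
2018-07-18T10:15:00 logon  admin   10.1.1.22
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, kind, account, src = line.split()
        events.append((datetime.fromisoformat(ts), kind, account, src))
    return sorted(events)

def concurrent_rdp_sessions(events):
    """Return (account, existing_ip, new_ip, when) each time an account
    opens an RDP session while it already holds one from another address.
    Windows normally restricts each account to a single Remote Desktop
    session (a second logon takes over the first); a tool that lifts that
    restriction shows up as overlapping sessions in these records."""
    active = defaultdict(dict)  # account -> {source_ip: logon_time}
    findings = []
    for ts, kind, account, src in events:
        if kind == "logon":
            for other_ip in active[account]:
                if other_ip != src:
                    findings.append((account, other_ip, src, ts))
            active[account][src] = ts
        elif kind == "logoff":
            active[account].pop(src, None)
    return findings

if __name__ == "__main__":
    for account, ip_a, ip_b, ts in concurrent_rdp_sessions(parse_events(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()}: {account} active from {ip_a} and {ip_b} simultaneously")
```

The admin account in the sample is not flagged because its sessions never overlap; only svc_hmi is reported.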

What can be done to address the threat of amateur and professional attacks against the energy grid?

We asked Rick Conklin, CTO, Dispersive Networks, a company providing hyper-secure wide area networking solutions to the energy industry, to weigh in.

“As the adoption of renewable and distributed energy resources accelerates, there is a corresponding need for increased, real time visibility into assets across the entire electric industry ecosystem. This visibility is necessary to ensure load balancing of supply and demand, but it’s problematic in that it opens the grid to a huge number of potential intrusion points,” Conklin said. “Given that many communicating nodes are IoT devices with attack vectors for a range of cyberthreats, it’s imperative that grid operators, utilities, distributed energy resources (DERs) and other ecosystem partners take steps to harden the grid to protect it in the face of increasingly agile and sophisticated adversaries. Specifically, I recommended that the following precautions be taken:

  1. Implement call-out only techniques for all devices connected to the grid
  2. Limit communications to authenticated and authorized “known” peers
  3. Encrypt each stream with a different key
  4. Ensure path and link diversity, especially for critical assets
  5. Use split-session techniques

Additionally, I encourage grid participants to evaluate virtualization technologies as a novel way to protect critical infrastructure, especially in a multi-cloud environment. This will allow operators to spin resources up and down in the face of attack and make the network more resilient.”

Cryptomining bots also were part of the honeypot test. Cybereason reports that after a few days “the honeypot was hit with cryptomining bots, phishing bots, DDoS bots, activity that Internet-connected assets typically experience. Then 10 days after the honeypot went live, the actor who is assumed to be the asset’s new owner connected to it using one of the backdoors created by the seller. The transaction most likely took place in a nonpublic channel, preventing Cybereason from obtaining information on how the payment was made.”

So how is blockchain being used to support attacks through payments that don’t traverse centralized (and regulated) payments systems?

Cybereason went on to explain that “After being stymied by the firewall, the adversaries began using a multipoint network reconnaissance process to identify potential paths from the IT environment into the OT environment. This approach assumes that different assets in an environment have different segmentation and network accessibility policies. For instance, in a typical IT/OT environment, certain assets (monitoring systems, data repositories and file servers, for example) that are hosted in the IT environment are also accessible from the OT environment. Using multipoint network reconnaissance the attackers move laterally to multiple assets and run parallel network discovery processes to locate an asset that is accessible to the OT network.”

The attackers then moved from the remote server to a Sharepoint server, to the domain controller to the SQL server, running network discovery to determine if one of these assets would allow them to access the ICS environment. Instead of scanning the full network, attackers focused on scanning for assets that would give them access to the HMI and OT controllers.

This didn’t take long.

Within 47 hours, the attackers got into the environment and conducted reconnaissance aimed at finding an entry point from the IT environment to the OT environment.
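The multipoint reconnaissance pattern described above can be spotted from firewall or flow logs. This added example, not from Cybereason or the article, flags IT-zone hosts that touch several OT-zone addresses within a short window and then checks whether several such hosts did so in parallel; the subnets, thresholds and log entries are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

IT_NET = ipaddress.ip_network("10.1.0.0/16")  # assumed IT zone
OT_NET = ipaddress.ip_network("10.2.0.0/16")  # assumed OT/HMI zone
FANOUT_THRESHOLD = 3  # distinct OT hosts touched by one IT source
WINDOW = timedelta(minutes=10)

# Constructed firewall log (timestamp src dst dport action); not real data.
SAMPLE_LOG = """\
2018-07-20T14:00:01 10.1.5.10 10.2.0.5 502 deny
2018-07-20T14:00:02 10.1.5.10 10.2.0.6 502 deny
2018-07-20T14:00:03 10.1.5.10 10.2.0.7 20000 deny
2018-07-20T14:00:05 10.1.5.12 10.2.0.5 3389 deny
2018-07-20T14:00:06 10.1.5.12 10.2.0.9 3389 deny
2018-07-20T14:00:07 10.1.5.12 10.2.0.10 3389 allow
2018-07-20T14:05:00 10.1.9.40 10.2.0.5 502 allow
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, action = line.split()
        flows.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(dport), action))
    return sorted(flows)

def it_to_ot_scanners(flows):
    # IT hosts touching >= FANOUT_THRESHOLD distinct OT addresses within one
    # WINDOW, mapped to when the burst began. Denied probes count too.
    probes = defaultdict(list)
    for ts, src, dst, _port, _action in flows:
        if src in IT_NET and dst in OT_NET:
            probes[src].append((ts, dst))
    scanners = {}
    for src, hits in probes.items():
        for i, (start, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - start <= WINDOW}
            if len(targets) >= FANOUT_THRESHOLD:
                scanners[src] = start
                break
    return scanners

def multipoint_recon(scanners):
    # Scanners whose bursts began within WINDOW of the earliest one: parallel
    # discovery from several IT footholds rather than a single noisy host.
    if not scanners:
        return []
    first = min(scanners.values())
    group = sorted(str(s) for s, ts in scanners.items() if ts - first <= WINDOW)
    return group if len(group) >= 2 else []
```

The single historian-style flow from 10.1.9.40 to one OT host is not flagged; the two IT hosts sweeping several OT addresses in the same minute are reported as one multipoint group.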

Regarding state actors, speaking about the two-year-old alleged Russian government hacking campaign, US Department of Homeland Security (DHS) official Jonathan Homer recently said the Russians had accessed an industrial control system (ICS) but had not caused any operational impact on the system.

“They’ve had access to the button but they haven’t pushed it,” Homer said.

Ukraine was not as lucky as the US.

The hackers who successfully brought down power centers in Ukraine in late 2015 were not amateurs.

According to an extensive investigation, they carefully planned their assault over many months, first doing reconnaissance to study the networks and steal credentials before launching a synchronized assault.

Ukraine was quick to point the finger at Russia for the assault, but according to the analysis, there were multiple parties involved, which some say indicates collusion between private and nation-state agencies.

The report also noted that the control systems in Ukraine were more secure than some in the US.

The power was only out for six hours in Ukraine; however, the control centers suffered damage that took months to address.

The cost of a broad scale successful attack on our energy grid in the US?

Trillions of dollars and countless lives lost, as every system shuts down, from banking to sewers.

The U.S. Department of Homeland Security revealed that Russian government hackers have gained deep access to hundreds of U.S. electrical utility companies, gaining far more access to the operations of many more companies than previously disclosed by federal officials.

Even more recently the FBI came out with a warning regarding hacking networks through the Internet of Things.

Edited by Ken Briodagh
