Utilities face a growing global cyber threat landscape - Nextgov

2021-11-26 07:55:42 By : Ms. Ling Nan

The global power industry is facing an increasingly dangerous situation of cyber threats, although there have been no destructive attacks publicly witnessed in the past five years. Utilities around the world have been strengthening their security against IT cyber threats, but they have not paid enough attention to their industrial control systems (ICS) and operational technology (OT) systems.

These are two high-level conclusions of the new report "Global Electronic Cyber Threat Outlook" released by Dragos Inc., a Maryland company specializing in industrial cyber security. The company held a web briefing on October 26 to share its findings.

Jason Christopher, Dragos' chief cyber risk consultant, said that historically, utility ICS has been "isolated", but over time, connections to the Internet have been growing.

Christopher said that this trend is "accompanied by business reasons." "It's all for the business case - to get real-time data and be able to send it back to the operator. [And] now it is integrating itself into more edge situations, such as the cloud, or how to feed more data into our network. Under normal circumstances, security will be in trouble."

He praised the Biden administration for releasing a 100-day plan in April specifically aimed at strengthening the security of the ICS and energy sector supply chains for utilities. He said that the government recognizes that future threats will be based on the growing connection between ICS and the Internet, which is a positive development.

"This is one of the things that caught me off guard: this is the first time I have seen the government request an OT system" to improve security, he said. "Always [before] this is a disguised conversation... As of August 16, at least 150 power companies serving nearly 90 million Americans have adopted or promised to adopt technology" to improve security.

Pasquale Stirparo, Dragos' main rival hunter and author of the report, said Dragos is currently tracking 15 "active groups" composed of hostile or potentially hostile actors. The identification of the activity group (AG) is "based on observable elements, including the opponent's operating methods, the infrastructure used to execute the action, and the goals they focus on. The goal... is described by the effects of observed actions, capabilities, and displays the adversary - not an implied or hypothetical intention. These attributes combine to create a structure around which a defense plan can be developed," the report points out.

Of the 15 active AGs, 11 target utilities, and two of them have enough ICS-specific features and tools to trigger disruptive events, Stirparo said.

As far as the threat environment is concerned, there are three operating sectors in the utility industry: power generation, transmission and distribution. "Each of these market segments has its own characteristics," Stirparo said. "For example, shutting down power generation will have a greater impact than distribution, [but] this is not an easy thing to do."

The recent trend of power generation resources shifting from very large facilities to some smaller facilities has no effect on the level of threat.

"It depends on what the final task of the AG is. Smaller entities are becoming targets because they share specific technologies with more interesting targets, so they can become test beds," Stirparo said. "We see more events in the United States, [but] are more well-known in the United States, so that's why we see more. But we will definitely see more in Europe and the Asia-Pacific region. We are in each All regions have seen it - no region is immune."

In the transmission part, there were two attacks in Europe. For example, the December 2016 attack in Kiev, Ukraine, brought the transmission system into chaos. Dragos reports: “The attacker customized the malware to cut off the power of the transmission-level substation by opening and closing the numerous circuit breakers used to power the power system, and to ensure the safety of operators, power lines and equipment.”

"This attack is important because it demonstrates a deep understanding of the transmission environment, which allows targeted malware customization," Stirparo said. "Although the attack occurred in Europe, similar attacks may also occur in other parts of the world."

The target of the attack is the operation of a circuit breaker controlled by a specific manufacturer's equipment that complies with the IEC 61850 standard. It uses the Manufacturing Message Specification (MMS) protocol for communication. The report states: "Dragos assesses with moderate confidence that this attack can be used on other devices that meet these standards."

The power distribution segment provides electricity to homes and businesses. There has been only one confirmed attack, in Ukraine in 2015, and rather than using customized malware, "here, they are just controlling operations remotely," Stirparo said. The attackers used malicious software to remotely access three power distribution companies, and then used these companies' own power distribution management systems to interrupt the power supply of more than 200,000 people.

The good news—"good" is a relative term—is that the AG usually needs to exist in the target environment for a period of time before it can take action. Stirparo said the good news is that all three parts of system defense have time and multiple opportunities to detect and possibly eliminate threats. "But it needs proper visibility into these systems," he said.

Of course, ransomware is another threat, because ransomware attacks can cause the suspension of industrial activities. Information stolen in a ransomware attack, such as schematics and charts, may be sold or shared with other bad actors. According to the report: "According to data tracked by Dragos and IBM Security X-Force, between 2018 and 2020, 10% of ransomware attacks on industrial and related entities targeted power companies."

"This is financial, not specific to ICS threats. But it shouldn't make anyone diminish their attention," Stirparo warned.

A potentially huge threat is the supply chain. "This is not only about your suppliers, but also about your integrators and contractors - there are many things to consider," Stirparo said. "I understand your pain. [In the United States] some companies have existed for more than a hundred years and [have] tens of thousands of contracts. This is an obvious pain point." But he added that cyber security professionals have seen threat actors enter large companies through third parties that have access to their network.

Connectivity is the last type of threat specifically targeting ICS and OT systems that the report identifies.

"We are increasing our connectivity, but not in a responsible way," Stirparo said. "What can be directly connected to the Internet? Utilities have actual Internet-facing assets, but they are not as secure as they thought."

Christopher refers to "transient" network assets as part of it. "You walk in with a different electronic device to connect to the system - this is one of the more difficult things for organizations to manage, especially in a pandemic... you walk directly into some facilities that may not have access to the Internet" until the device arrives.

Stirparo reviewed the recommendations made in the report, including:

Christopher said the danger to ICS and OT systems is "almost like splash damage." "What is your dependence on GIS? For example, can you still run out of your truck? What about VoIP phones?"

Finally, no matter what measures the government is trying to take to combat cyber threats, every company needs to understand their risks and where they are in their systems. Christopher added that then they must be responsible for taking the necessary preventive and defensive measures to protect their assets and their operations, because in the end the security of their facilities and networks falls on them.
