The DDoS threat for energy and utility companies
Protecting our critical infrastructure from cyber attacks has become a top priority for governments around the world - largely as a result of the IoT. Within the energy sector, the increased connectivity brought about by IoT has improved how we manage our power distribution and consumption, enabling a more flexible and efficient energy grid.
By: Scott Taylor, VP at Corero Network Security.
This has introduced a range of benefits, including a greater flexibility to accommodate new energy sources, better management of assets as well as greater reliability of services. But as operating systems have become increasingly connected to the Internet, it has also increased the potential for damaging cyber attacks such as Distributed Denial of Service (DDoS).
Modern DDoS attacks represent a serious security and availability challenge for infrastructure operators because even a short amount of down-time or latency can significantly impact the delivery of essential services.
When it comes to cyber attacks against the energy and utilities sector, it isn’t just customer data or corporate reputation at risk, but the safety of citizens. After all, if a successful attack was launched on an electricity grid, swathes of the country could be left in darkness and cold, for months. As the successive attacks on the Ukrainian power grid demonstrate, electricity operators are at significant risk from a potential adversary with malicious intent.
Days before Christmas in 2015, remote hackers took control of Ukrainian grid operators and digitally commandeered substations, allowing them to shut off power for 225,000 customers for several hours. Then in December 2016, hackers developed a malicious code that disrupted a Kiev transmission station and caused a substantial blackout lasting over an hour in the capital, in the first fully automated grid attack ever seen.
While many believe these attacks to be part of the ongoing political conflict between Russia and Ukraine, the same risks apply to energy grids around the world. Irrespective of motive, a successful attack could see large populations suffering major power outages, as well as causing enormous business disruption and economic damage.
A sustained failure of the electricity grid could also have potentially devastating consequences on the other industries that are dependent on it. From transport, to health services, to food security, virtually every element of critical infrastructure is dependent on the grid.
Yet according to a recent international Accenture report, almost two-thirds (63%) of utility executives believe their country faces at least a moderate risk of electricity supply interruption from a cyber attack on electricity distribution grids in the next five years. And in July, leaked reports from the UK’s National Cyber Security Centre suggested that hackers may have already compromised Britain’s energy grid as part of a concerted series of attacks on the country’s energy sector.
The cyber threat for energy systems is becoming more apparent because of the trend away from well-protected, centralised power stations and towards decentralised power, such as lots of smaller, flexible gas power plants and a growing trend for the use of solar panels on homes.
In August, Dutch researchers found that hackers could potentially target the electricity grid by exploiting vulnerabilities in solar panel equipment. These tests showed that it might be possible for an attacker to remotely control solar panel inverters – which convert electricity produced by the panels so that it can be used on the grid - and interrupt the flow of power on the grid.
Another serious concern is the growing number of web-connected devices being used in energy technology. Distribution utilities are increasingly exposed by the growth of IoT domestic devices, such as connected home hubs and smart appliances. Smart meters are due to be installed in every home by the end of 2020, in order to automate meter readings. As these systems become increasingly connected to the Internet, it also increases the potential attack surface for damaging cyber attacks such as Distributed Denial of Service (DDoS).
Of course, energy isn’t the only sector experiencing an increased threat of cyber attacks. Across all parts of national critical infrastructure, we are seeing a greater number of sophisticated and damaging cyber threats which are often believed to be the work of foreign governments seeking to cause political upheaval or a tactical advantage in the growing theatre of cyberwar. DDoS attacks against the transport network in Sweden recently caused train delays and disrupted travel services, while the WannaCry ransomware attacks in May demonstrated the capacity for cyber attacks to impact people’s access to essential services.
In this light, the UK government’s plans to issue fines of up to £17m to providers of infrastructure services that fail to protect against cyber attacks on their networks is an important step. It's welcome and critical to see the Government prioritising the issue of cyber security and forcing operators of essential services to become more resilient.
Despite the significant risks involved, there seems to be a culture of complacency about the dangers of cyber attacks within some critical infrastructure organisations. This probably stems back to the way these organisations were set up - with industrial control systems segregated from other computers and network devices, incapable of connecting wirelessly or physically - and therefore considered to be exempt from the risks of cyber attacks. However, as these operating systems have become more connected to the internet, it also makes them potentially vulnerable to a variety of damaging cyber attacks.
To investigate the risks involved, we carried out a Freedom of Information study earlier this year which found that over a third (39%) of UK critical infrastructure operators have not completed basic cyber security standards issued by the UK government. Alarmingly, the requests also found that 51% of critical infrastructure organisations are potentially vulnerable to stealth DDoS attacks - those of short duration and low volume - due to failures to deploy technology which can detect or mitigate such attacks.
Many people mistakenly associate DDoS attacks with the simple, volumetric tactic that gave the technique its name. However, DDoS threats are constantly evolving, and many hackers now use them as a pre-cursor to launching a more sophisticated attack. The vast majority of DDoS attempts against our customers are less than 10Gbps in volume, and less than ten minutes in duration.
Due to their small size, these stealth DDoS attacks usually go undetected by IT security staff, but are just disruptive enough to knock a firewall or Intrusion Prevention System (IPS) offline, so that hackers can target, map and infiltrate a network to install malware or engage in data exfiltration activity. Given that most companies now take more than 191 days to detect a data breach on their networks, this can give attackers a significant head-start on security teams when they plan to launch more serious attacks.
The risks are real and the threats are increasing each day. But fortunately the energy sector is well placed to improve its cyber defences. Due to the health and safety considerations within energy systems, most people in the industry are well-versed in terms of risk management, and the term ‘situational awareness’ is commonly accepted and understood. It’s a relatively short cultural leap to expand this consciousness to include ‘cyber situational awareness’ and to take the necessary steps to protect energy networks from potential attacks.
To keep up with the growing sophistication and organisation of well-equipped and well-funded threat actors, it’s essential that organisations maintain a comprehensive visibility across their networks to spot and resolve any potential incursions as they arise. Within energy organisations, the responsibility for mitigating DDoS attacks has often fallen to networks teams, rather than IT teams.
Due to the trend for DDoS attacks to be launched in combination with other sophisticated attack methods, like ransomware or APTs, it’s vital that the utility network and IT teams work together to stay ahead of any potential threats. A strong security posture involves having a single pane of glass over the problem where different teams can work together by correlating the DDoS activity with any other threats they are seeing.
It is also expected that, under the NIS Directive, operators of essential services will also have a responsibility to drive compliance into their supply chain. The guidance states that there should be confidence that the security principles are met, regardless of whether an organisation or a third party delivers the service.
As a result, while suppliers to operators of essential energy services may not themselves be under an immediate compliance obligation, it is wholly foreseeable that, if their services touch an essential operator’s network and information systems, they will be contractually obliged to comply.
However, to really bring about change, organisations need to look beyond the compliance tick box, and focus on providing the security required to maintain service availability and protect data. Organisations any at point in the energy supply chain need to take a serious look at their own operating model and the corresponding risk profile, and build robust protection.
It is not acceptable that service and data loss should be excused under any circumstances when the technology and services to provide proper protection is available today. It is only by deploying an in-line DDoS mitigation system that is always-on, and can detect and mitigate all DDoS attacks as they occur, that security teams can protect themselves from hackers fully understanding all possible vulnerabilities in their networks.