The 6 biggest cyberattacks against the Energy Industry
Largely spared until 2010, industrial energy systems are no longer immune to infiltration attempts: Stuxnet made these systems a prime target for attackers. Companies and infrastructures in this sector, most of which are listed as critical infrastructure, provide the essential services and goods that the nation needs to function. These sensitive industries must have foolproof security plans. Even if zero risk does not exist and many vulnerabilities persist, some recommendations can prevent a cyberattack or reduce its impact. Cybelius analyses the 6 biggest cyberattacks on energy systems around the world and offers its expertise on the measures to be implemented.
Stuxnet created a shock wave within the energy industry, highlighting previously unknown vulnerabilities. Since then, attacks have been increasing.
Industrial systems' vulnerabilities increased by 380% (Symantec, 2016).
135 industrial vulnerabilities were discovered around the world.
Out of 245 attacks reported on industrial systems in the US, more than half were targeted and focused on the energy sector.
Sabotage, espionage, data theft.
Cyberattacks: highlights
#1: SLAMMER
The worm was detected in 2003.
Slammer is a worm that spread across the Internet by exploiting a flaw in Microsoft SQL servers. In a few minutes, it infected around 75,000 servers. Among other things, Slammer attacked the supervision and the safety parameter display system (SPDS) of the Davis-Besse nuclear power station in the USA, which shut down for several hours. This system alerts operators in case of a reactor meltdown and gives real-time information on the physical state of the equipment.
The worm first infected the private network of a service provider, then used the broadband line that directly connected this provider to the nuclear power plant's network. This line bypassed the plant's firewall, even though the firewall itself correctly blocked the ports used by Slammer to replicate. Once on the network, it propagated through security flaws in Microsoft SQL Server 2000 (the patch had been available from the vendor for 6 months). The worm looked for other servers by randomly generating IP addresses, consuming the network's bandwidth and thereby blocking the safety system and the supervision. This worm was surprising in its simplicity and small size (376 bytes).
Slammer caused a major denial of service: two control systems (one of which displays the condition of the critical systems) were unavailable for 6 hours, and the safety systems were inoperative.
The plant was not specifically targeted; it was infected by Slammer at random. The company had an unsecured connection to a third-party network, whereas the rest of its network, protected by a firewall, could have stopped the worm.
Slammer demonstrates that critical infrastructures must secure their industrial systems. The plant could have avoided this denial of service by mapping its IS (information system) and applying an update policy for the equipment and software of its information systems. This would have prevented the worm from reaching the servers and saturating the network. In addition, a key point lies in securing exchanges between the industrial IS and third-party networks, including service providers who may intervene on equipment. Securing these systems must involve identification and authentication of remote logins as well as data encryption. Finally, the firewall must fully play its role. To do so, managing its rules as a whitelist ensures that only legitimate communications are let through (CyFENCE, our solution, secures third-party connections to the system that has to be protected and secures the exchanges by following this whitelist principle).
#2: STUXNET
Reported for the first time in 2009, Stuxnet shook the entire energy industry when it struck in 2010. This virus remains the most complex and sophisticated malware.
The attack was launched to sabotage the centrifuges of the uranium enrichment plant in Natanz, Iran. Via an infected USB key that was never checked, the virus entered the operational network. This was the first targeted attack that required upstream preparation.
First, the attackers spied on several Iranian nuclear facilities and carried out extensive research and development work.
Second, to reach its target, Stuxnet exploited no fewer than four 0-day vulnerabilities (all since patched by Microsoft) targeting different versions of Windows, as well as the well-known MS08-067 vulnerability (remote code execution via an RPC request), which had been patched several years earlier.
Stuxnet was able to attack complex Siemens WinCC / PCS 7 SCADA software systems (software for automation control and management, in this case of the centrifuge rotation speed). This allowed it to execute arbitrary code with administrator rights and install 2 concealment tools, also called rootkits.
Once a month, Stuxnet recorded the control system's sensor values over a 21-second period. Then, while the attack was executing, Stuxnet replayed these 21 seconds in a loop. Thus, for the control room operators everything looked normal, while Stuxnet carried out its malicious work. The virus took control of the machines (controlling valves to increase the pressure of the injected gas and damage the centrifuges, and the computers regulating the centrifuge speed via third-party equipment).
Unusual for a virus: the attack required knowledge of industrial processes, Windows vulnerabilities and several programming languages (C and C++).
Stuxnet is the first attack that hindered the functioning of an infrastructure and damaged industrial facilities. It is estimated that several hundred centrifuges were destroyed or disabled by this process. The plant fell behind in its nuclear program. The worm also affected 45,000 computer systems, including 30,000 in Iran, among them PCs owned by employees of the Bushehr nuclear power plant. The other 15,000 are computers and power plants in Germany, France, India and Indonesia, all using Siemens technologies.
Several investigations have revealed that the creation of Stuxnet was commissioned by the US, supported by Israel, with the help of an internal accomplice, for the purpose of state espionage.
No line of defence can be neglected on such critical industrial systems. We recommend setting up a cyberattack detection system that monitors network exchanges down to the process level. The values exchanged between the PLCs and the supervision must be compared, in order to detect process drift and compromise of the supervision tool. In addition, we advise segmenting the networks, encrypting exchanges with the industrial process, and patching all industrial IS equipment and software. Moreover, we recommend taking cybersecurity good practices and requirements into account by design, in particular in the choice of software and equipment, so that as few vulnerabilities as possible remain.
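The two checks recommended above (comparing what the supervision displays with what the PLCs actually report, and spotting a replayed recording such as Stuxnet's 21-second loop) can be illustrated with a small probe-side script. This is an added example, not Cybelius or CyPRES code; the sensor series below are constructed to mimic the pattern described in the text, and the tolerance value is an assumption that would be tuned per process.

```python
"""Replay and supervision/PLC mismatch detection on process values.

Added example (not Cybelius code). Two checks a network probe can run on
sensor values: exact periodic repetition of a value stream (a looped
recording, as Stuxnet did) and divergence between what the supervision
displays and what an independent read of the PLC returns.
"""
import math
from typing import Dict, List, Optional, Tuple


def find_replay_period(samples: List[float], min_period: int = 2) -> Optional[int]:
    """Return the smallest period p such that every sample equals the sample p
    positions later, i.e. the stream is an exact loop. Real sensor data carries
    noise and never repeats bit-for-bit, so an exact period is a strong replay
    indicator. Returns None when no full-length repetition exists."""
    n = len(samples)
    for p in range(min_period, n // 2 + 1):
        if all(samples[i] == samples[i + p] for i in range(n - p)):
            return p
    return None


def compare_streams(supervision: List[float], probe: List[float],
                    tolerance: float) -> List[Tuple[int, float, float]]:
    """Compare what the supervision displays against what an independent probe
    reads from the PLC. Return (index, displayed, actual) for every sample whose
    absolute difference exceeds the tolerance."""
    mismatches = []
    for i, (shown, actual) in enumerate(zip(supervision, probe)):
        if abs(shown - actual) > tolerance:
            mismatches.append((i, shown, actual))
    return mismatches


def analyse(supervision: List[float], probe: List[float],
            tolerance: float = 2.0) -> Dict[str, Optional[int]]:
    """Run both checks and summarise the findings."""
    mismatches = compare_streams(supervision, probe, tolerance)
    return {
        "replay_period": find_replay_period(supervision),
        "first_mismatch": mismatches[0][0] if mismatches else None,
        "mismatch_count": len(mismatches),
    }


# Constructed data: a 21-sample recording of a pressure reading (arbitrary
# units) with some variation, as a legitimate process would show...
RECORDING = [round(1000.0 + 5.0 * math.sin(0.9 * i) + 0.1 * i, 2) for i in range(21)]
# ...replayed three times: this is what the compromised supervision displays.
SUPERVISION_VIEW = RECORDING * 3
# Constructed: what the PLC really reports to an independent probe, pressure
# rising steadily while the operators see a flat loop.
PROBE_VIEW = [round(1000.0 + 0.8 * i, 2) for i in range(len(SUPERVISION_VIEW))]

if __name__ == "__main__":
    findings = analyse(SUPERVISION_VIEW, PROBE_VIEW)
    if findings["replay_period"] is not None:
        print(f"ALERT: supervision stream repeats exactly every "
              f"{findings['replay_period']} samples (possible replay)")
    if findings["first_mismatch"] is not None:
        print(f"ALERT: supervision and PLC diverge from sample "
              f"{findings['first_mismatch']} ({findings['mismatch_count']} samples)")
```

The replay check relies on exact equality on purpose: a genuine process never produces the same values to the last digit, so any exact period is worth an alert, while the divergence check needs a per-process tolerance so that normal measurement jitter does not trigger it.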
#3: SHAMOON
Shamoon was detected in August 2012.
About 15 Saudi companies, including Saudi Aramco (Saudi Arabia's largest oil company), fell victim to Shamoon. Most of them are multinationals specialized in the exploitation or distribution of hydrocarbons (oil or gas), along with several governmental agencies. Saudi Aramco produces approximately 2.26 million barrels of oil a day and operates 20% of the world's reserves. This virus was built to steal confidential data, erase its traces and thoroughly destroy the operating systems and servers on which the targeted groups' data are stored.
Via phishing, an employee of the company is believed to have clicked on a link in a scam message. Once inside the network, the Shamoon virus (also called Disttrack) exfiltrated logistical and commercial information from Windows PCs and servers and overwrote these files. Finally, the virus rewrote the boot areas of the hard drives (master boot records), making them inaccessible. After the infection, plug-ins called 'wiper' and 'reporter' were activated to erase any traces left by the attackers. The naming of the 'wiper' plug-in was a concern, as it seemed to link it to the Stuxnet / Duqu / Flame family of sophisticated malware.
At Saudi Aramco, files were destroyed or deleted on 30,000 workstations and 2,000 servers. Business activity was affected: order management, inventory, delivery, invoicing... Employees had to go back to using fax. Oil production and the technical operations responsible for organizing and distributing oil were not affected. It took the company 5 months to return to normal business activity.
It seems that the attackers, a group of activists called "The Cutting Sword of Justice", wanted to sabotage the company and disrupt part of its industrial activities. The group threatened Saudi Aramco with revealing the information gathered. However, the virus did not contain any functionality designed to control or attack an industrial system, even if maintenance or production operations could have been affected. The claims appear political.
Firstly, to avoid this kind of sabotage, it is essential to make the company's employees aware of good practices for Internet use. In this case, human error was at the origin of the intrusion of the virus. Secondly, a Business Continuity Plan allows the company to recover quickly with minimal data loss. For a BCP adapted to the company's requirements, it is essential to carry out a risk analysis (see our APERO analysis method, which brings together cybersecurity and safety for facilities). Network segmentation helps to limit the spread of an attack. Finally, the implementation of an intrusion detection system (CyPRES) would have detected the abnormal behaviour of the IS, in particular the data exfiltration.
#4: ENERGETIC BEAR
The malware appeared in 2014. It was a remote access trojan.
More than 1,000 energy companies in the US and Europe (equipment manufacturers, power generators, electricity and oil distributors) were attacked. The malware took control of industrial equipment after compromising 3 SCADA providers, which then spread it to their customers through software updates.
The attackers used 3 complementary strategies to infiltrate systems. Their attack method focused on extracting and downloading data, installing malware, and running files on infected computers. They also used other tools to collect passwords, screenshots, etc.:
- Spear phishing: from February to June 2013, targeted emails were sent to the executives and leaders of 7 companies in the energy sector, with a PDF attachment which, once opened, infected the computer with the malware. Approximately 84 emails were sent from the same Gmail account with "Account" or "Delivery problem resolved" as the subject.
- Watering hole: malicious links placed on websites frequently visited by people working in the energy sector. Once opened, the links redirected users to a seemingly legitimate but in fact compromised site, allowing the malware to be downloaded onto the machine. HTML tags were inserted on each website. In addition, the attackers used the Hello and Lightsout exploit kits, which targeted Java and Internet Explorer and installed the Oldrea or Trojan.Karagany backdoors on compromised computers.
- Compromise of the SCADA software updates of 3 suppliers.
The attackers had access to highly sensitive information (numbers, protocols, etc.). None of it has been disclosed to date.
The attackers, named Dragonfly, an identified Russian group, have been operating since the late 2000s. They specialize in attacks on industry, particularly the energy sector (gas, oil, electricity, and related equipment manufacturers), and are known for data theft and cyber espionage.
Recurrent but important recommendations:
- Staff awareness of cyber hygiene rules, including not opening e-mail attachments from unknown senders.
- Establishing a whitelisting procedure on the supervisory PCs so that only the software and services useful to the plant can run.
- Finally, testing SCADA software updates before on-site deployment makes it possible to detect compromises that may originate from the software publisher. In this context, we recommend implementing a DMZ (demilitarized zone) with an update test server. On this server, a VM of each critical station of the system is reconstituted, so that the update can be tested in the VM before being deployed on the station(s) concerned (this solution is implemented in our IT / OT exchange security system, CyFENCE).
#5: BLACK ENERGY
The Black Energy malware struck in 2015.
The Ukrainian power grid was targeted. The attackers used phishing to introduce malware into the computer systems of 3 energy distributors in the west of the country.
The attackers used spear phishing, sending emails with infected Word files to multiple target computers. To be readable, the document required macros to be enabled. From the first contaminated PC, the malware spread across the network.
Upstream, they compromised the Active Directory to obtain credentials and remotely control the SCADA via internal VPN accounts. Having identified the SCADA HMIs, they were able to reach the circuit breakers and thus cut off the electricity.
At the same time, to prevent the remote breakers from being restarted or any remediation plan from succeeding, they cut off the backup power and corrupted the Ethernet / serial converters (located between the power grid's monitoring and control center and the field devices). They also used "KillDisk" to delete the data on the infected desktops and wipe the boot areas of the PC hard drives, erasing any trace of their operation.
Finally, they launched a telephone denial of service against the energy operators' call center, so that customers could not report power cuts.
The malware totally disabled the industrial power generation machinery in Ukraine. More than 200,000 households were left without electricity for 3 to 6 hours. The restart was done manually. This was the first time such an impact on the population had been seen state-wide.
The attackers, specialists in industrial systems, wanted to prevent any restart of the infected computers' operating systems, erase data and destroy the hard drives, in order to penetrate the systems and take control.
The attack could have been avoided if the company had partitioned its networks. An intrusion detection solution like the CyPRES probe could have detected the remote connections that were set up. Monitoring of the process operation would also have made it possible to detect process drift on the circuit breakers.
As in many other cyberattacks, the first failure was human. It is therefore important to train staff in the good cyber practices that can prevent the infiltration of viruses, as would have been the case with the Word files sent by the attackers. Improving crisis management (activity transfer, isolation of part of the network, restoration of saved data) is essential here. Finally, procedures must be set up that block macros and control users' rights.
#6: INDUSTROYER
Industroyer targeted Ukraine in December 2016. It is the biggest threat against industrial control systems since Stuxnet, and the first malware designed specifically to attack power grids.
Just before midnight, the Pivnichna high-voltage substation, north of Kiev (Ukraine's capital), went down completely after a computer attack: a less severe blackout than the one Black Energy caused in the west of the country in December 2015, but still significant.
Industroyer (aka CrashOverride) used 2 backdoors, a module to launch DDoS attacks, a wiper and 4 modules exploiting the industrial protocols (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA) that allow communication with the electricity network. Its main component, a backdoor, allowed the attackers to control power grid systems via highly complex software, capable of attacking any network of European power plants and relays.
By using these protocols simultaneously, the malware was able to get onto the network administrators' PCs, scan the network, identify the targeted devices and take remote control of them. The attackers were able to open the transformers' breakers and cause a blackout. The goal was to distract from their primary objective, the infrastructure communication protocols. The attackers also added a module to remove their traces (data wiper).
The malware paralyzed a relay station and disrupted grid operation for about an hour. To restore electricity, the technicians had to return to manual mode and intervene at the station concerned.
Industroyer is a threat that has to be taken very seriously. It was designed to suit any type of plant. Due to its modularity and its ability to easily monitor network operations, it could be exported to Europe, Asia and the Middle East.
The attackers had excellent knowledge of the attacked power grid, suggesting that they were either extremely well organized or state-backed. The goal was above all to sabotage and disrupt the electrical networks.
Regarding this complex attack, many aspects must be considered, including network segmentation, encryption of industrial process exchanges and cyber training of employees. Crisis management is also essential, especially activity transfer, isolation of part of the network and restoration of saved data. Furthermore, risk analysis allows the obvious vulnerabilities of the IS to be evaluated and its security to be worked on (see our APERO risk analysis method, which combines safety and security). Finally, a cyberattack detection system capable of analyzing the protocols specific to the energy sector ensures efficient detection on these critical systems (our CyPRES probe analyzes energy protocols including the IEC 61850 communication standard).
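To make concrete what "analyzing the protocols specific to the energy sector" means for the Industroyer scenario above (and for the Black Energy breaker operations described earlier), here is an added example that is not Cybelius or CyPRES code. It parses the header of IEC 60870-5-104 I-format frames and alerts when a control command of the kind that operates a breaker is sent by a host that is not one of the declared SCADA masters. The frames and host addresses below are constructed for the example; the allow-list of masters is an assumption that a real deployment would derive from its network inventory.

```python
"""Alerting on unexpected IEC 60870-5-104 control commands.

Added example (not Cybelius code). Parses the APCI/ASDU header of IEC 104
I-format frames and flags control commands (activation) coming from hosts
that are not declared SCADA masters. Sample traffic is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

START_BYTE = 0x68
# ASDU type identifications (IEC 60870-5-101/104) carrying process control.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
COT_ACTIVATION = 6


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_address: int
    ioa: int


def parse_i_frame(frame: bytes) -> Optional[Asdu]:
    """Return the ASDU header of an I-format APDU, or None for S-/U-format
    frames (which carry no ASDU) and for malformed input."""
    if len(frame) < 6 or frame[0] != START_BYTE:
        return None
    length = frame[1]                      # APDU length after the length byte
    if length < 4 or length + 2 != len(frame):
        return None
    if frame[2] & 0x01:                    # bit 0 set: S-format (01) or U-format (11)
        return None
    asdu = frame[6:]                       # after 4 control-field bytes
    if len(asdu) < 9:                      # type, VSQ, COT(2), CA(2), IOA(3)
        return None
    type_id = asdu[0]
    cot = asdu[2] & 0x3F                   # low 6 bits; bits 6-7 are P/N and test
    common_address = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    return Asdu(type_id, cot, common_address, ioa)


def detect_unexpected_commands(records: List[Tuple[str, str, bytes]],
                               allowed_masters: set) -> List[str]:
    """records: (source host, destination host, raw APDU). Returns one alert
    line per control activation issued by a host outside allowed_masters."""
    alerts = []
    for src, dst, frame in records:
        asdu = parse_i_frame(frame)
        if asdu is None or asdu.type_id not in CONTROL_TYPES:
            continue
        if asdu.cot == COT_ACTIVATION and src not in allowed_masters:
            alerts.append(f"{src} -> {dst}: {CONTROL_TYPES[asdu.type_id]} "
                          f"activation on CA {asdu.common_address} IOA {asdu.ioa} "
                          f"from undeclared master")
    return alerts


# Constructed hosts (placeholders): one declared master, one RTU/gateway, one
# unknown workstation.
ALLOWED_MASTERS = {"10.0.10.5"}
# Constructed frames. Layout: 68 <len> <4 control bytes> <ASDU>.
DOUBLE_COMMAND_OFF = bytes.fromhex(
    "68 0E 00 00 00 00"          # I-format, N(S)=0, N(R)=0
    "2E 01 06 00 01 00"          # type 46, 1 object, COT 6 activation, CA 1
    "01 10 00 01")               # IOA 0x001001, DCO = OFF
SINGLE_POINT_REPORT = bytes.fromhex(
    "68 0E 02 00 00 00"          # I-format, N(S)=1
    "01 01 03 00 01 00"          # type 1 M_SP_NA_1, COT 3 spontaneous, CA 1
    "02 10 00 01")               # IOA 0x001002, SIQ = ON
TESTFR_ACT = bytes.fromhex("68 04 43 00 00 00")  # U-format keep-alive, no ASDU

SAMPLE_TRAFFIC = [
    ("10.0.10.5", "10.0.20.1", DOUBLE_COMMAND_OFF),   # legitimate master
    ("10.0.20.1", "10.0.10.5", SINGLE_POINT_REPORT),  # normal monitoring
    ("10.0.10.5", "10.0.20.1", TESTFR_ACT),           # keep-alive, ignored
    ("10.0.30.77", "10.0.20.1", DOUBLE_COMMAND_OFF),  # same command, unknown host
]

if __name__ == "__main__":
    for line in detect_unexpected_commands(SAMPLE_TRAFFIC, ALLOWED_MASTERS):
        print("ALERT:", line)
```

A probe that understands the protocol can go further than this allow-list rule, for instance by checking that every activation is followed by the expected confirmation from the outstation, or that commands addressed to breaker IOAs only arrive during declared switching operations; the point is that the decision is made on the decoded ASDU, not on IP addresses alone.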