When the Die Hard movie franchise got a reboot in 2007 the plot revolved around an attack on New York’s infrastructure, with our hero John McClane up against a gang of cybercriminals intent on gaining access to critical energy, water and transport control systems to wreak chaos and (naturally) make off with a load of cash. Fast forward less than a decade and the situation went from movie plot to stark reality, as in 2015 Ukraine battled a Russian-orchestrated cyberattack on its electricity control centre that caused massive power outages in the depths of winter. When an enemy can turn your lights off when you need them most, that’s a powerful statement of their disruptive potential. The concern for the energy sector is not just that it is under attack, it’s that the enemy is already inside its networks, gaining persistence and waiting for the opportunity to strike. Let’s take a look at the situation and how the sector can harden its systems to make sure we keep the searchlight squarely on our adversaries.
The evolution of the energy sector threat
Previously, the main concern for the energy sector was physical compromise of generators and power stations. The focus was on improving resiliency and maintaining system access and control in the event that on-site access and systems were affected. The sector turned to the finance industry for guidance, deploying remote access, wireless monitoring, back up data centres and cloud computing. Ironically, while this increased resiliency against physical events, the replacement of proprietary systems with commercial technologies and the mass deployment of IoT devices also dramatically increased the virtual attack surface for state-sponsored threat actors. As a result, the past few years has seen increasing incidents of attacks like that in Ukraine.
Geopolitical tension always serves as a harbinger of cyberattacks and the shift in primary risk from physical disruption to virtual infiltration was really brought home earlier this year when GCHQ, the FBI and US Homeland security made an unprecedented joint statement warning that, in response to airstrikes carried out in Syria, Russian-sponsored threat actors were attacking critical infrastructure providers. Cyberattacks on critical national infrastructure are ranked as a tier one threat to the UK, with the Cambridge Centre for Risk Studies estimating that the economic impact of a successful cyberattack on a UK regional electricity distribution network could reach £12.86bn.
Shouldering the burden of protecting energy networks
For all the warnings and advice that governments issue, they’re limited in what they can practically do to protect organisations from attacks; the real burden of defence falls upon energy companies. Those companies are facing the fact that the bad guys are engaged in a campaign of colonisation aimed at gaining and maintaining persistence in target networks through the clandestine use of legitimate tools.
It’s not only their own networks that energy sector companies need to worry about. As they leverage the economies of scale of global commerce, energy companies expose themselves to increased third party risk through the supply chain. We’re seeing increased incidence of island hopping through that supply chain with hackers using TTPs such as spear-phishing, compromised accounts and websites and credential gathering to gain a foothold in trusted supplier organisations. They then use this platform to hop into their target network.
Now attackers are being observed living off the land, using trusted tools such as powershell, WMI and even .net to make detection more difficult; penetrating windows-based systems and moving laterally and more deeply into victim organisations.
Evidence from recent attacks on the sector has also indicated that the main actors already had some level of infiltration into their targets prior to launching co-ordinated campaigns. This is a concerning signal of the potential disruptive power of adversaries and underlines the importance of strengthening security postures and rooting out these actors.
Cutting the power to cyberattacks
To arm against this complex threat we need to move on from the security standards that were developed 5-10 years ago. Those perimeter-based defences are ineffective against today’s fileless attacks. We need next generation security that is capable of suppressing the adversary by detecting, deceiving, diverting, containing and hunting them in real time. Effectively we need to deprive attackers of the oxygen they need to exist in our systems.
Critical to this is having the ability to identify instances where legitimate software tools display anomalous behaviour that could indicate an impending attack. This requires using endpoint detection and response to continuously monitor unfiltered data so we can detect and mitigate attacks before they can gain a foothold. All of this intelligence needs to be stored centrally so it can be analysed and contribute to the global knowledgebase. We also need the facility to go in the other direction to open a command line interface to the endpoint to suppress intruder activity.
Attacks are becoming more sophisticated and multi-faceted, too. In Carbon Black’s recent survey of incident response professionals 64% noted that they were seeing secondary command and control occurring as attackers launched hidden secondary payloads after the initial attack had been shut down. Furthermore, 46% of respondents had found evidence of counter-incident response from adversaries. On this point, I think our incident response methodology has become too loud in recent years. We have to be more clandestine in how we react to adversaries. It may not be in our best interest to immediately shut down command and control before we have intelligence on exactly how far laterally the attack has moved through our infrastructure, particularly when we are facing enemies who are intent not just on data theft, but sabotage of critical systems.
Proactive threat hunting is another essential activity in today’s environment – and it can’t just be limited to incident response. A multidisciplinary team should be anticipating the potential weaknesses and viable attack paths not just within the organisation but across the information supply chain to get a step ahead.
Microsegmentation is also an important part of defence that more companies are getting to grips with. If we can create a prison-like environment inside our network we can limit viable lateral movement between subnets and systems, to reduce opportunities even if hackers succeed in gaining a foothold.
Finally, if you feel you can’t harden a viable attack path any further you can take the fight back to the enemy with deception grid technology, effectively planting decoy honeypot targets in your network to attract attacks and force hackers into the searchlight.
For today’s digital John McClane protecting the energy sector is less about muscle and more about network visibility, innovative threat hunting and intelligent incident response, plus ensuring that we are deploying the next generation anti-virus that is up to the challenge of detecting fileless attacks to keep enemies out and the lights on in the energy sector.
