Could Hackers Turn the Lights Out?

Uploaded on 2017-03-15 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Production-Utilities

For a long-time computer security experts have warned about the threat hackers pose to the systems that help control the power stations, water treatment plants and transport systems we rely on.

Just before Christmas 206 that theoretical threat became all too real for more than 225,000 Ukrainians who were plunged into darkness by a sophisticated attack on one of the nation's power companies.

The attackers struck late in the afternoon on 23 December and used the remote access they had gained to computers in the control centre of power firm Prykarpattyaoblenergo to flip circuit breakers and shut down substations.

In total, about 30 substations were turned off, including those that served one of the control rooms for Prykarpattyaoblenergo, so staff struggling to get the lights back on were forced to find a fix in the dark.

Even now, months after the attack, computer systems at the Ukrainian energy company are not quite fixed because the "Killdisk" malware used in the attack deleted key files.

Uncovering holes

It would have taken significant time and effort to carry out this sophisticated attack, said Stephen Ward, a senior director at security firm iSight Partners, which has analysed the sequence of events leading up to the attack.

The good news is that remotely shutting down power stations or similar infrastructure systems is really hard, he said.

"To make something happen on any of these systems you have to gain information to understand their processes. Those processes are completely different from industry to industry and even facility to facility.

"The basic software may be the same but you have to write the logic to control and create the process and that's unique to the installation itself," said Mr Ward.

That was certainly true in Ukraine. Reports into the attack reveal that the hackers behind it spent months inveigling their way into Prykarpattyaoblenergo's computer systems so their co-ordinated strike would be as effective as possible.

The gang behind the Ukraine attack got in by tricking key staff into opening booby-trapped attachments on email messages crafted to look like they came from friends and colleagues.

Data Police

But, said Sergey Gordeychik, deputy chief technology head at Kaspersky Lab, there are other ways to get at industrial control systems (ICS).

Mr Gordeychik helps co-ordinate Scada Strangelove, a community of security researchers who seek out ICS systems openly exposed online. Scada (Supervisory Control and Data Acquisition) systems are used to oversee plant and machinery in industrial installations.

"We can discover more than 80,000 different kinds of ICS systems connected to the internet directly," he told the BBC.
That's bad, he said.

"If we are trying to compare the standard security of the logic controllers found in ICS systems with Windows or Apple laptops, it's like Windows 95," he said. "They are like a desktop operating system 10 years ago when the level of security was very low."

Scada Strangelove's scanning work to find these vulnerable systems has got many of them taken offline, said Mr Gordeychik. For example, he said, work that the group did on net-connected rail control systems means many of them are now inaccessible.

Its work has also prompted some hardware makers to update the software controlling their equipment to make it more secure. Some have even gone as far as uploading it to their devices to harden them even if customers do not ask for it.

Despite these successes, Mr Gordeychik said the group was not set up solely to police these vulnerable systems.

"The main idea is not trying to remove systems case-by-case," he said. "The main idea is to raise awareness and to force vendors to create more secure-by-design systems."

New Skills

That might be tricky, said Ian Glover, head of the Crest organisation that certifies ethical hackers for work on corporate and government networks.

Crest is currently carrying out research on the security of the computerised parts of the UK's infrastructure. The report is a survey of security practices at those essential plants and organisations to see if the ethical hackers who probe the digital defences will need new skills to make sure they find all potential bugs and vulnerabilities.

What had been a surprise, said Mr Glover, was the attitude of many companies who run the nation's infrastructure.

"That's what's been most disturbing to me," he said. "That people did not think they were going to be attacked."

This despite the fact that many security firms that investigate data breaches frequently find evidence that criminals and state-backed hackers are lurking in the networks.

But that danger to the systems directly connected to the net should not be overstated, a spokesman for GCHQ, the UK's intelligence and security base, said.

Digital Defences

"The single biggest vulnerability is connecting poorly protected corporate IT to operational technologies," he said.

Operational technologies (OT) refers to the machinery in the field or on an industrial plant that keeps processes going or helps manage that remote installation.

"The vast majority of attacks actually go after the corporate IT and then will act as if they were legitimate users to get the ICS or operational technologies to do something," he said.

There were good reasons why attackers chose this route, he added.

"It's much easier to exploit the corporate IT because there are so many tools you can download and use to do that," he told the BBC.

A firm with good defences against the threats that are aimed at its corporate systems will also help to defeat attempts to subvert that remotely operated plant and machinery.

GCHQ regularly advised the companies running the various parts of the UK's national infrastructure on better ways to organise their digital defences. And sometimes, he said, it helped them get ahead of potential attacks.

"As we go about prosecuting our intelligence mission and function if we get information that appears to show a threat to the CNI we will pass it on to the relevant company," he said.

These rare incidents showed that the threat to CNI was real and that there were people with the capability to launch cyber-attacks on the UK's national infrastructure. In addition, he said, there was no doubt that other groups had the intent to do the UK harm.

"Should we be worried? Yes," he said. "There are people with the capability. There are people out there with the intent. But at the moment we are not in the position where we are seeing groups with both the intent and capability.

"We are doing all we can to harden the UK should these two things, capability and intent, come together."

BBC

Critical Infrasctructure: UK and US Power Grids - Under Cyber Attack Every Minute:

A Threat No One Is Talking About - Attack On the Power Grid:

 

 

« The CIA Has Lost Control Of Its Cyber Weapon Documents
Italian Bank Cyber Spy Attacks »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Vera Security

Vera Security

Vera is a data security platform that provides 360-degree visibility and control over critical business data, anywhere it's shared or stored.

Quadrant Information Security

Quadrant Information Security

Quadrant Information Security is a consulting firm committed to supporting organizations in all vertical markets and protecting their sensitive data.

Visual Guard

Visual Guard

Visual Guard is a modular solution covering most application security requirements, from application-level security systems to Corporate Identity and Access Management Solutions.

Truepic

Truepic

Truepic provides technologies that prevent fraud, identity theft, misinformation, and disinformation caused by generative, manipulated, or deepfake digital content.

CyberMDX

CyberMDX

CyberMDX delivers proactive security built for hospital devices. 360° visibility, insight, and protection for all connected hospital technologies.

Red River

Red River

Red River is a technology transformation company, bringing 25 years of experience and mission-critical expertise in analytics, cloud, collaboration, mobility, networking and security solutions.

Gordian Networks

Gordian Networks

Gordian Networks offers complete managed IT services and IT support for small to large businesses.

Cyber Security Advisor

Cyber Security Advisor

Notice how sophisticated the cybersecurity market is. Think how would you pick the security provider, assess your company, and be sure of your security decisions? Cyber Security Advisor is the answer!

Tracepoint

Tracepoint

Tracepoint provide full-service cyber incident response, remediation and recovery solutions for the most time-sensitive situation your company may ever face.

NWN Carousel

NWN Carousel

NWN Carousel delivers AI-powered technology solutions for the modern workplace. From unified communications and intelligent infrastructure to robust cybersecurity.

Cyber Security Cooperative Research Centre (CSCRC)

Cyber Security Cooperative Research Centre (CSCRC)

The CSCRC provides frank and fearless research and in-depth analysis of cyber security systems, the cyber ecosystem and cyber threats.

BaaSid

BaaSid

BaaSid is next generation security technology for data security & security authentication based on De-centralized & Blockchain.

Tech Vedika

Tech Vedika

Tech Vedika has access to technical guidance, training and resources from AWS to successfully undertake solution architecture, application development, application migration, and managed services.

Technology Mindz

Technology Mindz

Technology Mindz is a leading provider of cybersecurity services. We offer a wide range of services to help businesses. Our services are Identity and access management, Governance risk and compliance.

Reach Security

Reach Security

Reach is the first generative AI platform purpose-built to empower enterprise security teams. With Reach, organizations measure, manage, and improve their enterprise security posture at scale.

RedLattice

RedLattice

RedLattice are at the cutting edge of tool development and AI-assisted vulnerability research in cybersecurity.