In January 2020, industrial cybersecurity firm Dragos released the North American Electric Cyber Threat Perspective, referred to here as the Dragos report. The report summarizes findings on the threats and adversaries that focus on critical infrastructure. It is intended as a snapshot of the threat landscape as of January 2020 and is expected to evolve over time.
This article details five key findings from the Dragos report: power outages as a vulnerability, the threat of supply chain compromise, a communications outage at a solar generation utility in the United States, recommendations for asset owners and operators, and the relative position of the United States. We’ll take a closer look at the report and leave you with a more solid understanding of the industrial cybersecurity threat landscape.
1. Power outages as opportunities for adversaries
A vulnerability that electric entities face stems from the fact that planned outages and maintenance periods give adversaries opportunities to learn about the utility in preparation for a future disruption or attack. What they can learn includes the timing of planned outages, the utility’s operations and recovery procedures, and the fact that anomalous activity during an outage has a high likelihood of going undetected.
When a natural disaster occurs and the utility schedules a mass outage, this likewise provides an opportunity for adversarial reconnaissance.
The problem is that when outages occur, external entities are allowed into the electric entity’s operational environments to provide service. This gives them a prime opportunity to infect an operational technology (OT) environment, whether intentionally or unintentionally. For example, in 2018, Schneider Electric alerted customers that two USB sticks shipped to them were possibly infected. (No events caused by this were reported.)
2. Supply chain compromise and CIP-013
One of the most concerning findings of the Dragos report is the significantly rising threat of supply chain compromise. Electric entities rely upon a supply chain to produce electricity, and adversaries bent on attacking an entity may target that supply chain to cause disruption. One example of such an attack is disrupting natural gas pipelines in order to disrupt energy generation. While Dragos has not observed a systemic attack of this kind at this time, it remains a threat.
Disruption of the supply of raw inputs that electric entities need is not the only supply chain threat. Dragos specifically mentions third-party vendors, original equipment manufacturers and telecommunication providers as other potential points of attack.
The Dragos report includes which activity or threat groups exist as of January 2020 and what their different potential actions may include. As of this time, Xenotime is the only activity group deemed to be a potential threat to electric entities. In 2017, this group disrupted a Saudi oil and gas facility, and in 2018, Xenotime expanded its capabilities to include North America.
The Dragos report puts the threat landscape for electric entities into perspective by referring to the CIP-013 standard. This NERC CIP Reliability standard governs supply chain risk management and falls under the cybersecurity regulations that mandate a minimum level of cybersecurity for electric entities. It holds that these entities must use cybersecurity best practices, which is unique compared to other areas of the world. Despite the relatively high level of vulnerability that electric entities in the United States face, CIP-013 leaves us with a beacon of hope against existing and future threats and is definitely encouraging.
3. OT communications gateways
Another key finding of the Dragos report is that adversaries have the ability to exploit vulnerabilities within OT communications to disrupt energy production facilities.
Recently, adversaries exploited firewall vulnerabilities at a solar energy utility in Utah. The attackers targeted a known Cisco firewall vulnerability in the firewalls separating the utility’s IT systems from its OT, causing unexpected device reboots that impacted operations. The result was a communications outage between sites, field devices and the control center that lasted less than five minutes.
Dragos found that although the incident’s impact was minimal, it still disrupted connectivity to the generation network. Had the exploitation been more severe and longer lasting, the incident could have had disastrous consequences at the utility.
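The incident above, brief firewall reboots that cut communications between sites, field devices and the control center for under five minutes, is exactly the kind of event that monitoring tuned only for long outages can miss. As an added example that is not part of the original article or of the Dragos report, the following Python script walks a set of constructed syslog-style gateway log lines (the hostnames, interface names, timestamps and message formats are invented for illustration and are not tied to any vendor) and reports every link outage with its duration, attributing each one to an unexpected or scheduled restart logged shortly before on the same device.

```python
"""Detect short OT communications outages from gateway/firewall logs.

Added example; the log lines below are constructed for illustration and do not
come from the Dragos report or from any real utility.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log. Hosts, interfaces and message wording are invented.
SAMPLE_LOG = """\
2020-01-14T03:10:02Z gw-site-a kernel: link ge-0/0/1 up
2020-01-14T03:15:41Z gw-site-a system: unexpected restart (reason: unknown)
2020-01-14T03:15:41Z gw-site-a kernel: link ge-0/0/1 down
2020-01-14T03:18:55Z gw-site-a kernel: link ge-0/0/1 up
2020-01-14T03:20:00Z gw-site-b system: scheduled restart (reason: maintenance)
2020-01-14T03:20:00Z gw-site-b kernel: link ge-0/0/1 down
2020-01-14T03:21:30Z gw-site-b kernel: link ge-0/0/1 up
2020-01-14T03:40:12Z gw-site-c kernel: link ge-0/0/1 down
"""

# "<timestamp> <host> <process>: <message>" (assumed layout for the constructed lines)
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^:]+):\s+(?P<msg>.*)$")
RESTART_RE = re.compile(r"^(?P<kind>unexpected|scheduled) restart")
LINK_RE = re.compile(r"^link (?P<iface>\S+) (?P<state>up|down)$")


def parse_lines(text):
    """Yield (timestamp, host, message) for each well-formed line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["host"], m["msg"]


def _record(host, iface, start, end, last_restart, window):
    """Build one outage record, attributing it to a restart logged within `window` before."""
    restart = last_restart.get(host)
    cause = "none"
    if restart and timedelta(0) <= start - restart[0] <= window:
        cause = restart[1]  # "unexpected" or "scheduled"
    return {
        "host": host,
        "iface": iface,
        "start": start,
        "end": end,
        "duration_s": None if end is None else int((end - start).total_seconds()),
        "restart": cause,
        "ongoing": end is None,
    }


def find_outages(text, restart_window=timedelta(seconds=60)):
    """Return every link-down/link-up window per (host, interface), however short.

    A link that is still down at the end of the log is reported as ongoing.
    """
    last_restart = {}  # host -> (timestamp, kind)
    open_down = {}     # (host, iface) -> timestamp the link went down
    outages = []
    for ts, host, msg in parse_lines(text):
        r = RESTART_RE.match(msg)
        if r:
            last_restart[host] = (ts, r["kind"])
            continue
        l = LINK_RE.match(msg)
        if not l:
            continue
        key = (host, l["iface"])
        if l["state"] == "down":
            open_down.setdefault(key, ts)  # keep the first "down" if repeated
        elif key in open_down:
            start = open_down.pop(key)
            outages.append(_record(host, l["iface"], start, ts, last_restart, restart_window))
    for (host, iface), start in open_down.items():
        outages.append(_record(host, iface, start, None, last_restart, restart_window))
    return outages


if __name__ == "__main__":
    for o in find_outages(SAMPLE_LOG):
        length = "ongoing" if o["ongoing"] else f"{o['duration_s']} s"
        print(f"{o['host']} {o['iface']}: down at {o['start']:%H:%M:%S}, "
              f"{length}, preceded by restart: {o['restart']}")
```

The point of reporting every outage rather than only those beyond an alerting threshold is that a three-minute gap preceded by an unexpected restart (gw-site-a in the sample) is a different signal from a ninety-second gap preceded by a scheduled one (gw-site-b), and an interface that never comes back (gw-site-c) needs attention regardless of cause. In practice the log layout and restart messages would be adapted to the actual device vendor; the regexes here are assumptions for the constructed lines.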
4. The state of threats to electric entities in the United States
The Dragos report highlighted concerning aspects about the threat landscape for United States (and North American) electric entities. Of the 11 activity groups that Dragos tracks, seven can potentially impact these entities: Xenotime, Parisite, Dymalloy, Allanite, Magnallium, Covellite and Raspite.
Xenotime is identified as an especially serious threat because of its ability to carry out supply chain compromise. The increased activity of Magnallium has been observed to match the escalation of tensions with Iran in the Middle East; however, it is not suspected of being a state-sponsored activity group.
These threats should not lead you to think that the electric entity threat landscape in the United States is in dire shape compared to the rest of the world. With the implementation of CIP-013, the supply chain compromise risk by Xenotime and other adversaries will lose its teeth; complying with the minimum level of cybersecurity mandated by CIP-013 may result in impactful improvement of the risk landscape.
The Dragos report provides an insightful look into the electric entity threat landscape as of January 2020. It highlights the vulnerabilities and activity groups faced by electric entities in the United States, looks at recent cyberattacks overseas, and weighs the rising risk from supply chain compromise against the coming relief that CIP-013 will provide.
All things said, many will be reassured by this report. While we can see that adversaries do pose a serious danger to electric entities, upcoming regulations may provide the necessary nudge towards a more secure critical infrastructure.