Advanced Attack Groups Increasingly Threaten North American Electric Utilities


When it comes to critical infrastructure, few sectors are more essential than electricity generation and distribution. Without electricity, nothing else works. According to a report from cybersecurity firm Dragos, adversary groups have demonstrated the capability to detrimentally impact power operations and network connectivity. "Electric utilities remain at risk for a disruptive – and potentially destructive – cyberattack due to the political and economic impact such an event may cause," the firm wrote in its report North American Electric Cyber Threat Perspective.

"At this time, Dragos has observed adversary activity targeting utility enterprise networks, which may enable initial intrusion and reconnaissance at those entity sites. The data gathered and access achieved could facilitate preliminary steps for a potentially disruptive event within the OT environment. Dragos has also observed adversary reconnaissance inside ICS networks," the report continued.

The report concluded that while there hasn't been a destructive cyberattack in North America, such attacks by capable adversaries have occurred in other regions, such as Europe, and Dragos believes that, with adjustments, similar attacks are possible within North America.

Such disruptive attacks would require considerable time and effort to be successful, and Dragos believes that the defenders of ICS networks still have the edge over attackers.

Key Findings from the report include:

  • The threat landscape focusing on electric utilities in North America is expansive and increasing, led by numerous intrusions into ICS networks for reconnaissance and research purposes and ICS activity groups demonstrating new interest in the electric sector.
  • Attacks on electric utilities can have a significant geopolitical, humanitarian, and economic impact. Thus, state-associated actors will increasingly target power and related industries like natural gas to further their goals.
  • One significant threat includes active supply chain compromises by activity groups targeting original equipment manufacturers, third-party vendors, and telecommunications providers.
  • Research into the 2016 CRASHOVERRIDE attack demonstrates the adversary’s intent and ability to target protection and safety operations to cause prolonged outages, equipment destruction, and human health and safety concerns.
  • Utilities are slowly improving visibility in electric operational environments, and current regulatory standards in North America ensure the electric power sector maintains a minimum level of cybersecurity for all of the in-scope facilities. Further recommendations are included in this report for asset owners and operators to address cyber risk in their operations environment.
  • The complete "energy infrastructure sector" (electric, oil, gas, etc.) of all countries is at risk as companies and utilities are facing multiple global adversaries. Cyberattacks are an increasing means to project dominance in the energy domain.

While North America has not experienced a disruption, the number of known successful ICS attacks is rising, and the risk is high that such an attack happens within North America, Dragos concluded. The Dragos report focused on several adversaries that currently have their sights set on compromising critical infrastructure.

According to Dragos, over 60% of the adversary groups the firm observes are targeting the North American electric sector. Further, as threats to industrial control systems expand more broadly into North American utilities, they are also growing in menace.

Dragos tracked activity in one group, XENOTIME, which it described as "the most dangerous and capable activity group." According to its analysis, this group initially focused its efforts on targeting oil and gas operations and has more recently expanded into electric utilities. "Dragos also identified the MAGNALLIUM activity group expanding targeting to include electric utilities in the US. This activity group expansion and shift to the electric sector coincided with increasing political and military tensions in Gulf Coast Countries (GCC)," the report said.

According to the report, Dragos's research into the CRASHOVERRIDE attack also indicates that ELECTRUM targeted recovery operations. "Such activity, if successful, could prolong outages following a cyberattack and cause physical damage to equipment or harm to operators. These findings suggest the group had greater ambitions than what it achieved during its 2016 attack, and represent worrying possibilities for safety and protection-focused attacks in the future," the report states.

Dragos concluded that the increased risks associated with supply chain and third-party attacks are a growing concern. Such attacks make it possible for attackers to compromise environments and gain a foothold in trusted systems. Weaponized USB devices, software updates, and maintenance work will increasingly bypass security controls because hardware makers, maintenance engineers, and managed service providers are treated as trusted entities. "NERC Registered Entities with in-scope systems can take advantage of the recent focus around CIP-013 to create robust supply-chain risk management programs focused on both security and compliance objectives across operations," the report said.

While North America hasn't suffered a severe cybersecurity incident on its critical power infrastructure, that doesn't mean it can't or won't happen. The number of attacks on this critical infrastructure has increased in recent years and will likely continue to increase. And should a major physical war occur involving nations with significant offensive cyber capabilities, this critical infrastructure is a likely target. The Dragos report provides an interesting and wide-ranging look at the current threats to the North American electric sector and provides some insight for defenders, and it is worth a read and available here.