The U.S. Department of Homeland Security confirmed in a briefing that Russian state-sponsored hackers had compromised hundreds of trusted vendors with relationships to energy and other critical infrastructure organizations, as part of what is believed to be an ongoing campaign to reach the control rooms of U.S. electric utilities. Some of those vendors may still not know they were compromised: the attackers used legitimate employee credentials, stolen from the vendors, to get into utility networks.
History has an interesting, and scary, way of repeating itself. While it may be different actors on a different stage, the stories tend to unfold in similar ways or with similar results. This story in the U.S., which will inevitably continue to unfold, brings to mind another instance in which critical infrastructure fell victim to malicious attackers.
The Ukraine Power Grid Hack That Left More Than 200,000 Residents in the Dark
On Dec. 23, 2015, more than 225,000 residents of Western Ukraine were left in the dark, and without heat, for as long as six hours. They were the victims of the first confirmed cyberattack to take down a power grid, carried out by attackers who had spent months learning the distribution companies' systems and planning what looks in hindsight like a choreographed operation. According to Wired's account of the incident, the attackers also overwrote the firmware on serial-to-Ethernet converters at 16 of the substations, so that operators could no longer control those substations remotely.
How did they do it? It began with a spear-phishing campaign against IT staff and system administrators at the power distribution companies. Booby-trapped Word attachments delivered malware that harvested the credentials those workers used for the VPNs that gave them remote access to the Supervisory Control and Data Acquisition (SCADA) network. Sound familiar?
The contrast with what might have happened in the U.S. is striking. Even though the affected control centers were still not fully operational more than two months after the attack, Ukrainian operators were able to restore power within hours by going to the substations and closing the breakers by hand. At the time, many U.S. grid control systems had no such manual fallback, which would have made restoring power far harder had the same attack landed here.
A Lesson in Security for Critical Infrastructure Organizations Around the World
There is a lot to learn from the incident in Ukraine, ranging from understanding the sophistication with which attackers plan and execute a campaign, to encouraging organizations to take a closer look at the systems and processes they have in place to keep themselves, and their customers, secure. It's very likely that the Ukraine power grid hack helped U.S. officials identify weaknesses, and suspicious activity, in their own systems, preventing similar (or potentially more disastrous) results.
The truth is, security is a complex creature with many moving parts to consider. It didn't matter that the Ukrainian control systems sat behind robust firewalls, because the VPNs remote workers used to get through those firewalls did not require two-factor authentication; a stolen password was enough. And there are plenty of other ways to create chaos in critical infrastructure. Take for example the pseudonymous Kemuri Water Company, described in Verizon's 2016 Data Breach Digest. A hacktivist group linked to Syria reportedly got into the utility's SCADA industrial control system and changed the levels of chemicals used to treat drinking water. Their entry point was a vulnerability in the internet-facing web server for the utility's customer payment application, which was connected to the same back-end system that also controlled the SCADA environment, so compromising the billing front end was as good as compromising the plant.
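As an added example, not code from the original article or from any of the utilities it describes, here is the kind of check the Ukraine incident argues for: an audit over VPN authentication records that flags remote logins into the control network which never presented a second factor. It goes one step beyond the text by also flagging a single source address cycling through several control-room accounts, which is what harvested credentials tend to look like in a VPN log. The log format, host name, account names, source addresses and group names are all constructed for this example; a real gateway's export will differ, so `parse_line()` is the piece to adapt.

```python
"""Audit VPN authentication logs for the weakness exploited in the Ukraine
grid attack: valid credentials used to reach the SCADA network over a VPN
that never demanded a second factor.

The log format below is constructed for this example (it is not the output
of any real VPN product); adapt parse_line() to your own gateway's export.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines. The accounts, addresses and groups are
# invented; timestamps echo the date of the Ukraine incident only for flavour.
SAMPLE_LOG = """\
2015-12-23T14:02:11Z vpn01 auth user=oper_kh src=198.51.100.23 mfa=totp result=success group=scada-ops
2015-12-23T14:05:47Z vpn01 auth user=admin_lv src=203.0.113.9 mfa=none result=success group=scada-ops
2015-12-23T14:06:02Z vpn01 auth user=admin_lv src=203.0.113.9 mfa=none result=success group=scada-ops
2015-12-23T14:09:30Z vpn01 auth user=jdoe src=198.51.100.77 mfa=none result=success group=corp-users
2015-12-23T14:11:05Z vpn01 auth user=oper_if src=203.0.113.9 mfa=none result=failure group=scada-ops
2015-12-23T14:11:40Z vpn01 auth user=oper_if src=203.0.113.9 mfa=none result=success group=scada-ops
"""

# One regex for the constructed key=value line format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>\S+) result=(?P<result>\S+) group=(?P<group>\S+)$"
)

# VPN groups whose members can reach the control network once the tunnel is up
# (assumed group name; use whatever your gateway assigns to SCADA access).
SCADA_GROUPS = {"scada-ops"}


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    src: str
    mfa: str      # "none" means the gateway accepted a password alone
    result: str   # "success" or "failure"
    group: str


def parse_line(line):
    """Parse one log line into an AuthEvent, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return AuthEvent(ts, d["user"], d["src"], d["mfa"], d["result"], d["group"])


def parse_log(text):
    """Parse every well-formed line; silently skip lines that do not match."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_single_factor_scada_logins(events):
    """Successful logins into a SCADA-capable group that presented only a password."""
    return [
        e for e in events
        if e.result == "success" and e.group in SCADA_GROUPS and e.mfa == "none"
    ]


def find_shared_source_accounts(events):
    """Source addresses that successfully authenticated as more than one SCADA account.

    One workstation moving through several harvested identities is the
    credential-reuse pattern a phishing-fed intrusion leaves behind.
    """
    users_by_src = {}
    for e in events:
        if e.result == "success" and e.group in SCADA_GROUPS:
            users_by_src.setdefault(e.src, set()).add(e.user)
    return {src: users for src, users in users_by_src.items() if len(users) > 1}


def audit(text):
    """Run both checks over a log export and return the findings."""
    events = parse_log(text)
    return {
        "single_factor": find_single_factor_scada_logins(events),
        "shared_source": find_shared_source_accounts(events),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for e in report["single_factor"]:
        print(f"PASSWORD-ONLY SCADA LOGIN {e.ts:%H:%M:%S} user={e.user} src={e.src}")
    for src, users in report["shared_source"].items():
        print(f"MULTIPLE SCADA ACCOUNTS FROM {src}: {sorted(users)}")
```

On the constructed sample this reports three password-only logins into the `scada-ops` group (two by `admin_lv`, one by `oper_if`) and one address, `203.0.113.9`, authenticating as both of those accounts; the `corp-users` login without MFA is out of scope for the control network and is not flagged. The real fix, of course, is to make the gateway refuse the `mfa=none` case for those groups rather than to find it in the logs afterwards; the audit is what tells you whether that policy is actually enforced.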
Houston, We Have a Supply Chain Problem
When the WannaCry and NotPetya (often called Petya) ransomware attacks hit in 2017, hundreds of hospitals, retail outlets, and critical infrastructure operators were disrupted, impacting commerce, patient care, and innovation. These attacks may well have been a sign that attackers are testing the fences to see how well critical infrastructure organizations secure their assets, detect an intrusion, and contain it. As we've seen, we live in an age where an attack in the digital world can and does have tangible effects on the physical world. The truth of the matter is that the growth of the digital economy has pushed digital transformation full steam ahead, whether or not IT, development, and security teams are ready for it.
When it comes to security, there are so many factors to consider, attack prevention, authentication, and application security for starters, that many organizations opt not to let perfection be the enemy of good. But it isn't only what happens inside your own organization that counts, because not every application or service will be homegrown. This means that organizations need to be more discerning about the vendors and software they select. One best practice is to look for security certifications, or at least to ask vendors and suppliers better questions about things like their secure development processes and their authentication practices, including whether their own remote access requires a second factor. Business has come a long way in terms of having a global view, but there is still work to do when it comes to securing the digital economy and building consumer trust.