
Author: Frédéric GUYOMARD – Electricité De France R&D, Paris-Saclay Labs, France - June 2024. 

Current Cyber Risk Landscape that could affect critical Facilities 

“Ransomware as a Service” is a phrase we now read regularly in the news media, and it illustrates an observation found in many articles dealing with the threat to industrial sectors. Unfortunately, the energy and electricity sectors are targeted as well.

As critical infrastructure becomes digitized and networked with different facilities, it becomes more vulnerable to multiple threats including physical and cyberattacks by terrorists, activists or hackers. The attack surface is increasing due to digital transformation and because of communication systems giving more and more connectivity, but also because of maintenance and supply chain issues. An attack on critical infrastructure can inflict major damage and ‘cascading effects’ into other essential services, bringing cities and citizens to a standstill. Damage control requires a sophisticated interconnected protection, alert and response system.   

Threat environment and geopolitics considerations 

The Russian-Ukrainian war shows that the energy domain is an important target, and many incidents were detected before the beginning of the invasion. Power systems, the electrical grid and its components have been targeted: the first large-scale attacks took place in December 2015 (BlackEnergy) and December 2016 (Industroyer), followed in 2017 by NotPetya[1]. The “Dragos-2023-Year-in-Review-Full-Report” discusses the Operational Technology cybersecurity landscape with this assessment:

“The OT (Operational Technology) cyber threat landscape continued to evolve in 2023, with an increase in tracked threat groups, ransomware events, and other threat activities driven by global conflict. The adversaries involved in these activities varied widely in terms of their level of sophistication, deployed capabilities, and intended targets. On one end of the spectrum, some threat groups used advanced techniques, such as leveraging native functionality, including living off the land (LOTL) techniques, to conduct reconnaissance and intelligence operations. Conversely, some adversaries targeted low-hanging fruit such as internet-accessible devices that lacked proper hardening, thus making them easy to damage and cause operational disruptions. 

Threat groups continued to use publicly disclosed vulnerabilities and discover and develop their own capabilities. The identified vulnerabilities have the potential to result in loss/denial of view, denial/manipulation of control, theft of operational information, and loss of productivity and revenue.” 

Vulnerabilities: lack of sufficient security controls 

To evaluate the risk level, it is necessary to consider advanced persistent threats (APT) that could be planned or carried out by terrorists, activists, or even by state actors. Attacks could be carried out using specialised digital tools (malware, hacking, intrusion, or any other attempt to penetrate the systems) or through physical threats, including drones used for spying or for carrying bombs. The two types of attack, digital and physical, could be combined, taking advantage of a disaster situation, natural or not. Despite security efforts in certain sectors, attackers continue to exploit the same technical weaknesses to gain access to networks. Exploiting zero-day and one-day vulnerabilities remains a prime entry point for attackers, who all too often still benefit from poor administrative practices, delays in applying patches and the absence of encryption mechanisms. Many CVEs are published, and their severity scores have to be considered to estimate the urgency of remediation action[2]; see also the “Dragos ICS Report 2023”.
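As an added example, not code from the article or from EDF, the following Python routine applies the CVSS v3.1 qualitative severity scale to a list of published vulnerability records and derives a remediation window from it. The CVE identifiers and asset names are constructed placeholders, the SLA windows are an assumed internal policy rather than any standard, and the escalation of internet-exposed assets is a design choice reflecting the Dragos observation quoted above that unhardened internet-accessible devices are the easiest targets.

```python
"""Triage published vulnerabilities by CVSS severity and exposure.

Added example, not from the article or EDF. CVE identifiers, assets and
scores are constructed placeholders; the SLA windows are an assumed
internal policy.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CVSS v3.1 qualitative severity rating scale (as defined in the CVSS spec).
SEVERITY_BANDS = [
    (9.0, "Critical"),
    (7.0, "High"),
    (4.0, "Medium"),
    (0.1, "Low"),
    (0.0, "None"),
]

# Assumed remediation windows in days per band (hypothetical policy).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180, "None": None}


@dataclass
class VulnRecord:
    cve_id: str              # constructed placeholder, not a real CVE number
    asset: str               # constructed asset name
    cvss_score: float        # CVSS v3.1 base score from the advisory
    internet_exposed: bool   # reachable from the Internet (raises urgency)
    patch_available: bool    # vendor fix exists; otherwise mitigate instead


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.1 base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "None"


def remediation_plan(rec: VulnRecord) -> Tuple[str, str, Optional[int]]:
    """Return (effective severity, action, days allowed) for one record.

    Internet-exposed assets are escalated one band. Without a vendor patch
    the action is a compensating control (isolate, restrict access,
    monitor) within the same window.
    """
    severity = cvss_severity(rec.cvss_score)
    labels = [label for _, label in SEVERITY_BANDS]  # Critical .. None
    if rec.internet_exposed and severity != "None":
        severity = labels[max(labels.index(severity) - 1, 0)]
    action = "patch" if rec.patch_available else "mitigate"
    return severity, action, SLA_DAYS[severity]


def triage(records: List[VulnRecord]) -> List[Tuple[str, str, str, str, Optional[int]]]:
    """Order records by urgency: shortest window first, then highest score."""
    rows = []
    for rec in records:
        severity, action, days = remediation_plan(rec)
        rows.append((rec.cve_id, rec.asset, severity, action, days, rec.cvss_score))
    rows.sort(key=lambda r: (r[4] if r[4] is not None else 10**6, -r[5]))
    return [r[:5] for r in rows]


# Constructed sample input (placeholder identifiers, not real CVEs).
SAMPLE_RECORDS = [
    VulnRecord("CVE-0000-0001", "substation-rtu-01", 9.8, False, True),
    VulnRecord("CVE-0000-0002", "hmi-engineering-ws", 7.5, True, True),
    VulnRecord("CVE-0000-0003", "historian-db", 5.3, False, False),
    VulnRecord("CVE-0000-0004", "vpn-gateway", 6.9, True, True),
    VulnRecord("CVE-0000-0005", "badge-printer", 3.1, False, True),
]

if __name__ == "__main__":
    for cve_id, asset, severity, action, days in triage(SAMPLE_RECORDS):
        print(f"{cve_id}  {asset:20s} {severity:8s} {action:8s} {days} days")
```

The point of the exposure escalation is that a raw CVSS base score describes the vulnerability, not the asset it sits on; the same "Medium" flaw on a VPN gateway facing the Internet deserves a shorter window than on an isolated historian, and a record with no vendor patch still gets a deadline, but for a compensating control rather than a patch.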

To make the link with the PRAETORIAN European project: its strategic goal is to increase the security and resilience of European CIs, facilitating the coordinated protection of interrelated CI against combined physical and cyber threats. To that end, the project provides a multidimensional (economic, technological, policy, societal) yet installation-specific toolset comprising: (i) a Physical Situation Awareness system, (ii) a Cyber Situation Awareness system, (iii) a Hybrid Situation Awareness system, which will include digital twins of the infrastructure under protection, and (iv) a Coordinated Response system. The PRAETORIAN toolset will support the security managers of Critical Infrastructures (CI) in their decision making to anticipate and withstand potential cyber, physical or combined security threats to their own infrastructures.

From the ENISA 2023 report we learn that in 2022, following the invasion of Ukraine, Industroyer2 was discovered targeting energy substations. This is a variant of the Industroyer malware that was used by the Sandworm APT group to cut power in Ukraine in 2016. Another malware strain detected was INCONTROLLER (aka PIPEDREAM), which was built to manipulate and disrupt industrial processes.

In May 2023, novel malware targeting OT and ICS was discovered and tracked as COSMICENERGY. The purpose of this malware was to disrupt electric power through interactions with devices, such as remote terminal units (RTUs), used in electric transmission and distribution operations in Europe.

Further code analysis of the malware and its components showed that it lacks maturity, contains errors and is far from having a full-fledged attack capability like Industroyer2 or CRASHOVERRIDE. It was concluded that COSMICENERGY is not an immediate threat and that it is likely part of a training exercise or intended for use in detection development. However, these incidents show that industrial protocols are susceptible to attacks, and they served as a wake-up call for the critical infrastructure sector, emphasising the need for continuous vigilance and proactive measures to safeguard operational technology and industrial control systems.

Impact/consequences 

Malware and threats against data or availability delivered through supply chain processes have consequences for the critical entities’ essential functions (for example, the XZ backdoor attack). But a hybrid threat could produce stronger consequences, because it offers the opportunity to exploit temporary weaknesses, combined with pre-positioned footholds in the digital domain. The “ENISA threat landscape 2023” document clearly makes the link with the geopolitical context: “Cyber threat actors and their modus operandi are inevitably influenced by geopolitical events. A sizeable number of operations have been monitored, during the reporting period, where the actions of some cybercriminals, state-nexus threat groups and hacktivists have their roots in geopolitical developments. In general, at least state-nexus groups and hacktivists, regardless of motivation or agenda, can be triggered into action by these events.”

Plant management and engineering activities are directly linked to industrial IT and provide sensitive services for the company. What's more, the centralisation of these activities requires particular attention in terms of IT security. Guaranteeing availability and integrity is therefore of paramount importance.  

The threat is constantly evolving, and attacks can have major consequences. They can cause a deterioration in system performance (e.g. increased response times) or lead to a loss of integrity (e.g. modification of data, modification of application functions). They can also lead to information leakage, data loss and even the loss of critical services. For a company, there may be impacts on its operations, financial impacts, impacts on intellectual assets (loss of knowledge, theft of know-how or innovative capabilities). In some cases, damage to critical systems can have a strong human or environmental impact. Another significant issue concerns the brand image, possible interference and destabilization of companies and states. For example, the media coverage of the various energy sectors often puts these activities in the spotlight. The stakes are high, and the security measures to be implemented at the level of a complete system must ensure the right level of protection, for reasons of operational safety and availability, as well as efficiency. 

Relationship with Resilience: Governance 

In 2023, we saw major regulatory changes for critical infrastructure asset owners, leading organizations to spend more time and resources preparing for a cyber security event. This included updates for US pipeline operators in North America with TSA Pipeline-2021-02D (SD-02D). In Europe, it was the Networks and Information Systems Directive (NIS2); in Australia, the Security of Critical Infrastructure (SOCI) Act; and in the Kingdom of Saudi Arabia, the Essential Cyber Security Controls (ECC). One of the most significant changes was not aimed at critical infrastructures but at listed companies in the United States: the new cybersecurity risk management rules of the Securities and Exchange Commission (SEC). These rules apply to many IoT asset owners, including investor-owned utilities and manufacturing companies.

To support resilience needs, a regulatory framework and compliance requirements have been established in the power sector. The US Cybersecurity and Infrastructure Security Agency and the EU NIS2 Directive (Directive 2022/2555) establish cybersecurity requirements for operators of essential services, including power companies. NERC (North American Electric Reliability Corporation) and IEC (International Electrotechnical Commission) also provide strong recommendations through the NERC CIP and IEC 62443 standards. Another major document is “NIST Releases Version 2.0 of Landmark Cybersecurity Framework”, in which, alongside the familiar ‘Identify, Protect, Detect, Respond, Recover’ functions, Governance becomes central and cross-cutting.

[1] https://obr.uk/box/cyber-attacks-during-the-russian-invasion-of-ukraine/ 

[2] https://cve.mitre.org/ 
