While in Austin, TX for Exchange 2017, Landis+Gyr’s annual users conference, I attended a breakout session about security. Having worked in enterprise software and hardware, before switching over to energy management, I’m well aware of the importance placed on security. Any time one of my previous employers launched a new product, the very first question was always about security. Is it safe to put in my environment? Does this product open any security risks? The same is also said about the utility industry. This was evident by the standing-room-only audience. Speaking at the session was Stephen Chasko: A Certified Information System Security Professional (CISSP) and Solution Director with Landis+Gyr. Stephen’s session was very well received and sparked a lot of conversation and questions. I thought about the need for security and what kind of person would cyberattack a utility. I sat down with Stephen after the event, trying to get into the mindset of a security criminal.
How important is cyber security to the utility industry?
Cyber security is immensely important to the utility industry. There were a series of breaches in the last couple of years and they have really crystalized the attention of executives. According to Black & Veatch, 4.37 is the ranking US utilities give cyber security on a scale from 1-5 of importance, making cyber risks the second most important issue for electricity providers after grid reliability. Of all the concerns executives face, security shows up a lot.
Additionally, 70% of the world's power, water and critical infrastructure providers reported a breach in the past year which led to a loss of confidential information or a disruption in operations. A Unisys & Ponemon Institute survey showed that 78% of providers expected a successful breach of their ICS/SCADA systems within the next two years. It definitely has the attention of executives, resulting in sizable investment in security. It also has the attention of the regulators of utilities.
How often do security breaches happen and what is the expectation of a potential attack in the future?
We’re kind of used to attacks in other industries. We see banks or retailers get attacked regularly. There is successful breach after successful breach. There are mitigations against it, but attacks continue to accelerate. In the utility space there have been a couple of attacks, mainly on the IT infrastructure. The expectation is these attacks will increase and the attack space is very wide. It goes beyond advanced meter intelligence. Utilities are not just sitting passively watching this; they’re working hard to mitigate this.
Why are attackers doing this? What’s the point?
This question comes up a lot. The answer has changed over the years. It came from a perceived hacker ethic. The idea was if a hacker can demonstrate an attack, it will force the entity they’re attacking to mitigate it. The idea is to force the change. My doing something bad, is ultimately causing something good. I don’t agree with this mindset. The main reason I disagree is because the hackers would often disclose these attacks while the mitigations were not yet present. They would publish and demonstrate how to shut off someone’s power while the utility would struggle to solve it. This would leave an open and public vulnerability utilities were working to close, while people were attacking at the same time. Other hackers now had the blueprint.
In the past five years, however, it’s become a criminal enterprise. There are multi-billion dollar entities that are making money off these attacks. They have a completely different motivation. In the utility space, you’re primarily talking about nation-states and entities which want to hold utility enterprises ransom. They would somehow put threatening software inside the utility enterprise and for a fee they would recover the damaging software – a typical ransomware attack. There is increasing talk that 2017 will be the year of ransomware. Utility enterprises are going to be an attractive target.
How does an attack usually work? Generally speaking, is there a pattern or sequence attackers usually follow?
There are various approaches and taxonomies to structure an attack.
- Lockheed-Martin puts out what they call their Cyber Kill Chain, which boils down to seven steps: reconnaissance, weaponization, delivery, exploit, installation, command & control, and actions.
- ICS-CERT has it narrowed down to just three: discovery, attack, and intrusion.
- Pen Testers use a four-step approach: reconnaissance, initial analysis, deep analysis, and exploitation.
For me personally, I see it broken down into three steps:
- Learning phase – Where an attacker is learning about your system — the precursor to an attack.
- Attack phase – The attack takes place.
- Clean up phase – What has happened? How do you recover? What can you recover?
There have been a lot of false rumors about cyberattacks. Why is this?
There have been a series of power outages which have been attributed to a cyberattack. Recently there was a write-up in the news about power outages in Los Angeles and San Francisco resulting from cyberattacks. From every indication, there were no cyberattacks. There has been false reporting where perceived cyberattacks took place, showing there’s a lot of fear about attacks.
Another which has receive a lot of attention was in Turkey. Turkey had a major power outage and they blamed it on an Iranian cyberattack. Then they had a second power outage which they claimed was an American cyberattack. However, nothing they have published proves this claim. All of this leads to more heightened cyberattack fears, but these fears are rooted in reality. Attackers use various attack trees and structure to gain access. The fears stem from real events, like the Ukraine attacks.
Can you talk a little bit more about the Ukraine attacks?
A major attack occurred in Ukraine in December of 2015. The power went out in a very large segment of Ukraine. A large portion of the population was without power, but the utility reacted fast and brought in a lot of outside experts to assist. They did a very good job of coordinating with the global community. Unlike the alleged Turkey attacks, there has been a lot of information sharing and it was very clear to see what the steps to the attack were, what happened, and what caused the outage.
In fact, two different attacks took place and in December of 2016 Ukraine was attacked again. Power was out for a large portion of Kiev. It’s widely believed to be an attack from a foreign military or someone sympathetic to a foreign government. It all started with an email and a spear phishing campaign, meaning someone was sent an email and the reader opened an attachment which allowed an outsider to control a system remotely.
- They attackers simply watched and learned, running reconnaissance for months. They started to learn how the internal infrastructure of the utility worked, how the SCADA gear was set up, and how the phone systems worked.
- Harvested credentials – to gain access to different parts of the infrastructure.
- Targeted and reconfigured the UPS systems – the power supplies for the IT system.
- Loaded new firmware into the ethernet-to-serial port converters at the substations.
- Started a telephone denial of services – to shut down all the phone systems.
- Disabled the UPS systems and the IT infrastructure.
- Opened the breakers in the substations.
- Overwrote the firmware on the ethernet-to-serial port converters.
- Ran a KillDisk on all the operator stations – destroying as much of the IT infrastructure as they could.
Throughout all this, the utility did a phenomenal job. They had fairly mature policies and procedures to recover their systems. They had the power back on within 24 hours by manually closing all the breakers. They also had their IT infrastructure restored in a relatively short amount of time. As utilities go, they were very mature and did a very good job post-attack. The details on the December 2016 attacks are still a little vague though. We’re not sure if they used the same attack vectors or not.
You previously mentioned an attack tree. What is that and how do attackers use it?
An attack tree is a conceptual diagram and it shows how an asset or target might get attacked. For example, if I’m trying to attack your PC and take control, these are they ways I might accomplish that. The attack tree starts to leaf out and show all the possible ways an attack may be done.
Similar to a tree, all the branches connect at singular points and there are common areas you can mitigate. The higher up the tree you can perform the mitigations, the wider the coverage will be. It helps define where you can implement your preventions. You try to make your preventions additive or multiplicative. Meaning, if I have two mitigations side-by-side, it takes me twice as long to preform my attack. With the attack tree, you can see a mitigation will be covered for most attacks and will take twice as long. Two mitigations multiply each other so now it takes 10x as long, and if you add another it will take 100x as long; that is the preference. Knowing an attack tree helps build up your confidence in how long it will take an attacker. You want to increase their cost in a monetary sense, time it takes, and expertise. Then it becomes too expensive to accomplish the attack.
You also talked about reconnaissance. What should utilities look for and where should they take the most caution?
Going back to the Ukraine attack, it’s on the policy and procedure side. Specifically, it’s on the people part – social engineering is the entry point. It’s low-tech, low-cost, and usually how attackers get in. This also include insider attacks. Maybe it’s someone within the utility who has been paid off, held for ransom, or part of the attack itself.
A couple of good steps you can take to prevent these attacks are to hire people to socially-engineer your own infrastructure, often called red-teaming. Their goal is to try and gain access to whatever you’re trying to protect; then learn where you need to improve and take mitigations. Most organizations are shocked at how easy it is to see how much information a red team can collect through social engineering. Often the solutions are low-tech and simply educating staff will help. When staff realize the targets, they usually shore up vulnerabilities fast.
Can you please go more in-depth on these attacks? How can utilities safeguard themselves against attacks?
In terms of attacks themselves, attackers usually go after the hardware first to gain an education. They’ll take them apart and look for any possible ports or vulnerabilities, any diagnostic modes, I/O, serial ports, USB, ethernet, radio frequencies, etc. – wherever they can gain access.
- They’ll also dump the memory, searching for any cryptographic keys. Keys are fairly easy to find if there aren’t any basic mitigations in place. In memory, generally everything is organized but then you’ll see this random string of data, which is almost always a key. They’re going to look for a 256-stream of random data, which is probably a key.
- They’ll try to reverse-engineer the code. They’ll decompile it, searching for obvious flaws. A classic is a buffer-overflow-flaw. The attackers can then send a block of data larger than a port is programed to receive, essentially overloading the port which doesn’t know to reject such large blocks.
- They’ll also use advanced, persistent threats. A PC may be found with malware, where an attacker had compromised the utility and sat for a long period of time learning and stealing.
How can Landis+Gyr help protect utilities?
From a utility perspective, they need to define what it is they’re protecting; information, assets, etc. They start to think about mitigations to protect them. If you’re new to this and don’t know where to begin, I’d suggest the NISTIR 7628 Guidelines for Smart Grid Cyber Security. Landis+Gyr, along with industry experts and utilities, have contributed to providing guidance and recommendations to protect and secure your grid. That is the starting point.
At the top of that list is mitigations for software modification – someone trying to make unapproved changes. Some of the steps we take:
- Verify signatures and message integrity checks
- Endpoints - disable test ports, flash encryption, and endpoint software cryptographically signed by Landis+Gyr
Additionally, we want to take mitigations for interrupting electricity flow – someone trying to shut off power. Some of the steps we take:
- Velocity check
- Signed messages
- Privileged usage
- Verify signatures
- Message integrity check
- Broadcast restrictions
- Disable test ports
- Flash encryption
Landis+Gyr takes additional steps to protect both your system and ours:
- Understanding different attack vectors is helping us defend our systems – we attack our own systems and we hire third-party agencies to attack us, searching for weak points.
- Utility security teams continually improve the security of their environments. Landis+Gyr is providing AMI mitigations designed to complement our customers' systems.
- Landis+Gyr is helping utilities maintain trust, keeping the lights on and protecting the utility customers' data.
Learn more about Landis+Gyr Security here.
More on Stephen Chasko:
Stephen is a proud “Criminal” himself, but only as a graduate from Yuma Union High School in Yuma, AZ. Yuma Union High School is the “Proud Home of the Criminals”. To learn more about how they got their mascot nickname, read their history.
Stephen is responsible for AMI solution delivery to Landis+Gyr customers and continues to work with customers directly regarding their communications software and security architectures. Stephen has experience working on security issues for advanced metering, RFID, secure microcontrollers, stored value, smart card, retail, and financial systems. His employment experience includes NCR, ACI Worldwide, and Texas Instruments. His special fields of interest include data communications, smart card systems, secure microcontrollers, and Smart Grid security. Stephen has spoken at numerous security conferences and panels including the RSA Conference, the Smart Grid Security conference, DistribuTECH, and IEEE PES.