It’s Christmas Day in Australia. It’s 40 degrees – and power fails across several Australian cities. Air conditioning units seize, fridges stop working. Chaos ensues. Several power networks have been compromised by phishing emails containing ransomware. It takes all day – and the payment of extortionate ransoms – before power is restored to major cities.
Fiction? Well, maybe – but only just. This is essentially what happened in Ukraine on 23 December 2015. Attackers used spear-phishing emails and variants of the BlackEnergy 3 malware to gain a foothold in the corporate networks of electricity distribution companies, pivoted from there into the control systems, and knocked power offline for up to six hours.
In the five years since the Ukraine attack, attackers and malware have become even more sophisticated, while, arguably, energy generators and network companies face heightened threats as Operational Technology (OT) systems are increasingly integrated with IT.
There is increased recognition that we need to be proactive about protecting our nation’s critical infrastructure, with the federal government’s 2020 Cyber Security Strategy (and Accenture’s contribution to the piece) a clear indicator of this emerging trend.
Grid digitisation ramps up cyber-attack risk
As we modernise power plants and grids to enhance reliability and support demand management, OT systems are being integrated with IT platforms – presenting a risk that attackers may move from one to the other. This is:
1. Creating increased vulnerabilities – Energy companies now have a converged IT-OT attack surface. OT platforms tend to be replaced far less frequently than their IT equivalents, so OT infrastructure readily becomes out of date. Without appropriate lifecycle management, OT can be “left alone”. Yet a failure within an OT environment can result in a power system interruption, whereas an IT failure may be a simple inconvenience.
The presence of legacy systems within OT environments means that old vulnerabilities, patched and remediated years ago in IT systems, can still exist.
No wonder a global Accenture survey found that 54% of utilities executives named legacy components as one of their biggest security challenges. They also estimate that only 55% of a utility’s estate is actively protected by its current cyber security program.
2. Risking cyber attackers gaining access to control systems – The integrated attack surface also increases the opportunities for malicious actors to wreak havoc if they can penetrate cyber security defences anywhere in the system. In Ukraine, for example, the attackers were able to reach the grid’s control systems from the ordinary corporate network because control system interfaces had been connected directly to the corporate LAN.
3. Increasing ‘indirect’ attacks on enterprises – Our global survey also found that 40% of breaches in 2019 originated from indirect attacks through a supply chain or business partner ecosystem. The most concerning scenario here would be attackers using a compromise of one energy provider to gain access to the wider energy grid.
How should utilities respond?
In our global survey, nearly three quarters of utility executives said that staying ahead of attackers is a constant battle and the cost is unsustainable. In this environment, continuing with business as usual is not an option. How can utilities make better use of their cyber security investment?
- Understand your adversary – Utilities need to draw on shared and actionable threat intelligence, contextualised not only for their own operating environment but also for the business partner ecosystem they belong to. Actions taken on this intelligence can then be targeted at the tactics, techniques and procedures likely to be used against the organisation’s environment. Threat intelligence services use former national security analysts, proficient in multiple languages, to track dark web ‘chatter’ suggesting that threat actors may be targeting a particular utility – and then to gather intelligence about their plans.
When threat intelligence is in place, boards receive security reports and analyst briefings covering the threat and its context, the adversary’s intent and target, and the resulting business risk. At the same time, security operations receive details of how the threat operates, so they can hunt for intrusions that may have evaded existing automated tools, prioritise security incidents accordingly and monitor for the malicious activity described.
- Test OT security – When an Accenture team conducted vulnerability testing for an energy provider, it was able to gain administrator access to the client’s network, including the web console for managing the power supply to a metropolitan area, through common techniques used by adversaries.
- Bridge the gap between IT and OT teams – OT and IT security leads need to work hand-in-hand and share resources and learnings. IT may be ahead in cyber security maturity, but OT engineers are experts in the physical and virtual OT environment. It’s vital that OT is part of the security governance cycle and included in all security conversations and solutions.
- Eliminate blind spots – Many utilities lack visibility of the conversation streams between IT and OT equipment, especially control system cyber assets. Joint security teams need to map the OT environment and make sure everyone knows when something outside the OT security zone starts talking to an OT component inside it. Interactive dashboards can help all parties understand the complete attack surface, offering full visibility of intelligent electronic devices, remote terminal units, programmable logic controllers, breakers, meters and drives.
- Increase OT awareness of security risks – People are often the weakest link in cyber defences. Increasing security awareness is not just about training people not to click suspicious emails or plug in random USB devices – although that’s important. Most OT technicians have a “get it running, keep it running” mindset; whether an action could cause a security breach is far down their priority list. This needs to change.
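The “eliminate blind spots” step above, as an added example that is not Accenture’s or any utility’s tooling: a small detector that reads flow records in the style of a firewall or NetFlow export, builds an inventory of which OT assets are spoken to over which ICS protocol, and raises a finding whenever a host outside the OT zone opens a connection into it that is not on an allow-list. The zone address ranges, the jump-host allow-list, the log format and the sample flows are all constructed assumptions for the demonstration; the ICS port numbers are the documented defaults for those protocols.

```python
"""Flag connections that cross into an OT security zone from outside it.

Added example (not Accenture's or a utility's code). Zone boundaries, the
allow-list, the flow-record format and the sample flows are assumptions
made for this demonstration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed zone model: corporate IT, an IT/OT DMZ holding a jump host, and the OT zone.
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "ot": ip_network("192.168.100.0/24"),
}

# Documented default ports for common ICS/SCADA protocols.
ICS_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    2404: "IEC 60870-5-104",
    102: "IEC 61850 MMS / S7comm",
    44818: "EtherNet/IP",
    4840: "OPC UA",
}

# Assumed allow-list: only the DMZ jump host may open sessions into OT, over SSH or RDP.
ALLOWED_INTO_OT = {("10.20.0.5", 22), ("10.20.0.5", 3389)}


def zone_of(addr):
    """Name the zone an address belongs to; anything unmatched is 'external'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def parse_flow(line):
    """Parse an assumed record format: 'timestamp src:port > dst:port proto'."""
    ts, src, _, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port), "proto": proto}


def analyse(lines):
    """Return (findings, inventory).

    findings:  one string per flow that enters the OT zone from another zone
               and is not on the allow-list, naming the ICS protocol when the
               destination port is a known ICS port.
    inventory: OT asset -> set of ICS protocols seen on it, built from every
               flow that touches the OT zone (the 'map the OT environment' step).
    """
    findings = []
    inventory = defaultdict(set)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if dst_zone == "ot" and f["dport"] in ICS_PORTS:
            inventory[f["dst"]].add(ICS_PORTS[f["dport"]])
        if dst_zone != "ot" or src_zone == "ot":
            continue  # intra-OT traffic and traffic not bound for OT are out of scope here
        if (f["src"], f["dport"]) in ALLOWED_INTO_OT:
            continue  # sanctioned jump-host access
        proto_name = ICS_PORTS.get(f["dport"], f"tcp/{f['dport']}")
        findings.append(f"{f['ts']} {src_zone} host {f['src']} -> OT {f['dst']} over {proto_name}")
    return findings, dict(inventory)


# Constructed sample flows (not real data): a sanctioned jump-host login, normal
# intra-OT Modbus, a corporate workstation talking Modbus and DNP3 straight to
# OT devices, an Internet host reaching an OT RDP service, and ordinary IT traffic.
SAMPLE_FLOWS = """
2020-12-25T03:10:01Z 10.20.0.5:51000 > 192.168.100.10:22 tcp
2020-12-25T03:11:45Z 192.168.100.10:40000 > 192.168.100.20:502 tcp
2020-12-25T03:12:02Z 10.10.4.77:49321 > 192.168.100.20:502 tcp
2020-12-25T03:12:30Z 10.10.4.77:49322 > 192.168.100.21:20000 tcp
2020-12-25T03:13:00Z 203.0.113.9:61000 > 192.168.100.30:3389 tcp
2020-12-25T03:14:00Z 10.10.8.3:50010 > 10.20.0.5:443 tcp
""".strip().splitlines()

if __name__ == "__main__":
    alerts, assets = analyse(SAMPLE_FLOWS)
    for item in alerts:
        print("ALERT", item)
    for asset, protos in sorted(assets.items()):
        print("ASSET", asset, ", ".join(sorted(protos)))
```

Run against the sample, the detector reports the corporate workstation’s Modbus and DNP3 sessions and the external RDP connection, while the jump-host SSH login and the intra-OT Modbus traffic pass silently; the inventory records the two OT devices and the protocols seen on them. The design choice worth copying is that the allow-list is keyed on source host and destination port, so a “permitted” jump host that suddenly starts speaking Modbus into the zone is still flagged.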
Digitising the grid offers considerable resilience and sustainability benefits, but it’s also ramped up a utility’s risk footprint. And many utilities are not equipped to respond. Three in five utilities report cyber security costs have risen in the last two years. Yet, despite this increased investment, at just 56%, detection rates in the industry remain low.
To minimise the risk of attacks that take essential services offline, Australia’s electricity and water providers need to beef up IT/OT cyber security in a joint effort that draws on threat intelligence.
Get in touch to find out more: Ray Griffiths (OT Security Lead, Australia & New Zealand), Tony Histon (Transmission & Distribution Lead: Africa, Asia Pacific, Middle East).