Cyber Warfare Targets Energy: And Nations Could Be Destroyed in Days

I used to work in a chemical factory, and the risks were all around. Basically you had a whole lot of mechanisms to trip circuits when there was a fault. But what happens when you override these controls, and the system does not trip? Well, it may be possible to overload the circuits, and then cause a virtual meltdown in the electrical supply, which can then cause a fire or explosion.

So last week we saw a fire at the Abadan oil refinery in Iran. Luckily the fire did not spread and was brought under control:

Although it is difficult to trace the cause of the fire, some sources say that it was related to a cyber attack. So could this be the first sign of a new type of warfare? Basically, if you were to trip the energy supply for a whole nation, it could cause large-scale devastation and cause the country to fall within hours of a large-scale attack.

Not if

It is not “if” … but “when” … cyber warfare will happen, and it is likely to signal (or trigger) the first phases of warfare between two countries. Unfortunately, when the NATO Treaty was signed, there was no such thing as a cyber attack, and many countries are now debating whether a cyber attack could constitute an act of war. One must worry that in places where there is already tension, a perceived attack could trigger warfare.

The recent #NotPetya ransomware attack had some analysts speculating why it seemed to mainly target Ukrainian companies. Even the thought that it could have been nation-state driven could have led to finger-pointing over nation-state activity, and thus significantly increased tension between nations.

So while cyber espionage is commonplace, the legal system of most countries has not crystallised on the concept of cyber warfare. With cyber espionage, though, there is no physical damage, whereas cyber warfare could cost many lives. Many worry, too, that a perceived cyber attack from a rogue group could be mistaken for a nation-state attack, and then trigger a war between countries. A simple e-mail scanning attack on the UK parliament, using simple tools, for example, caused front-page headlines:

If this type of attack was linked in any way to nation-state activity, it could have major ramifications for increased tension between countries.

In traditional warfare, the first objectives are often to disable the energy network, destroy transport routes, and disable the communications networks. Over the past year, we have seen how this could play out in a cyber warfare scenario, with probing attacks on the energy network and Denial of Service attacks against network infrastructure (such as with Dyn).

One thing we learnt from the recent BA and Capita outages is that no electrical power leads to no IT. And so we must worry about the security of our power supplies, as they are probably the one thing that could bring a country to its knees.

Continual probing

Recently it was announced by the Wolf Creek facility in Kansas that at least 12 energy companies had been targeted by a cyber attack, which included one nuclear power plant. While the attacks have been mainly on the administrative operation of the plants, there is a worry that attackers could target the control systems involved.

In a well-designed power plant, the control systems are strongly segregated from the administration network. Another report identified that intruders had tried to crack a Wolf Creek employee’s password and that there were traces of booby-trapped emails for password harvesting.

A large-scale outage for a country could thus have devastating economic and social impacts. We often think that malware code will only affect software systems, but Stuxnet changed all this, with the opportunity of doing physical damage to equipment. With possible nation-state funded activities around the take-down of the power network, the risks have never been higher, especially in the creation of sophisticated and targeted attacks.

Ukraine attack

A cyber attack on the power supply network happened on an electrical transmission station near the city of Kiev (Ukrenergo), in December 2016, and resulted in a black-out for around 20% of the Ukraine population. Luckily it only lasted for one hour, but many think that it was just a test — a dry run — for a more sustained attack.

This attack has now been traced to the Crash Override (or Industroyer) malware. A previous attack on the Ukrainian power infrastructure, in 2015, involved the manual switching off of power to substations, but the newly discovered malware learns the topology of the supply network — by communicating with control equipment within the substations — and automatically shuts down systems.

The company who analysed it (Dragos) think that it could bring down parts of the energy grid, but not the whole of it, and that the activation date of the malware sample was 17 December 2016. They also noted that the malware can be detected by looking for abnormal network traffic, such as looking for substation locations and probing for electrical switch breakers.

At present it is not known how the malware managed to get into the network, but many suspect it may have been sent through phishing emails (as with the 2015 attack). Overall, Crash Override infects Microsoft Windows machines within the target network and then maps out the control systems in order to locate the key supply points, along with recording network activity which can be sent back to those controlling the malware.
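The detection idea above (abnormal traffic that looks for substation locations and probes for breakers) and the mapping behaviour just described both come down to one host talking to an unusual number of distinct control-system endpoints in a short time. The following is an added example, not code from the original post or from Dragos: a fan-out detector over constructed flow records. The port set (IEC 60870-5-104 on 2404, Siemens S7/ISO-TSAP on 102, Modbus on 502), the window and the threshold are assumptions to be tuned to a given plant's normal polling pattern.

```python
"""Fan-out detector for control-network topology enumeration.

Added example (not from the original post). Flags a source host that
contacts an unusually large number of distinct control-system endpoints
within a short window. Port numbers and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed control-protocol TCP ports (IEC 60870-5-104, Siemens S7/ISO-TSAP, Modbus).
CONTROL_PORTS = {2404, 102, 502}


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since capture start
    src: str
    dst: str
    dport: int


def detect_fan_out(flows, window=300.0, min_targets=5):
    """Return {src: set(dst)} for every source that reaches >= min_targets
    distinct control endpoints inside some `window`-second sliding window."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport in CONTROL_PORTS:      # ignore ordinary IT traffic
            by_src[f.src].append(f)
    alerts = {}
    for src, fl in by_src.items():
        start = 0
        for end in range(len(fl)):
            # advance the window start until the span fits inside `window`
            while fl[end].ts - fl[start].ts > window:
                start += 1
            targets = {x.dst for x in fl[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[src] = alerts.get(src, set()) | targets
    return alerts


# Constructed sample: an engineering workstation (10.10.1.5) legitimately
# polls two RTUs; a second host (10.10.1.77) sweeps the control segment.
SAMPLE_FLOWS = [
    Flow(0, "10.10.1.5", "10.20.0.11", 2404),
    Flow(30, "10.10.1.5", "10.20.0.12", 2404),
    Flow(60, "10.10.1.5", "10.20.0.11", 2404),
] + [
    Flow(100 + i, "10.10.1.77", f"10.20.0.{10 + i}", 102) for i in range(8)
] + [
    Flow(200, "10.10.1.77", "10.10.1.9", 445),   # SMB, not a control port: ignored
]

if __name__ == "__main__":
    for src, targets in detect_fan_out(SAMPLE_FLOWS).items():
        print(f"ALERT {src} enumerated {len(targets)} control endpoints: {sorted(targets)}")
```

In a real deployment the baseline matters more than the code: an engineering workstation that legitimately polls every RTU will trip this rule, so the threshold should be set from an allow-list of known pollers and their normal fan-out, with anything outside that list escalated.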

After the discovery phase, it is thought that Crash Override can load one of four additional modules, which can communicate with different types of equipment (such as Honeywell and Siemens systems). This could allow it to target other electrical supply networks within different countries.

Doing damage?

Another feature of the malware is that it could potentially damage electrical equipment and cause a large-scale outage. The malware was seen to disable the Siemens Siprotec digital relay (see graphic on the left-hand side), which is used to shut down electrical equipment if a dangerous surge is detected. The malware sends a specially crafted data packet to the device and takes it offline (after which it requires a manual reboot to get it back online).

This shutdown would mean that if the electrical supply was overloaded, the system would not shut itself down, and could thus cause significant damage to the supply network. This type of damage could cause the whole of the supply network to trip, as it cascaded.
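The danger described here is not the relay going offline by itself but the combination: a feeder carrying more than its rating while the relay that should trip it is silent. As an added example (not from the original post, and not Siemens or Dragos code), the following monitoring check raises its own alarm for exactly that combination, so that loss of protection is treated as an incident rather than a maintenance ticket. Feeder ratings, current readings and the heartbeat timeout are constructed values.

```python
"""Loss-of-protection check for feeders whose relay has gone quiet.

Added example (not from the original post). A protection relay that has
been knocked offline no longer trips on overload, so the monitoring layer
must raise its own alarm when a feeder exceeds its rating while its relay
is not answering. All values below are constructed for illustration.
"""
from dataclasses import dataclass

HEARTBEAT_TIMEOUT = 30.0   # seconds of relay silence before it counts as offline (assumed)


@dataclass
class Feeder:
    name: str
    rated_amps: float
    current_amps: float
    last_relay_heartbeat: float   # epoch seconds of the relay's last message


def relay_online(feeder, now):
    """True if the relay has reported within HEARTBEAT_TIMEOUT seconds."""
    return now - feeder.last_relay_heartbeat <= HEARTBEAT_TIMEOUT


def assess(feeders, now):
    """Return (feeder name, condition) alarms in feeder order.

    OVERLOAD             : relay online, a trip is expected; watch for it.
    RELAY_OFFLINE        : relay silent but the feeder is within rating.
    UNPROTECTED_OVERLOAD : relay silent AND overload; manual action now.
    """
    alarms = []
    for f in feeders:
        online = relay_online(f, now)
        overload = f.current_amps > f.rated_amps
        if not online and overload:
            alarms.append((f.name, "UNPROTECTED_OVERLOAD"))
        elif not online:
            alarms.append((f.name, "RELAY_OFFLINE"))
        elif overload:
            alarms.append((f.name, "OVERLOAD"))
    return alarms


NOW = 1_000_000.0
# Constructed snapshot of four feeders sharing a 400 A rating.
SAMPLE_FEEDERS = [
    Feeder("F1", 400.0, 250.0, NOW - 5),     # healthy
    Feeder("F2", 400.0, 460.0, NOW - 5),     # overload, relay live: should trip
    Feeder("F3", 400.0, 300.0, NOW - 120),   # relay silent, within rating
    Feeder("F4", 400.0, 520.0, NOW - 120),   # relay silent and overloaded
]

if __name__ == "__main__":
    for name, condition in assess(SAMPLE_FEEDERS, NOW):
        print(f"{name}: {condition}")
```

The point of the separate UNPROTECTED_OVERLOAD condition is operational: a silent relay on a lightly loaded feeder can wait for an engineer, while a silent relay on an overloaded feeder is the cascading-trip scenario the post describes and needs a manual disconnect before the surge propagates.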

In the teardown process, the malware destroys all of the files it has infected and tries to cover its tracks.

Previously, in 2009, Stuxnet, thought to have been distributed by the US and Israel, was used to attack an Iranian nuclear enrichment facility.

So what?

A study by the Cambridge Centre for Risk Studies, for example, estimates that a large-scale power outage in the UK would result, in the worst case, in losses of £442 billion from UK GDP over five years. They conclude that the most plausible route would be to bring down the substations and cause blackouts for up to 13 million people, for several weeks at a time.

Tripwire recently surveyed 150 IT professionals in the energy industry and found that the number of attacks on their infrastructure was increasing, and that 77% of recent attacks had been successful in some way. Overall, 68% said that the rate of success of the attacks had increased by 25% compared with the previous month. For the source of the attack, 78% reported attacks from external sources, and 30% reported attacks related to an insider (either someone working in the company or an ex-employee).

In conclusion, 83% of them thought that their companies were not confident of coping with a cyber attack. To balance this, 78% of them were confident that their organisations could detect sensitive and confidential information.

Jack Harrington, from Raytheon, tells it like it is, saying that our electrical supply is:

critical to our daily comfort and ultimately our survival

and that it is vulnerable to cyber terrorists. He cites the cases of power supplies being affected in the Ukraine, and by white hat hackers in the Midwest, where RedTeam managed to gain access to a number of electrical power stations (often using social engineering methods):

You can see how easy it was for the RedTeam to gain access to supply stations, and you worry that others with a more malicious intent could cause chaos in other countries. With no electrical supply, data centers, ISPs, and all the other key services would fall like dominoes. Attacks on SCADA systems, for example, have risen by more than 100% over the past year. A large-scale black-out in the North-East US in 2003 caused considerable problems, where the power network was tripped by a fault on the lines:

Phases of Cyber Warfare

So what might cyber warfare look like?

Stage 1: take-over

So the first thing that the network and security engineers will have to do in a cyber war attack will be to take over control of the traffic, otherwise its own citizens will crash the internal infrastructure. The challenge in this phase is to control the internal forces, while dealing with external pressures. These days, many of the services use Cloud systems, so throttling back external traffic could also disrupt the network.

Stage 2: Coping with threat

As Stage 1 happens, security analysts are likely to be analysing the external threats, such as coping with a large-scale Distributed Denial of Service, and trying to understand how they could cope with an external (or internal) attack without actually affecting the internal network. The plans would then have to be carefully intertwined to make sure that any control on the external threat does not affect the internal operation of the infrastructure. A large-scale crash would be almost impossible to cope with, as servers and services are normally interconnected, and the whole infrastructure would take a while to recreate itself. Like it or not, much of the infrastructure still requires a great deal of human intervention.

Stage 3: Observation and large-scale control

At this stage, we will see the Chernobyl Nuclear Power Plant effect, where the most important alarm on the system was swamped by other, less important ones. Alerts will be coming in on system crashes and problems, so plans will need to be in place to filter these alerts so that only the most important ones are fed to analysts, who can then try to put plans in place to overcome the problems before the infrastructure collapses. While many have tried to model the complex behaviour of our network infrastructure, it is almost impossible to predict, so security and network analysts will have to cope with the large-scale disruption and make decisions on how to keep the core infrastructure up and running.

A key focus of this stage would be to make sure that military, transport, energy, health and law enforcement systems were given the highest priority, along with financial systems (as the shock wave of a disruption to the economic infrastructure of the country could be long lasting).
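The filtering and prioritisation that Stage 3 calls for is the kind of thing that should be built and exercised before the flood, not improvised during it. As an added example (not from the original post), the following triage queue ranks alerts by severity and then by the sector ordering the post lists, collapses repeats of the same alert, and caps the number of low-severity alerts admitted so that a single critical grid alert is the first thing an analyst sees even when it arrives behind hundreds of routine IT notifications. The sector names, severity levels, cap and sample alerts are assumptions.

```python
"""Alert triage for the Stage 3 flood.

Added example (not from the original post). Ranks alerts by severity and
sector, de-duplicates repeats, and caps low-severity noise so the few
critical alerts cannot be swamped. Rankings and samples are assumptions.
"""
import heapq
from collections import Counter
from dataclasses import dataclass
from itertools import count

# Lower number = handled first (assumed ordering, following the post's list).
SECTOR_RANK = {"military": 0, "energy": 0, "transport": 1, "health": 1,
               "law_enforcement": 1, "finance": 2, "commercial": 3, "other": 4}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Alert:
    sector: str
    severity: str
    source: str     # host or system that raised it
    message: str


class TriageQueue:
    def __init__(self, low_priority_cap=20):
        self._heap = []
        self._seq = count()          # tie-breaker: FIFO among equal ranks
        self._seen = Counter()       # (sector, source, message) -> repeat count
        self._cap = low_priority_cap
        self._low_admitted = 0
        self.suppressed = 0          # low-severity alerts dropped by the cap

    @staticmethod
    def rank(alert):
        return (SEVERITY_RANK.get(alert.severity, 9), SECTOR_RANK.get(alert.sector, 9))

    def push(self, alert):
        key = (alert.sector, alert.source, alert.message)
        self._seen[key] += 1
        if self._seen[key] > 1:      # duplicate: counted, not re-queued
            return False
        if alert.severity in ("medium", "low"):
            if self._low_admitted >= self._cap:
                self.suppressed += 1
                return False
            self._low_admitted += 1
        heapq.heappush(self._heap, (self.rank(alert), next(self._seq), alert))
        return True

    def pop(self):
        _, _, alert = heapq.heappop(self._heap)
        return alert

    def repeats(self, alert):
        """How many times this exact alert has been reported."""
        return self._seen[(alert.sector, alert.source, alert.message)]

    def __len__(self):
        return len(self._heap)


def triage(alerts, cap=20):
    q = TriageQueue(cap)
    for a in alerts:
        q.push(a)
    return q


# Constructed flood: 500 distinct low-severity IT alerts arrive first, then
# one critical grid alert (reported twice) and one high finance alert.
SAMPLE = [Alert("commercial", "low", f"ws-{i}", "AV signature update failed") for i in range(500)]
SAMPLE += [Alert("energy", "critical", "relay-07", "protection relay unreachable"),
           Alert("finance", "high", "core-bank", "settlement link down"),
           Alert("energy", "critical", "relay-07", "protection relay unreachable")]

if __name__ == "__main__":
    q = triage(SAMPLE)
    print(f"queued={len(q)} suppressed={q.suppressed}")
    while q:
        a = q.pop()
        print(a.severity, a.sector, a.source, a.message, f"x{q.repeats(a)}")
```

Two design points: the duplicate counter is kept even for dropped alerts, so the analyst still sees that a relay alarm fired twice rather than once, and the cap applies only to medium and low severities, so nothing critical is ever suppressed regardless of how much noise precedes it.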

Stage 4: Observation and fine-control

At this stage, we would move to a point where there was some stability, and where lesser alerts could be coped with. These might relate to services which were less important, but which still need to be sustained. A key focus would be to protect the financial and commercial interests of the country.

Stage 5: Coping and restoring

The final stage is likely to be the restoring of normality, and trying to recover systems which may have been damaged in some way. In a cyber warfare event, this could be an extremely costly process, especially if the country has not coped well with the attack.

Conclusions

Energy network operators have assumed that they built their infrastructure with equipment which would not be attacked (as it was isolated from the Internet), but, unfortunately, vendors have created fairly open systems which do not have a strong backbone of security. So while electrical supply networks are often fairly well isolated from the rest of the Internet, once a piece of malware is inside the network, it can overcome most of the barriers to its operation.