But, what are the energy-sector cyber threat experiences so far?
- The joint U.S. and Israel Stuxnet Project – which successfully infiltrated and damaged Iran’s Natanz Uranium Enrichment Facility in April 2008 after being delivered to the plant through an employee’s thumb drive – was perhaps one of the most famous cyber threat demonstrations against energy-related infrastructure.
- More recently, the 2015 attack on Ukraine’s power sector, purportedly carried out by Russia, represents one of the first known physical impacts on critical infrastructure resulting from a cyber attack.
On December 23, 2015, Ukrainian power companies experienced unscheduled outages caused by a coordinated and synchronized cyber attack on three regional electric power distribution companies, cutting off power to 225,000 customers. In addition to targeting remote infrastructure facilities, the attackers infected the companies’ networks with malware delivered through spear-phishing emails, though it is unclear whether the outages were connected to the malware infiltration.
Spear phishing is typically a fraudulent email, appearing to come from a known entity, that targets a specific individual or organization in order to obtain sensitive information or install malicious software.
- In January 2016, the Israeli Public Utility Authority (IPUA) fell victim to a ransomware scheme when an employee opened a spear-phishing email, allowing ransomware to infect other computers on the network. Energy infrastructure was not impacted in the IPUA attack.
Ransomware schemes usually involve a virus that encrypts files and locks up systems, with the virus developer demanding money in exchange for restoring the files or systems.
Stateside, the threats are also very real.
The U.S. Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) tracks, assesses and responds to cyber incidents in the nation’s critical infrastructure, which includes energy and nuclear power assets.
In FY 2015, ICS-CERT responded to 295 cyber incidents, a 20 percent increase from FY 2014. The critical manufacturing sector led with 97 incidents, followed by 46 in the energy sector and 25 in water and wastewater systems. Spear phishing accounted for 37 percent of the incidents reported to ICS-CERT, followed by network scanning and probing. In FY 2014, the energy sector topped DHS’ list of industrial-sector cyber attacks with 79 of the 245 total reported incidents.
Tripwire, a digital security firm, commissioned a 2016 survey of 150 energy-sector information technology (IT) professionals in the oil, natural gas and electricity sectors, which found that more than 75 percent had experienced at least one successful cyber attack in the past 12 months.
DHS believes low-level cyber-crime is the predominant activity against the energy sector, costing the sector billions in cybersecurity and insurance spending annually. Some examples include:
- In 2013, Russian hackers targeted Clay Center Public Utilities’ computers with ransomware delivered via a spear-phishing email, demanding $300 to unlock the system and threatening to destroy important files otherwise. Energy operations were not impacted, but the company’s entire customer accounting system had to be shut down.
- In April 2016, the third largest electric and water utility in Michigan, the Lansing Board of Water and Light (LBWL), was the victim of a ransomware scheme following a spear-phishing attack. An employee opened an email with a malicious attachment, allowing files to be encrypted throughout the network. Although the attack did not interrupt water or electricity service, LBWL had to shut down its corporate network for more than a week to resolve the problem.
On the other hand, there have been cases of hackers gaining control of the operational systems of critical (non-energy) U.S. infrastructure, keeping the energy sector fearful.
- In March 2016, the U.S. Department of Justice issued indictments against seven hackers linked to the Iranian government who attacked critical infrastructure in the U.S., including the control system of the Bowman Avenue Dam near New York City. The hackers were able to infiltrate the dam controls, changing water levels and forcing operators to manually disconnect some of the control systems during the attack. This marked the first time the U.S. had charged nation-state hackers with attacking critical infrastructure.
DHS’ intelligence assessment concludes that the threat of a cyber attack that damages or disrupts critical energy infrastructure is low. It places greater emphasis on what it labels “cyber espionage”: the insertion of malware (for example, through spear phishing and ransomware) to infiltrate systems and gather information that can be leveraged in the future.
Next up, I’ll be providing a brief look into U.S. efforts to combat these energy sector cyber threats.