industrial cyber threats

Securing the Energy Sector against Industrial Cyber Threats

Dec 08, 2016 By Paul Curran

Late in 2015, just over a month before hackers plunged over 230,000 residents in the Western Ukraine into darkness for 6 hours, Forbes forecasted what they considered to be the biggest cybersecurity threat: The Energy Sector.

 

They were right, and remain correct as the exploits and vulnerabilities of 2016 become the major challenges of 2017.

 

Due to prevalence of unpatched legacy systems, the high cost of proper security along with the fact that many energy providers cannot afford the downtime to update their systems, the energy vertical is becoming an increasingly attractive target for hackers.

 

In early 2016, Tripwire surveyed 150 information technology workers and more than 75 percent reported that their companies in the oil, natural gas and electricity sectors had experienced at least one “successful” cyber attack over the last year. In these attacks, malicious parties were able to breach one or more firewalls, antivirus programs or other protections.

 

Read: What Went Wrong & Key Takeaways in the Department of Energy Breach

● Watch: Zero-Day Vulnerabilities in the Industrial World

 

Hacks against the energy sector, such as the large-scale blackout that froze electricity for Ukrainians in the dead of winter, can have devastating consequences both on and offline. The fallout from prolonged hacks against the energy grid is catastrophic and, when weaponized, can present clear existential threats to nations who need to be doing much more to secure their energy infrastructure.

In 2008, when the EMP Commission (the body designed to assess the threat to the United States from electromagnetic pulse attacks) met to examine the vulnerability of United States military and especially civilian systems to an EMP attack, the concluded that a prolonged blackout could result in up to 90% of the population perishing from starvation, disease and societal breakdown.

While nations have spent billions developing the technology to overtly detonate EMP devices, highly sophisticated hackers, or malicious partied backed by nation-states are developing the covert skills needed to wreak a similar kind of havoc, with much less fanfare, as seen in the attack on the Ukrainian power grid which has sent a dangerous precedent for future attacks.

Dangerous International Precedents

In the Ukraine, hackers targeted electric control centers, some of which were still not operational two full months after the attack, however, other industrial cyber attacks have focused on riskier forms of energy production and distribution.

industrial cyber threats facing Ukraine

Eastern Ukranian Power Plant Source: IBtimes.com

In August 2012, hackers attacked the Saudi based oil giant Saudi Aramco with the virus Shamoon which infected over 30,000 workstations. While the company acknowledged that none of the infected computers were part of the network directly tied to oil production, operations were interrupted.

This virus is capable of both wiping files and rendering computers on the network unusable which, while not causing direct destruction, can cause severe delays in production and distribution.

Just over two years after the Saudi Aramco hack, South Korea’s nuclear power plants were targeted by malicious parties (most likely North Korean) who were able to leak personal details of over 10,000 Korea Electric workers as well as the manuals for the reactors, electricity flow charts and more.

In Ukraine, Saudi Arabia and South Korea, all attacks have been loosely attributed to retaliatory strikes by state-sponsored hackers (Russian, Iranian and North Korean) which shines light on the growing trend of weaponizing cyber threats to a potentially devastating scale.

Industrial Sized Hacks

Unlike the attack on the Ukrainian power grid, the hacks against Saudi Aramco and Korea Electric did not affect any of the industrial components which control the operational deployment and functioning in the targeted plants.

Industrial Hacks

South Korean Nuclear Power Plant

While the hacks against South Korea and Saudi Aramco appear similar to the unfortunately frequent exploits, breaches and leaks that we have come to recognize on a near weekly basis from some of the most popular websites and services, there may be a darker motive lurking behind their exploits: the search for an entry point to the networks that do control the critical industrial firmware.

Energy Sector Flaws

While many find comfort in knowing that the networks controlling components of critical energy infrastructure are isolated or air gapped from unsecured public or local area networks, there are still attack vectors which malicious parties can use to get inside industrial networks to wreak havoc.

Threats to industrial infrastructure include the risks brought on by the use of legacy systems which, to update, would cause severe downtime. Additionally, application and network vulnerabilities also exist which are a result of the emerging market status of cybersecurity in critical infrastructure as many manufacturers only had to focus on ensuring that their industrial systems were reliant.

Now these manufacturers must also ensure that the firmware running on their physical components is also secure.  

How Can Researchers (and Hackers) Locate Attack Vectors for Industrial Cyber Threats?

Anyone who wants to either research potential vulnerabilities or find exposed attack vectors in the industrial world has a significant amount of work to do. The complexities that pave the way into the physical components that control power grids, energy production facilities and energy distribution systems are numerous and mostly out of the reach of “script kiddies” and other attention-seeking nuisance hackers.

The knowledge needed of both the physical and cyber components that make up the targeted asset as a whole is immense, but not out of the reach of state-sponsored groups, expert “patriotic hackers” or international criminal consortiums with a high level of sophistication.

When the security researchers at Cyber X took on the challenge of identifying threats in the Allen Bradley Micrologix (an industrial network communication device), they began by downloading the firmware from the vendor’s website in order to markup threats and look into the protocols which would show them where the interfaces are as well as the shared functionalities within the firmware itself.

They used a profiling algorithm to map out functions and identify patterns where the buffers and strings were not limited. Once they suspected a vulnerability existed in the immense amount of code, they needed to test their theory in order to confirm the vendor that the risk that they found is actually executable.

To accomplish this, they first needed to reverse engineer the firmware and then upload it to a target device in order to properly confirm that a vulnerability existed. This lengthy process is described in detail by the CEO of Cyber X in this video.

Once confirmed, they exercised responsible disclosure and warned the vendor as well as the Department of Homeland Security (DHS).

WATCH:  Cyber X CEO Omer Schneider describe in detail the research that led up to validating both industrial CVE’s

In this case, their tests were successful and they found two high risk vulnerabilities which existed in a physical component which was in use at thousands of sites around the world wide.

The vulnerabilities, listed below, that they found in this industrial device, are now listed on the United State’s National Vulnerability Database.

CVE – 2015-6490 RCE (remote code execution)

CVE – 2015-6492 DOS (denial of service)

These vulnerabilities, when maliciously executed, could have a devastating impact on the systems that are dependent on the affected controller to function.


Securing your Source Code

The networks that control industrial networks are much less isolated than we think. While they are disconnected from insecure public networks and local area networks, gateways exist for vendors to provide maintenance which firewalls and one directional diodes won’t stop full access to and these gateways may include security risks that could jeopardize operations.

As more and more vendors and government agencies push faster towards a connected world, more and more attack vectors will be introduced to the critical components, such as the energy sector, which keep our countries, and economies, functioning.

Along with this inevitable connectivity comes the introduction of application layers which increase the threat landscape. Using a source code analysis tool to ensure that the applications which provide access to critical infrastructure components, such as those in the energy sector, are vulnerability free in the earliest stages of the development cycle will help ensure that your code is secure, even before it is compiled.

jumping 1

Explore the zero-day vulnerabilities found in the industrial world as discovered by CyberX by watching This webinar .

The following two tabs change content below.

Paul Curran

Content Specialist at Checkmarx
With a background in mobile applications, Paul brings a passion for creativity reporting on application security trends, news and security issues facing developers, organizations and end users to Checkmarx's content.

Latest posts by Paul Curran (see all)

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.