Both customers and regulators of energy and utilities firms demand a reliable, resilient service from suppliers. That means utilities must take special efforts to mitigate the impact of any IT outages, engineering challenges, bad weather and natural disasters. To this list we can now add cyber threats. A surge in reconnaissance attacks in recent years could be a potent warning of disruption to come.
Fortunately, there are things your organization can do to minimize the threat, starting with identifying risks at an early stage through advanced threat intelligence.
What are reconnaissance attacks?
A popular way to describe typical advanced persistent threat (APT) attack methodologies is the cyber kill chain. There are seven key stages:
- Reconnaissance: Initial harvesting of information on the potential victim.
- Weaponization: Combining an exploit with backdoor malware in a deliverable payload.
- Delivery: Ensuring the payload arrives in the victim's network via email, USB and so on.
- Exploitation: Exploiting a vulnerability to run code on the victim's system.
- Installation: Installing malware on a key asset.
- Command and control: Opening a communications channel to remotely control malware.
- Actions and objectives: Accomplishing the original goals of the attack, such as a power grid hack.
Reconnaissance is, therefore, the first in a multi-stage attack aimed at gathering information on the target system's weaknesses to ensure the best chance of success. The end goal could be anything from installing ransomware to stealing sensitive data or hijacking and sabotaging key assets. It's the cyber equivalent of a burglar scoping out which properties to rob.
Active versus passive reconnaissance
Reconnaissance attacks can be further broken down into two key types: active and passive attacks.
Active reconnaissance is the quicker and more direct option, although it also exposes the attacker to potential discovery. They will usually attempt to map your network, identify hosts and services, and conduct a port scan, typically using the powerful scanning tool Nmap. Any vulnerable services associated with open ports may be exploited during this process to clear an attack path into your network.
Passive reconnaissance is intended to provide useful information on your networks, hosts, security policies and employees without setting off any alarms. If active reconnaissance involves trying to open any virtual windows or doors, passive reconnaissance is about observing from a safe distance. This could be achieved by investigating source HTML files on your public-facing website and information on employees' social media sites or by searching public online records. They may even try to impersonate an authorized user by hijacking employee accounts.
Why are utilities at risk?
Verizon's 2020-2021 Cyber-Espionage Report highlights the utilities sector as one of the most frequently targeted by attackers. As a percentage of total cyber attacks, there were more breaches of confidential data (23%) here than virtually any other vertical over the past seven years.
According to McKinsey, energy companies are at risk across the whole value chain, from power grid generation and transmission to distribution and customer networks. It suggests three reasons why the sector is vulnerable:
- An increased number of threats and actors—ranging from financially motivated cyber criminals to nation-states.
- An ever-expanding corporate attack surface that includes operational technology (OT) as well as information technology (IT) systems spread across a large geographic area.
- The convergence of physical and cyber systems, which means that global attackers can use code to sabotage facilities.
In the real world
Unfortunately, these are no longer theoretical threats. A 2019 study of global utility professionals warned that over half (56%) had experienced at least one shutdown or data loss incident in the previous year, and 25% had been impacted by nation-state reconnaissance attacks. There are many more specific cases.
In December 2015, for example, power to 230,000 customers in Ukraine was interrupted for hours after a sophisticated attack following months of reconnaissance. The electric grid was also disrupted in 2016 and 2017 by the same state-backed attackers.
The US government issued an alert in 2018 warning of Russian reconnaissance attacks on the energy, water and other sectors since at least 2016. They performed detailed reconnaissance aimed at obtaining "network and organizational design and control system capabilities." This was done by compromising third-party suppliers and obtaining sensitive information from company websites.
The North American Electric Reliability Corporation warned in 2019 that notorious Russian threat group Xenotime had begun targeting the sector with reconnaissance attacks. It has been described as the most dangerous such group in the world due to its destructive attack capabilities and intent.
How can utilities better defend themselves?
The financial impact of COVID-19 is currently a top concern for the power grid and utilities industry. This makes it more important than ever that the sector be able to detect and snuff out potentially costly cyber attacks at the earliest possible stage.
Fortunately, there are various tools and tactics at your disposal to help reduce risk in this area. These include:
- Reviewing information publicly available via your website and other online resources to minimize accidental data exposure.
- Educating employees to minimize sharing of personal information online, be alert to phishing attacks and manage passwords securely.
- Rolling out multi-factor authentication to reduce the risk of account hijacking.
- Mapping all your network-connected devices, ensuring appropriate security controls are applied and disabling any not in use.
- Disabling any high-risk services and closing ports where appropriate.
- Conducting red team exercises to test detection and response capabilities.
- Conducting regular pen testing to find security gaps and patch any vulnerabilities.
- Considering firewalls and intrusion prevention systems to detect and block port scans.