MY TAKE: Rising hacks on energy plants suggest ongoing global cyber war has commenced

By Byron V. Acohido

We all fret over the smorgasbord of cultural and geopolitical controversies complicating our daily lives. That being the case, not enough public attention is being paid to the increasingly plausible scenario of an ongoing global cyber war.

I say this because in recent months there has been a series of public disclosures about progressively more sophisticated hacks into power plants and other critical infrastructure. These intrusions clearly are nation-state sponsored, as they require significant resources to orchestrate, and there is no clear financial motivation behind them.

Related podcast: How Russia’s election meddling relates to plant hacks

And one more important thing: each of the power plant hacks we know about to date seem to be mainly about testing weak points, probing for footholds and generally maneuvering to get the strategic upper hand against a rival nation-state.

The ‘Triton’ hack is a case in point, disclosed on Dec. 14 by security vendor FireEye, a global security company with an extensive threat intelligence team (obtained via its acquisition of Mandiant) and a long history of tracking nation-state cyber groups.

Hackers caused an operational outage at a critical infrastructure site by deploying a new form of sophisticated malware. They were able to stealthily – for a while at least — take control of the plant’s Schneider Electric Triconex Safety Instrumented System (SIS). Such systems are used to automatically shut down industrial processes when operating parameters approach a dangerous state.

Inadvertent hack

Notably, it now appears that the Triton hackers inadvertently triggered the plant’s SIS system in what may have been a botched cyber reconnaissance operation, says Phil Neray, vice-president of industrial cybersecurity at a Boston-based startup called CyberX, which has deployed its network security monitoring and vulnerability management systems across hundreds of OT networks worldwide.

CyberX says the malware was used to target a facility in Saudi Arabia. “It’s widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and more recently in 2017 with Shamoon, which destroyed ordinary corporate PCs. This would definitely be an escalation of that threat because now we’re talking about critical infrastructure — but it’s also a logical next step for the adversary,” Neray told Last Watchdog.

Stuxnet and more recently Industroyer, which was used in the 2016 Ukrainian grid attack, showed that modern industrial malware can be used to reprogram and manipulate critical devices such as industrial controllers, and Triton appears to be simply an evolution of those approaches.”

CyberX threat intelligence analysts have scrutinized the malware, leading them to conclude that the hackers seem to have made a coding mistake which inadvertently triggered the safety system to shut down the plant, Neray told Last Watchdog.

Neray surmises that the hackers’ true goal may have been to fully control the safety system, so as to override it, at will, at some point in the future. That would have put the hackers in position to cause physical damage to the plant itself — as well as environmental damage and even fatalities — if and when they chose to do so.

Cyber cold war

This is precisely the type of reconnaissance activity one would expect from rival nations maneuvering to ensure they get the upper hand in a cyber Cold War campaign. And 2017 was a year full of such activity. Thanks to Washington Post reporter Ellen Nakashima, we learned last June how Russian hackers succeeded in accessing the corporate IT networks of U.S. nuclear power and other energy companies, prompting the FBI and the Department of Homeland Security to issue a joint alert.

Based on previous examples such as the Ukrainian grid attacks of 2015 and 2016 — widely-believed to have been orchestrated by the Russian-backed hacking group called Sandworm — compromising the IT network is usually the first step in gaining access to the Operational Technology (OT) network. OT networks are comprised of Supervisory Control and Data Acquisition (SCADA) systems and industrial control systems (ICS) that control large-scale physical processes such as generators, pumps, and fuel storage tanks. In comparison, IT or Informational Technology networks consist of traditional information systems such as web, email and database servers.

In September, Symantec issued a report describing another Russian campaign, dubbed Dragonfly 2.0, targeting some 20 energy companies in the US and Europe; in a few instances, Symantec reported, the attackers secured access deep enough inside OT networks to be in a position to switch off circuit breakers.


“There’s a difference between being a step away from conducting sabotage and actually being in a position to conduct sabotage … being able to flip the switch on power generation,” Symantec security analyst Eric Chien told Wired magazine. “We’re now talking about on-the-ground technical evidence this could happen in the US, and there’s nothing left standing in the way except the motivation of some actor out in the world.”

The Symantec report reinforced an earlier report from Cisco’s Talos research unit about a phishing campaign targeting the energy sector, including nuclear plants. One likely objective was to harvest administrative credentials of privileged users such as control engineers, who have trusted access to OT networks in critical infrastructure and manufacturing organizations. A successful targeted phishing campaigns puts the hacker in position to “pivot from the IT network to the OT network, using a control engineer’s VPN connection for which they now have the credentials,” Neray says.

And Russia and Iran aren’t the only nation-states targeting critical infrastructure. About a month after Symantec’s Dragonfly disclosures, NBC News’ broke a story linking North Korea to spear phishing attempts targeting the control networks of U.S. electric power companies.

Security by obscurity

In preparing for cyber warfare, it makes perfect sense for the chief combatants to focus on disrupting the other guy’s critical infrastructure environments. In fact, it appears that our OT networks have come under cyberattack for many years. In 2014, for example, the DHS published an alert asserting that attackers have compromised our ICS environments with sophisticated malware, such as BlackEnergy, since at least 2011.


Keep in mind that OT systems, by and large, were set up during an era in which OT networks were physically separated – known as being ‘air-gapped’ — from corporate IT networks and from the Internet. This reduced the risk of compromise by external attackers. Additionally, for many years organizations believed that OT networks were essentially protected by their inherent complexity — sometimes referred to as “security by obscurity” — stemming from their use of non-standard protocols (MODBUS, etc.) and proprietary embedded devices such as Programmable Logic Controllers (PLCs) and Distributed Control Systems (DCSs).

Then came the emergence of the Industrial Internet of Things (IIoT) and the need to collect real-time intelligence from production operations and Smart Machines. This has resulted in the convergence of IT and OT networks — and evaporation of the air-gap, says Neray. But he adds that “the air-gap was probably always a myth because engineers have always needed an easy and convenient way to remotely control OT systems without leaving their offices.”

And regarding “security by obscurity,” technical information about OT systems is easily available on the Internet, and OT devices can readily be purchased on eBay for testing purposes. In fact, in a recent New York Times article about the recruitment of Iranian hackers, we learned that asking candidates about their knowledge of SCADA systems is now a standard part of the Iranians’ interviewing process.

Long strange trip

The profoundly hackable state of industrial controls has been under heated discussion for at least a decade in cybersecurity circles. It’s a topic I’ve run into at RSA, Black Hat and other industry events I’ve attended over the years. A good example is a panel discussion I sat through in 2014 at a Kaspersky conference in Punta Cana at which a penetration tester named Billy Rios gave an eye-opening demonstration of how easy it was for him to compromise airport security OT systems.

Yet, improving the general state of OT security has not seemed to rise above technical and theoretical discussions, for whatever reasons. And skepticism still pervades. I did not fully understand why this is so, until Paul Myer, co-founder and CEO of Veracity Industrial Systems, recently shared his view.

Myer observed: “The first thing on the list of the industrial asset owners is the need to keep producing widgets. The secondary focus is safety. The third thing they think about is operational efficiency. And a distant fourth is security. It’s still not high on their list.”

So what’s it going to take to make locking down industrial controls a higher priority? Are we doomed to leave the ultimate outcome entirely in the hands of nation-state hacking collectives, and just hope our guys best their guys?

Hopefully not. The good news is that the market is responding. Entrepreneurs and venture capitalist are moving to deliver cost-effective solutions, using new technologies such as Network Traffic Analysis (NTA) and machine learning to improve their efficacy.

Startups like CyberX, Veracity, and Tempered Networks are hustling and competing against established players branching into this field, including Cisco, Palo Alto Networks, and FireEye. This is a good sign that things will improve. I’ll keep reporting on the progress.

(Editor’s note: Last Watchdog has supplied consulting services to CyberX.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone