Security Experts:

Protecting Critical Infrastructure When a Dragonfly Beats its Wings

The Threat of Cyberattacks on Power Networks is Real, But We Have the Ability to Build Defenses That Minimize The Disruption to Services

News that a sophisticated and long-established cyber espionage group may have the ability to infiltrate and do serious harm to critical energy supply infrastructure doesn’t come as a complete surprise. It does, however, provide an opportunity to reflect on how such systems are protected and what we as an industry can do better in the future.

Anyone who works in security quickly gets used to the dilemma at the heart of what we do. It’s vital for us to communicate openly, clearly and with transparency about the threats faced in today’s networked world. Yet all too often, we run the risk of creating an unnecessary public panic which still doesn’t have the required effect of motivating those responsible for protecting critical systems into following good security practice.

The recent revelations were published by researchers at Symantec and concern a cyber-attack group known as Dragonfly. They found that over a two-year period Dragonfly-affiliated hackers have been stepping up their attempts to compromise energy industry infrastructure, notably in the US, Turkey and Switzerland. The Symantec researchers found that the behavior of the Dragonfly group suggests they may not be state-sponsored, but that they have been conducting many exploratory attacks in order to determine how power supply systems work and what could be compromised and controlled as a result.

Dragonfly, it is believed, has been operating on and off since 2011. This recent report is just one among many cautioning infrastructure providers that industrial control systems are targets for attack by many different actors. Similar warnings that power stations and energy supply chains may have been compromised have been issued in the past by the US Department of Homeland Security, the FBI, the UK’s intelligence centre GCHQ, and the Dutch National Cyber Security Centre.

An obvious target

This shouldn’t come as a shock. Even the most innocuous web server will face dozens, if not hundreds, of attacks every day. Industrial control systems and critical national infrastructure have always been prime targets. Everyone from bedroom hackers to state-sponsored spies has wanted to breach critical systems since the dawn of the networked era, whether for monetary gain, secret information, or pure curiosity.

What’s important in the Symantec report is not that energy systems are under attack, but that the methods detected – email phishing, Trojan malware and watering hole websites – are all well understood and can be mitigated.

Symantec was keen to point out that it has already integrated protections from the known Dragonfly attack methods into its software. Even so, it would be foolish to underestimate Dragonfly. It’s clearly a sophisticated group with a clear purpose, and while Dragonfly’s primary mechanisms at present appear to be based on social engineering, there are plenty of other state and non-state sponsored groups who have yet more sophisticated tools at their disposal.

What’s more, the industrial internet of things (IIoT) continues to expand and our power infrastructure is diversifying to include smart grids and new, decentralised generation and transmission technologies. These may be beyond the control of traditional energy companies, but are still connected to their networks, introducing many more potential points of weakness to protect. We already know that there are many hundreds of thousands of consumer devices out there that are poorly secured against malware such as Mirai and its successors. The risk is that the same weaknesses may be unwittingly introduced to critical infrastructures.

This goes beyond issues within the energy industry, too: similar problems face almost all industrial control system environments. The lesson for those protecting industrial infrastructure, then, is not that power stations are at risk. It’s that a complex environment is likely to become even more difficult to protect, and there must be renewed focus on in-depth defences and “secure by design” practice.

This starts, of course, with end-user education. Dragonfly has proved itself very effective at spear-phishing credentials via email, for example, and using them to access servers. It’s important for security specialists to work ever more closely with organizations to implement good, basic practice at every level. Together, infrastructure providers and their security partners must make awareness of the dangers of such attacks part of a positive, proactive company culture, and not an onerous checklist for already over-burdened employees.

As much as we’d like to live in a world where no-one clicks on the wrong email, the reality is that someone always does, and someone always will. That said, end-user education can only go so far, and must be reinforced with layered defense in-depth.

Building our defenses

What does defense in-depth mean for the power supply industry? For a start, more work needs to be done to convince utility companies that security spending must be an absolute business priority. Proactive regimes that include regular retraining and offensive exercises, such as penetration testing and “red teaming”, require ongoing investment and a commitment at all levels, but are essential to keeping defenses honed.

On a practical level, it should be a given for even the smallest business in this day and age that application and client software is regularly patched and up-to-date, but as recent ransomware outbreaks have shown, this is not something we can take for granted.

For power companies, the challenge isn’t just the rapid deployment of desktop and server security patches: there are myriad field devices and control systems that need protecting too, and these require careful consideration. The update-and-patch ethos applies just as it does in the server world, but many of the MTUs, RTUs and IEDs (master terminal units, remote terminal units and intelligent electronic devices) may be legacy units for which security was an afterthought. They must be supplemented with intelligence in the network that can spot anomalies and improve the ability to detect new threats and signatureless malware.
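The “intelligence in the network” described above does not have to start with machine learning. Because a control network has a small, stable set of hosts that talk to each field device with a small set of operations, a learned allowlist of who-talks-to-whom, on which port, with which function codes, already catches the interesting deviations: a host that has never been seen before, a known host opening a conversation with a device it never touched, or a host that only ever read from a device suddenly writing to it. The following is an added example and not code from the article or from Applied Risk; the network addresses, host roles and flow records are constructed for illustration, while the Modbus/TCP port and function code numbers are the standard ones.

```python
"""Baseline-and-deviation detection over constructed ICS flow records.

Added example, not from the article or its author. Assumes a Modbus/TCP
network in which a few supervisory hosts poll a few field devices. All
addresses and flow records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since start of capture (constructed)
    src: str     # source IP (HMI, historian, workstation, ...)
    dst: str     # destination IP (the field device)
    dport: int   # TCP destination port; 502 is Modbus/TCP
    func: int    # Modbus function code, e.g. 3 = read holding registers,
                 # 16 = write multiple registers


# Standard Modbus function codes that change device state. A previously
# read-only relationship that starts issuing these deserves a louder alert.
WRITE_FUNCS = {5, 6, 15, 16}


class BaselineDetector:
    """Learn a whitelist from known-good traffic, then flag deviations."""

    def __init__(self):
        self.pairs = set()              # (src, dst, dport) seen in baseline
        self.funcs = defaultdict(set)   # (src, dst) -> function codes seen
        self.talkers = set()            # every host seen in baseline

    def learn(self, flows):
        """Record every conversation and operation in the baseline window."""
        for f in flows:
            self.pairs.add((f.src, f.dst, f.dport))
            self.funcs[(f.src, f.dst)].add(f.func)
            self.talkers.update((f.src, f.dst))

    def check(self, f):
        """Return (ts, kind, detail) alerts for one flow; empty if normal."""
        alerts = []
        if f.src not in self.talkers:
            alerts.append(("new_host", f.src))
        if (f.src, f.dst, f.dport) not in self.pairs:
            alerts.append(("new_conversation", f"{f.src}->{f.dst}:{f.dport}"))
        if f.func not in self.funcs.get((f.src, f.dst), set()):
            kind = "new_write_function" if f.func in WRITE_FUNCS else "new_function"
            alerts.append((kind, f"{f.src}->{f.dst} fc={f.func}"))
        return [(f.ts, kind, detail) for kind, detail in alerts]

    def scan(self, flows):
        """Run check() over a sequence of flows and collect all alerts."""
        out = []
        for f in flows:
            out.extend(self.check(f))
        return out


# Constructed baseline: HMI 10.0.1.10 polls two RTUs, historian 10.0.1.20
# polls one of them. Everything is read-only (function code 3).
BASELINE = [
    Flow(0, "10.0.1.10", "10.0.2.21", 502, 3),
    Flow(1, "10.0.1.10", "10.0.2.22", 502, 3),
    Flow(2, "10.0.1.20", "10.0.2.21", 502, 3),
    Flow(3, "10.0.1.10", "10.0.2.21", 502, 3),
]

# Constructed live traffic: normal polling, then an unknown host writing to
# an RTU, then the HMI itself issuing a write it never issued before.
LIVE = [
    Flow(100, "10.0.1.10", "10.0.2.21", 502, 3),
    Flow(101, "10.0.1.20", "10.0.2.21", 502, 3),
    Flow(102, "10.0.1.50", "10.0.2.22", 502, 16),   # never-seen host, write
    Flow(103, "10.0.1.10", "10.0.2.21", 502, 16),   # known pair, first write
]


def run_demo():
    """Learn from BASELINE, scan LIVE, return the alerts produced."""
    det = BaselineDetector()
    det.learn(BASELINE)
    return det.scan(LIVE)


if __name__ == "__main__":
    for ts, kind, detail in run_demo():
        print(f"t={ts:>4} {kind:<20} {detail}")
```

On the constructed data the unknown workstation produces three alerts for one flow (new host, new conversation, new write function) and the HMI’s first write produces one; the routine polling produces none. In practice the baseline window has to be long enough to cover infrequent legitimate operations such as scheduled setpoint changes, and an alert should drive a ticket and a plant engineer’s review rather than an automatic block, since a false positive that interrupts a control loop is itself a disruption.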

Improving capabilities for prevention and detection of attacks, however, won’t be effective without similar investment in the ability to respond to incidents. This requires the development of specialist forensic skills and knowledge within the ICS and SCADA environment, so that once an incident is detected, it can be quickly identified and neutralised with the least possible disruption to operations. To further minimize disruption, solid plans for business continuity also need to be drawn up and rehearsed.

All of this presents a complex set of challenges that no single organization, or part of an organization, can meet on its own. Internally, clear areas of responsibility and lines of communication between the departments that oversee IT, risk management and operational technology must be drawn up. Externally, better collaboration between partners and peers needs to be established to ensure the right skills are available, and that we are sharing best practice and threat awareness as widely as we can.

None of this should come as a surprise. As the Dragonfly report shows, the threat of cyber-attack on power networks is very real, but we do have the technical abilities and the knowledge to build proactive, preventative policies and tools to reduce risk, mitigate damage and minimize disruption to services. We must act to implement them now.

Jalal Bouhdada is Founder and Principal ICS Security Consultant for Applied Risk. He has over 15 years’ experience in Industrial Control Systems (ICS) security assessment, design and deployment with a focus on Process Control Domain and Industrial IT Security. Jalal has led several engagements for major clients, including many of the top utilities in the world and some of the largest global companies in industry verticals including power generators, electricity transmission providers, water utilities, petrochemical plants and oil refineries. He holds a B.S. degree in Security Assurance from Amsterdam University of Applied Sciences and is an active member of the Industrial Internet Consortium (IIC), ISA99, NEN, CIGRE and other professional societies.