A recent Radware report on application and network security has revealed that the power generation industry has finally come to acknowledge the increased risk that cyber threats pose to service delivery.
Critical infrastructure is arguably one of the biggest areas of concern in cyber security today, because of the absolute control that can fall into an attacker’s hands.
The report cites the ‘Energetic Bear’ malware incident, exposed in July 2014, where over 1,000 energy firms globally were infected with malware that gave hackers access to power plant control systems. The malware allowed its operators to monitor energy consumption in real time and to cripple physical systems such as wind turbines, gas pipelines and power plants at the click of a mouse.
The attack is believed to have compromised the computer systems of more than 2,000 organisations in 84 countries over a period of 18 months. Symantec reported that the targets were energy grid operators, major electricity generation firms, petroleum pipeline operators and energy industry industrial equipment providers. The majority of victims were located in the United States, Spain, France, Italy, Germany, Turkey and Poland.
The attackers initially targeted defence and aviation companies in the US and Canada before shifting their focus mainly to US and European energy firms in early 2013.
The motive for these infiltrations seems to have been espionage. Symantec reported that spear-phishing and waterholing attacks were the initial route to infection, as well as compromised SCADA software updates.
The Radware report lists other threats that have already affected critical infrastructure around the world, such as Stuxnet, Night Dragon, Shamoon and Dragonfly.
If utilities organisations were targeted on such a scale, with such far-reaching implications, one has to wonder how easy it is for an average utilities company to fall victim to such an attack. Hacktivists may disagree with the company’s methods of power generation, or the company could be part of a greater campaign to exploit a nation’s power grid infrastructure.
Following the Energetic Bear incident, the Guardian reported that “It seems inevitable that this type of threat will rise. Just because these are specialised systems that need a high degree of skill to attack, does not mean well organised groups are not going to invest the effort in disrupting such critical resources as power generation or transmission.”
Incidents like these highlight the critical importance of cyber security employee awareness programmes, in addition to performing sufficient due diligence on the security controls of vendors and software suppliers.
The report states: “The threats are real. The challenges are complex. But the klaxon is sounding— and we must take meaningful action to avoid catastrophes.”
A risk assessment regime that focuses on people, process and technology is imperative for cyber security. vsRisk provides an effective solution for automating the risk assessment process, enabling compliance with the international information security standard, ISO27001.