Snapshots of Energy Industry
NATIONAL POWER GRIDS AND ENERGY SECTOR TARGETS ARE UNDER THREAT DURING THE ON-GOING GEOPOLITICAL TENSIONS
The New York Times (NYT) reported in June 2019 that the United States had installed malware in Russia's power grid as a warning and as a demonstration of US capability and willingness to conduct more aggressive cyberattacks. Russia, in turn, said that it had detected and repelled cyberattacks originating from the United States. #1, #2
These operations, and the statements surrounding them, reflect global politics. By publicizing the US penetration of the Russian electricity grid, the US is trying to establish a cyber deterrent loosely resembling the mutual assured destruction of the nuclear age: any attack on American targets, such as elections, may lead to a counterattack against the Russian electric grid. Such an attack could also be used asymmetrically, for example as a response to a kinetic attack against the US or its allies.
Moreover, making such information public also sends the message that Russia is not safe, even as it tries to build the ability to detach itself from the worldwide internet at will. Lastly, the greater openness about cyber capabilities can be traced back to the recent change in American cyber posture, with the US becoming more proactive in the domain. #3
It is also worth keeping in mind that similar activities against the US power grid have been reported by the US intelligence community for years, most recently in January 2019 in the Office of the Director of National Intelligence's (ODNI) Worldwide Threat Assessment of the US Intelligence Community. #4
The threat is not an illusory one, as Sandworm, an actor linked to the Russian state, clearly demonstrated in Ukraine in December 2015 and again in December 2016, when its attacks caused power outages. #5
Heightening the risk in 2020, Iran has also demonstrated cyberattacks against critical infrastructure and energy sector targets, including the use of wiper malware. The recent killing of Maj. Gen. Qassem Soleimani might embolden Iran to act more aggressively in the cyber domain against Americans and their allies, for example by launching disruptive and destructive attacks, with the potential for unanticipated second and third order effects. #6 These developments were also reflected in the latest CISA Insights bulletin from the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA), which covered the Iranian threat profile together with risk mitigation measures. #7, #8
RANSOMWARE ATTACKS CONTINUE TO THREATEN THE ENERGY SECTOR AS WELL
Ransomware attacks continued worldwide and also affected critical infrastructure such as electricity distribution. In Johannesburg, South Africa, ransomware that hit the systems of the municipal utility City Power in July 2019 caused power distribution problems and regional outages. The affected systems included those through which customers buy prepaid electricity and those used to respond to regional distribution faults. The company estimated in July that up to a quarter of a million people in the Johannesburg area may have been affected by the information system problems linked to the attack. #9, #10
IN ADDITION TO EXTERNAL AND INTERNAL THREATS, NUCLEAR POWER PLANTS ALSO SUFFER FROM POOR SECURITY CULTURE
In September 2019, India's Russian-built Kudankulam Nuclear Power Plant (KNPP) was infected with malware. The infection was confirmed by the plant's operator, Nuclear Power Corporation of India Ltd (NPCIL). KNPP was built by Atomstroyexport, which is owned by the Russian state nuclear company Rosatom; Rosatom has also been selected to deliver a nuclear power plant for the Finnish power company Fennovoima.
According to NPCIL, the malicious program only infected its administrative network and did not reach the critical internal network used to control the plant's reactors. NPCIL said the two networks were isolated, in other words air-gapped. #11, #12 According to some sources, the malware used in this tailored attack was Dtrack, which has been linked to the North Korean Lazarus group. Dtrack has usually been seen in politically motivated cyber-espionage operations and in attacks on financial institutions, including ones in India.
Reports suggest that large amounts of data were transferred out of the plant's administrative network. Such data could serve numerous purposes, including intelligence on the plant's design, intellectual property theft, or the planning of further attacks. A political motive cannot be ruled out either, as the attack could have been carried out on behalf of India's regional rival, Pakistan.
Malware attacks on nuclear power plants are always serious, and the fact that KNPP is a new plant adds to the significance of this one. A further worrying aspect was the outdated belief, implicit in the Indian authorities' press releases, that network isolation by air gapping is protective in itself. In practice an air gap is only as good as the discipline around it: removable media, maintenance laptops, dual-homed hosts and temporary connections bridge it routinely, and it has proven insufficient on its own against targeted attacks by state-linked actors.
In a separate incident involving a nuclear power plant, employees of the South Ukraine Nuclear Power Plant in July 2019 connected part of the plant's internal network to the public internet in order to mine cryptocurrency. #13 Connecting an internal network to a public one may have endangered the plant's security, even though the critical industrial network was apparently not affected. The Ukrainian security service, SBU, nevertheless investigated the incident for a possible leak of information. The case shows how an individual employee, the so-called insider risk, can pose a high risk to a state's critical infrastructure.
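The two incidents above share a failure mode: a segment that is believed to be isolated is quietly bridged to another network, whether by a dual-homed engineering workstation, a stray static route, or a deliberate insider connection. One practical check is to audit the route tables of every host in the isolated segment against the segment's known address space and flag anything that points outside it. The script below is an added example written for this page, not code from NPCIL, the SBU or any source cited here; the hostnames, the allowed 10.10.0.0/16 range and the `ip route` snapshots are constructed for illustration.

```python
"""Audit route-table snapshots of hosts in a supposedly isolated network segment.

Added example for this page; not code from any organisation mentioned in the
article. Assumes `ip route` output from each host has been collected centrally
(for example by an inventory job) and that the segment's legitimate address
space is known. Hostnames, address ranges and snapshots below are constructed.
"""
import ipaddress
import re

# Address space the isolated segment is allowed to reach (assumed for the example).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed `ip route` snapshots, keyed by hostname.
SNAPSHOTS = {
    # Clean host: every route and address stays inside the segment.
    "hmi-01": (
        "10.10.1.0/24 dev eth0 proto kernel scope link src 10.10.1.15\n"
        "10.10.2.0/24 via 10.10.1.1 dev eth0\n"
    ),
    # Dual-homed engineering workstation with a default route out via Wi-Fi.
    "eng-ws-07": (
        "default via 192.168.50.1 dev wlan0\n"
        "10.10.1.0/24 dev eth0 proto kernel scope link src 10.10.1.42\n"
        "192.168.50.0/24 dev wlan0 proto kernel scope link src 192.168.50.23\n"
    ),
    # Historian with a static route to a network the segment should not reach.
    "hist-02": (
        "10.10.1.0/24 dev eth0 proto kernel scope link src 10.10.1.20\n"
        "172.16.0.0/12 via 10.10.1.254 dev eth0\n"
    ),
}

# Matches the common `ip route` line shape: <dst> [via <gw>] dev <if> [... src <addr>]
ROUTE_RE = re.compile(
    r"^(?P<dst>default|\S+)"
    r"(?:\s+via\s+(?P<via>\S+))?"
    r"\s+dev\s+(?P<dev>\S+)"
    r"(?:.*?\bsrc\s+(?P<src>\S+))?"
)


def parse_routes(text):
    """Return a list of dicts (dst, via, dev, src) for each recognised route line."""
    routes = []
    for line in text.splitlines():
        match = ROUTE_RE.match(line.strip())
        if match:
            routes.append(match.groupdict())
    return routes


def is_allowed(addr_or_net):
    """True if the address or prefix lies entirely inside the allowed segment."""
    net = ipaddress.ip_network(addr_or_net, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in ALLOWED_NETWORKS)


def audit_host(hostname, snapshot):
    """Return human-readable findings for one host's route table."""
    findings = []
    for r in parse_routes(snapshot):
        if r["dst"] == "default":
            # Any default route is a path out of the segment, whatever the next hop.
            findings.append(f"{hostname}: default route via {r['via'] or 'link'} on "
                            f"{r['dev']} (path out of the segment)")
            continue
        if not is_allowed(r["dst"]):
            findings.append(f"{hostname}: route to {r['dst']} outside the segment")
        if r["via"] and not is_allowed(r["via"]):
            findings.append(f"{hostname}: next hop {r['via']} outside the segment")
        if r["src"] and not is_allowed(r["src"]):
            findings.append(f"{hostname}: interface {r['dev']} has address {r['src']} "
                            "outside the segment (dual-homed host)")
    return findings


def audit_all(snapshots=SNAPSHOTS):
    """Map hostname -> findings for every host that has at least one finding."""
    report = {}
    for hostname, snapshot in snapshots.items():
        findings = audit_host(hostname, snapshot)
        if findings:
            report[hostname] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit_all().items():
        for finding in findings:
            print(finding)
```

Run against real inventory data, any default route or foreign interface address on a host in the segment is a finding to chase, not a statistic. The check covers only what the hosts themselves report; it should sit alongside switch port and MAC inventory and controls on removable media, since an air gap bridged by a USB stick leaves no route-table trace.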
The United States and the Baltic States have agreed to co-operate in protecting the Baltic energy grid from network attacks during the upcoming decoupling and desynchronization of the Baltic grid from Russia's electricity network. #14 Estonia, Latvia and Lithuania have been members of NATO and the European Union since 2004, but for historical reasons their grids are still synchronized with the Russian electricity network. The three countries plan to integrate into the European energy network by 2025. Lithuania confirmed that it is specifically looking for US technology companies to renew its energy systems and to help fend off possible cyberattacks.
The Baltic countries are working together to seek strategic and technical support for strengthening both their energy networks and their cyber security. It is also a matter of political decision-making, of strengthening NATO cooperation, and of the US foothold in the Baltic Sea region. It is in the interest of the US to strengthen its role in critical infrastructure in Europe, and particularly in the Baltic States. The collaboration can also be viewed in the context of maintaining a US forward presence in the Baltics, which helps the US obtain more information on, and a better understanding of, Russia. #15
The collaboration is also important for the EU. Integrating the Baltic electricity network into the EU-wide grid will unify the EU grid by removing the Baltic energy island. Furthermore, the co-operation and the US presence in the region will partly help secure the Baltic Sea submarine cables and provide additional security for other parts of the region's critical infrastructure, such as communications. US cooperation with the Baltic countries is also likely to strengthen the cybersecurity of the wider European energy networks.
1. The current geopolitical tensions are increasingly visible in the cyber domain as well.
Global superpowers, and smaller powers trying to punch above their weight, are actively trying to secure their dominance and foothold in the cyber domain. Maintaining persistent access to foreign critical infrastructure is seen as one way of influencing an adversary's risk calculations and deterring it from making drastic moves. At the same time, defending one's own infrastructure plays an increasingly important role and demands wide co-operation between countries, and between governments and the private sector.
2. Second and third order effects of attacks, ransomware attacks included, may be surprising.
Malfunctioning payment and procurement systems may, for example, cause regional blackouts even when core systems such as production and distribution controls remain intact and functional. Similarly, attacks against financial systems or logistics controls may have systemic ripple effects across the globe, as the NotPetya case also showed.
3. Critical infrastructure protection continues to be plagued by old-fashioned security thinking, poor security culture and poor cyber hygiene.
Unfortunately, this also includes high-value critical installations such as nuclear power plants. Adversary access to the non-critical parts of an installation may also open the way to the critical parts, either through sophisticated attack techniques or through simple mistakes and shortcuts in network design and operation.
Text: Pasi Eronen, international security analyst and consultant
1. https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html
2. https://www.nytimes.com/2019/06/17/world/europe/russia-us-cyberwar-grid.html
3. https://www.cpomagazine.com/cyber-security/us-cybercommand-signals-more-aggressive-approach-involving-persistent-engagement-ahead-of-2020-election/
4. https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf
5. https://www.wired.com/story/russian-hackers-attack-ukraine/
6. https://www.fifthdomain.com/civilian/dhs/2020/01/03/theyre-going-to-want-bloodshed-5-ways-iran-could-retaliate-in-cyberspace/
7. https://www.fifthdomain.com/civilian/dhs/2020/01/07/dhs-cyber-agency-releases-advisory-on-iranian-threats/
8. https://www.cisa.gov/sites/default/files/publications/CISA-Insights-Increased-Geopolitical-Tensions-and-Threats-S508C.pdf
9. https://www.bbc.com/news/technology-49125853
10. https://www.zdnet.com/article/ransomware-incident-leaves-some-johannesburg-residents-without-electricity/
11. https://www.washingtonpost.com/politics/2019/11/04/an-indian-nuclear-power-plant-suffered-cyberattack-heres-what-you-need-know/
12. https://www.economist.com/asia/2019/11/01/a-cyber-attack-on-an-indian-nuclear-plant-raises-worrying-questions
13. https://www.zdnet.com/article/employees-connect-nuclear-plant-to-the-internet-so-they-can-mine-cryptocurrency/
14. https://www.cyberscoop.com/us-baltic-states-grid-cybersecurity-agreement/
15. https://www.fifthdomain.com/dod/2019/11/11/two-years-in-how-has-a-new-strategy-changed-cyber-operations/