Securing utilities against cyber-attacks and malware in particular is not an easy task
Advanced malware is one of the greatest threats the utility industry will have to face. The World Energy Council recently warned that one of the top threats facing the energy sector is malware, and securing utilities against malware attacks is of critical importance. The utility sector is a compelling target for almost every type of hacker, since it offers multiple points of attack – data, money, access to critical infrastructure, etc. – which can suit several kinds of attack.
Utilities are also more vulnerable because of their size – sprawling office networks, industrial control systems, customer service portals and payment systems – and because of an inherently weak left flank: the ICS environment.
Over the next few years, utility operators will increasingly find themselves targeted by sophisticated attacks, ranging from state-sponsored groups to criminal organizations, “hacktivists” and potentially even terrorists. These groups are likely to utilize advanced malware in these attacks, which can evade detection by standard security tools and pose a wider range of risks to a utility than many are prepared for.
There are four specific categories that utility operators should anticipate:
* Backdoor malware
* Banking Trojans
* Ransomware
* Wipers
Securing utilities against Malware is a challenge. The goal of many sophisticated hackers, from nation-state teams to organized crime, is to gain remote access to the computer network, while remaining undetected. This is especially true for the energy sector, and utilities in particular.
Hackers often establish these “backdoors” into a company’s network through the use of special malware, such as “remote access Trojans” (RATs) and “botnets.”
By establishing a backdoor into a utility’s corporate or ICS network, a hacker is able to do almost anything he wants – from stealing data to monitoring activities, controlling parts of the network, spreading new malware inside the company and interfering with critical operations. That means if any device on the utility’s network is backdoored, the entire organization is at risk. RATs and botnet malware are spread through phishing emails, infected websites, peer-to-peer networks and portable media like thumb drives.
A banking Trojan is a type of malware that has been traditionally used to hijack bank accounts, typically by stealing the user’s login credentials as they access the online account.
Cybercriminals have been repurposing popular banking Trojans to steal other types of online credentials, in order to gain remote access to various companies, including the energy sector. Hackers have been using the “Citadel” banking Trojan to target webmail and remote access systems of petrochemical plants in the Middle East. Banking Trojans pose a substantial risk to utility operators because this malware is extremely advanced, with numerous capabilities to steal data and enable remote access into sensitive systems. They can also gain full control over machines and access operational systems.
This malware is often spread through phishing emails and infected websites. However, hackers also use previously established backdoors (RATs and botnets mentioned above) to download banking Trojans directly into the network.
One of the most significant malware threats that has emerged in recent years is “ransomware.” Ransomware is spreading rapidly across all industries. Ransomware is a type of malware that is able to encrypt data files or make computers inoperable by denying access to certain functions. The end result in either case is that a utility will no longer be able to function normally. Hackers hold these files or machines hostage until the victim pays a ransom – which could range from tens of thousands to millions of dollars.
This malware spreads rapidly across a network once it has infected a single workstation, which makes it challenging to control. Like banking Trojans, ransomware is typically spread via phishing emails, infected websites and RATs/botnets. However, it can also be spread through separate attacks on vulnerable web servers.
Wipers are designed for the specific purpose of erasing data or functions from a computer. They have been around for some time; originally they were used predominantly for anti-forensic purposes by hackers, such as concealing an active attack or destroying evidence afterward. However, hackers are now using wiper malware more aggressively, and several highly advanced wiper malware families are known to exist in the wild.
Utility operations could be severely impacted by a successful wiper attack. It could disable critical systems – from Windows-based networks to the ICS environment – leading to loss of control over key processes and potentially even a physical shut down. Wipers are spread in much the same way as the other malware types mentioned above; however, they may also be built into the payload of a larger malware package, and not activated until weeks, months or years after the initial infection.
In securing utilities, what is most important for utility operators to realize is that advanced malware defense consists of two equal parts: prevention and post-infection damage control.
Given the growing sophistication of malware and the groups using it, utilities should not bet on being able to block these infections every time.
Step one: Establish the strongest perimeter defense possible. This includes making sure that all computers, servers and other devices (even printers and IoT devices) are fully updated with the latest software, firmware, operating systems and security patches. A strong firewall and anti-virus program are both essential.
Step two: Segmentation. This will limit how much access a hacker can get by compromising one computer or network node. The top priority here is to make sure the ICS environment is air-gapped from the main corporate network as much as possible.
Step three: Protect data and key operations. All sensitive data should be properly secured against unauthorized access with file- or full-disk encryption programs. Important data should also be routinely backed up, using a combination of offline local storage devices and off-site virtual storage. The utility should also be able to replace computers and servers quickly in case these machines are infected and must be taken offline.
Network monitoring and testing are critical. Utilities should use a combination of intrusion detection and prevention systems (IDS/IPS), security information and event management (SIEM) and exfiltration monitoring to catch potential malware infections or other network breaches.
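The segmentation check from step two and the exfiltration monitoring from the paragraph above can both be expressed as simple rules over network flow records. The following is an added example (not code from the article or from any particular SIEM product) that evaluates a small set of constructed flow records against an assumed zone layout: an ICS subnet that may only exchange traffic with one historian host, a corporate subnet, and everything else treated as external. The subnets, the historian address, the byte threshold and the sample flows are all assumptions made for the example.

```python
"""
Segmentation and exfiltration checks over flow records.

Hypothetical zone layout (an assumption for this example, not from the article):
  ICS zone        10.10.0.0/16   may exchange traffic only with the historian 10.20.0.5
  Corporate zone  10.20.0.0/16
  Anything else is treated as external.
"""
import ipaddress
from collections import defaultdict

ICS_NET = ipaddress.ip_network("10.10.0.0/16")
CORP_NET = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_ICS_PEERS = {"10.20.0.5"}          # the only non-ICS host ICS devices may talk to (assumed)
EXFIL_BYTES_THRESHOLD = 50_000_000         # bytes to one external host per window (assumed)

# Constructed sample flow records: timestamp, source, destination, destination port, bytes sent.
SAMPLE_FLOWS = """\
2024-01-01T08:00:00Z 10.10.1.7 10.20.0.5 502 1200
2024-01-01T08:00:05Z 10.10.1.7 10.20.3.44 445 8800
2024-01-01T08:01:00Z 10.20.3.44 203.0.113.9 443 30000000
2024-01-01T08:02:00Z 10.20.3.44 203.0.113.9 443 25000000
2024-01-01T08:03:00Z 10.20.5.2 10.20.0.5 443 500
2024-01-01T08:04:00Z 10.10.2.9 198.51.100.20 80 900
"""


def zone_of(ip):
    """Classify an address into the assumed zones."""
    addr = ipaddress.ip_address(ip)
    if addr in ICS_NET:
        return "ics"
    if addr in CORP_NET:
        return "corp"
    return "external"


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def segmentation_violations(flows):
    """Return (src, dst) pairs where ICS traffic crosses the zone boundary to a host
    that is not on the allow-list. Traffic that stays inside the ICS zone is not flagged."""
    violations = []
    for f in flows:
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone == "ics" and dst_zone != "ics" and f["dst"] not in ALLOWED_ICS_PEERS:
            violations.append((f["src"], f["dst"]))
        elif dst_zone == "ics" and src_zone != "ics" and f["src"] not in ALLOWED_ICS_PEERS:
            violations.append((f["src"], f["dst"]))
    return violations


def exfil_candidates(flows, threshold=EXFIL_BYTES_THRESHOLD):
    """Sum bytes from internal hosts to each external destination and return the pairs
    whose total exceeds the threshold. Aggregating per pair catches transfers split into
    several smaller flows, as in the sample data."""
    totals = defaultdict(int)
    for f in flows:
        if zone_of(f["dst"]) == "external" and zone_of(f["src"]) != "external":
            totals[(f["src"], f["dst"])] += f["bytes"]
    return {pair: total for pair, total in totals.items() if total > threshold}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst in segmentation_violations(flows):
        print(f"SEGMENTATION: {src} ({zone_of(src)}) -> {dst} ({zone_of(dst)}) not permitted")
    for (src, dst), total in exfil_candidates(flows).items():
        print(f"EXFIL: {src} sent {total} bytes to external host {dst}")
```

In the sample data the ICS host 10.10.1.7 is flagged for reaching a corporate file-sharing port and 10.10.2.9 for reaching the internet directly, while the corporate host 10.20.3.44 is flagged because its two 443 flows to the same external address add up to more than the threshold even though neither flow exceeds it alone. In production the zone definitions would come from the firewall or asset inventory and the threshold would be tuned per host role.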