Introduction
Utilities are the systems or organizations responsible for maintaining public infrastructure services, including electricity, water supply, waste management, sewage treatment, gas supply, and communications. Our findings show that over 50% of cybersecurity events occurred in the utilities industry, with the majority in the electricity and oil sectors, such as the BlackEnergy 3 attack that disrupted the electricity supply in Ukraine. Analysis of that event showed that once the attackers entered the industrial control environment, their actions were almost entirely unimpeded, which increased the damage the incident caused. This blog reports the results of on-site examinations of the utilities OT field and analyzes the attack vectors of ICS (as shown in Figure 1) to examine the real-world security threats in these environments. After observing the OT environment in the field, we conducted the following attack vector simulations, illustrating the attack scenarios most likely to occur and the countermeasures for mitigating them.
Figure 1. Attack Vectors of ICS
Five Common Attack Vectors Facing the Utility Industry
1. Ransomware Attack
State-owned utilities often run computer equipment that no longer receives security updates: the systems were built a long time ago and their architecture was never significantly revised before the equipment reached retirement. As a result, we often see equipment still in use in the OT environment despite no longer being supported by security updates. In the past, we conducted a study in the OT environment of a water treatment plant and found that the plant's control console ran an outdated Windows operating system with remote desktop services enabled. In this scenario, the attacker could easily use a built-in Metasploit attack module to exploit the host and obtain a Meterpreter session. Meterpreter is an extension module of Metasploit that serves as the control channel returned after a successful exploit. Through this control channel, the attacker can execute a ransomware attack on the outdated Windows operating system (as shown in Figure 2). In August 2022, the ransomware group Cl0p announced that it had infiltrated a water treatment plant in the UK, claiming to have access to its OT network and publicly disclosing a SCADA screen as proof of the intrusion.
Figure 2. Ransomware Attack
2. ICS Protocol Attack
We have noticed that some power plant sites use controllers that communicate over UDP on the Ethernet network. Although the GE EGD equipment we studied does not use an open (publicly documented) communication protocol, by capturing and analyzing its traffic our researchers were still able to identify the meaning of specific network packet contents. Because the controllers' communication protocol performs no identity verification, we were able to alter the packet contents through a man-in-the-middle attack, changing the status of the turbine from closed to open and then continuing to adjust the controller's parameters. This attack method is similar to the well-known Stuxnet event, in which the attacker changed the speed of the centrifuges in the nuclear power plant through the controller, causing the machines to lose their ability to operate.
Figure 3. GE EGD ICS Protocol Attack
3. Wireless Attack
Accurate time is required in power plants to measure the amplitude and phase angle of voltage and current, because an imbalance between supply and demand on the grid may result in frequency deviations that cause instability. Due to cost and efficiency considerations, most power plants use GPS as their time reference. However, GPS can be falsified by a stronger signal, and if the NTP server in the power plant mistakenly trusts a GPS time correction issued by the attacker, it may lead to a blackout. Below we demonstrate the falsification of GPS position using the HackRF tool, causing the victim to receive incorrect time messages. The article “The Power Grid’s Vulnerability to GPS Spoofing Attacks” summarizes research on GPS attacks against the power grid, showing the consequences for grids that rely on sub-microsecond timing accuracy when the time synchronization signal is spoofed.
Figure 4. GPS Spoofing Attack
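As an added example (not part of the original post), here is a Python plausibility check a defender could run on the reports of a fixed-site GPS time receiver: because the antenna never moves and the receiver's clock should advance in step with the plant's own free-running clock, a sudden position shift or time step is a signal worth alerting on. The site coordinates, thresholds and sample fixes are constructed for illustration.

```python
from math import radians, sin, cos, asin, sqrt
from collections import namedtuple

# One receiver report: local free-running (monotonic) clock when it arrived, the UTC
# time the receiver claims, and the position it claims.
GpsFix = namedtuple("GpsFix", "mono_s gps_epoch_s lat lon")

# Assumed surveyed antenna position of the plant and detection thresholds (constructed).
SITE_LAT, SITE_LON = 25.0330, 121.5654
MAX_POSITION_DRIFT_M = 100.0   # a fixed antenna should never appear to move this far
MAX_TIME_STEP_S = 0.001        # tolerated disagreement with the local clock per interval

def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371000.0 * asin(sqrt(a))

def check_fixes(fixes):
    """Return (index, reason) alerts for fixes that are inconsistent with a fixed site
    or with the elapsed time measured by the local clock."""
    alerts = []
    for i, fix in enumerate(fixes):
        drift = distance_m(SITE_LAT, SITE_LON, fix.lat, fix.lon)
        if drift > MAX_POSITION_DRIFT_M:
            alerts.append((i, "position moved %.0f m from surveyed site" % drift))
        if i > 0:
            prev = fixes[i - 1]
            # The receiver's time should advance by exactly what the local clock saw.
            expected = prev.gps_epoch_s + (fix.mono_s - prev.mono_s)
            step = fix.gps_epoch_s - expected
            if abs(step) > MAX_TIME_STEP_S:
                alerts.append((i, "reported time stepped %+.3f s vs local clock" % step))
    return alerts

# Constructed sequence: three consistent fixes, then one whose reported time jumps back
# 2 s while the position moves several hundred metres north.
SAMPLE_FIXES = [
    GpsFix(0.0, 1700000000.0, 25.03300, 121.56540),
    GpsFix(1.0, 1700000001.0, 25.03301, 121.56541),
    GpsFix(2.0, 1700000002.0, 25.03300, 121.56540),
    GpsFix(3.0, 1700000001.0, 25.03600, 121.56540),
]
```

Running `check_fixes(SAMPLE_FIXES)` flags only the fourth fix, once for the position jump and once for the time step; a receiver with holdover would keep discipline from its local oscillator while the alert is investigated.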
4. Physical Attack
At an actual wind farm, in addition to the blades, gearbox, and generator on the wind turbine, there is also a connected control panel at the base of the turbine. This control panel contains the HMI, controllers, and inverters, and it also reports power information to the backend SCADA system. Published research has tried to physically compromise an operating wind turbine. In that test, the researcher broke the physical lock on the turbine unit within a minute, then connected remotely to the SCADA system through the networked device inside and issued control commands to other wind turbine units. From this case study we have found that physical security is an area that power plants and system integrators commonly overlook, leaving exposed assets with poor physical protection and giving attackers the opportunity to pivot from external assets into the internal OT environment. If the internal network is not adequately secured, attackers can easily force power plants to shut down.
5. Remote Service Attack
In the utility field, we have observed that some Modbus servers expose TCP port 502. We have also observed that these devices provide HTTP and FTP services that allow users to directly adjust the configuration or memory data of the PLC. In practice, the utility operator may focus on keeping the OT environment running smoothly while ignoring basic security settings; default usernames and passwords on remote services are a common example. Taking the role of malicious hackers, we were able to use the default username and password supplied by the PLC manufacturer to log in to the PLC web interface and adjust the data at any memory location in the PLC, thereby controlling the endpoint device mapped to that memory location. This can affect the operational quality of the utility.
In addition, the issue of overlooking security settings also occurs in the network communication equipment that manages the entire plant. For example, an attacker only needs to log in to the network communication equipment through telnet and change the VLAN settings to successfully paralyze the entire plant network.
How to Mitigate Common Attack Vectors Facing the Utility Industry
Utilities’ Industrial Control Systems (ICS) and Operational Technology (OT) environments are vulnerable to Advanced Persistent Threat (APT) attacks due to their critical role in providing essential public infrastructure services. Given the challenges of updating obsolete equipment in ICS/OT environments, it is crucial for organizations to implement effective security measures. In response to this threat, we suggest the following:
1. Inspect:
The first key to OT zero trust is “never trust, always verify”. To uphold this, implementing security checks on ICS/OT assets is an important initial step. This implies that every piece of equipment entering the workplace must undergo malware and security status scanning. Assets brought in by internal employees or trusted suppliers could potentially bring threats into the ICS/OT environment. Ransomware may be hidden in assets ready for deployment (supply chain attacks) or in devices brought into the production line by personnel (insider threats). Organizations are advised to set up an inspection procedure that can quickly execute and record whether any assets entering the facility carry ransomware or have high-risk vulnerabilities. Since malware is constantly evolving, scanning tools also need to be continuously updated to ensure the validity of the equipment’s scan reports, which should be detailed in content.
Moreover, the features and services of modern operating systems are not designed for ICS/OT operations, so many functions exceed what basic operation actually requires. To automate the inspection of software vulnerabilities and configuration settings on devices, administrators should also verify that the operating system configuration of ICS/OT devices is in a “secure state” and does not introduce high-risk vulnerabilities. For example, they should check the operating system version, enabled services, and open ports to verify that the configuration of the computing equipment is secure.
2. Lockdown:
Asset hardening is a crucial stage in eliminating attack vectors. It includes hardening network services, patching system vulnerabilities, and removing non-essential components: applications, user privileges, user accounts, network services, network ports, and other unnecessary system features. Hardening can prolong the life of an asset, protect aging assets, and let technicians minimize attackers’ access to computers executing critical tasks, thereby denying malware the opportunity to run.
1) Deploy ICS/OT endpoint protection on core assets: The greatest challenge in deploying antivirus software on ICS/OT devices is to detect unusual activities without impacting production and to protect key assets. Organizations can employ effective methods (e.g., OT/ICS software digital signatures) to verify whether software comes from a trusted source.
2) Implement minimum privilege control: ICS/OT devices must be able to intelligently identify critical task processes, thereby assigning priority to production-related applications as required for their work and performing abnormal operation behavior detection, such as learning, detecting, and authorizing daily operation behaviors. Under minimum privilege control, monitoring of vulnerable legitimate processes ensures fast operation and resource availability for necessary tasks.
3) Disable redundant, unauthorized services, and software: Organizations can use application trust lists to lock applications, configuration settings, data, and USB ports on ICS/OT assets. This helps prevent unauthorized applications from running and ensures that only trusted users and applications can change configuration settings or data.
3. Segment:
The administrators of Utilities must be ready to repel various threats proliferated by hackers over the internet. The essence of network segmentation lies in defining necessary or unnecessary communication based on asset characteristics and dividing the organization’s ICS/OT network into more defensible zones. For example, determining executable instructions based on trusted ICS/OT communication protocols or specifying which assets can communicate based on specific IP policies. This enhances network access control in factory networks, utilizes better packet analysis, and makes it harder for hackers to collect information or move around within the factory network. Factory administrators can achieve dynamic network segmentation through the following methods using next-generation ICS/OT IPS and firewall devices:
1) Allow only legitimate and necessary network services to pass through
2) Permit only legal, safe, or user-authorized file sharing
3) Prevent unauthorized external network access
4) Prevent unauthorized devices from connecting to the factory network
5) Perform appropriate micro-segmentation within the network, isolate production lines, and move production-related server hosts to secure network segments
6) Support deep packet inspection techniques, combined with the latest industrial threat intelligence, to prevent lateral threat movement
7) Support asset risk assessment, including detailed vulnerability intelligence and attack vector reports
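The default-credential PLC scenario in the Remote Service Attack section and the segmentation rule of deciding which assets may issue which protocol instructions can both be expressed as a simple Modbus/TCP policy check. The following Python block is an added example, not code from the original post: it parses the MBAP header and function code of captured port 502 frames and flags writes from any host other than the engineering workstation; the host addresses, policy and frames are constructed.

```python
import struct
from collections import namedtuple

# Parsed request: source IP, MBAP unit id, function code, 16-bit start address.
ModbusRequest = namedtuple("ModbusRequest", "src_ip unit_id function address")
# Function codes that change PLC state (write single/multiple coils or registers).
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}

# Assumed segmentation policy (constructed): the engineering workstation may read and
# write, the HMI may only read, and any other source is unknown and therefore denied.
POLICY = {
    "10.10.1.20": {0x01, 0x02, 0x03, 0x04} | WRITE_FUNCTIONS,  # engineering workstation
    "10.10.1.30": {0x01, 0x02, 0x03, 0x04},                   # HMI, read-only
}

def parse_modbus_tcp(src_ip, payload):
    """Parse the 7-byte MBAP header and the function code/start address of the PDU."""
    if len(payload) < 10:
        raise ValueError("frame too short for MBAP header plus function and address")
    _tid, proto, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("not Modbus/TCP: protocol id %d" % proto)
    if length != len(payload) - 6:  # MBAP length counts unit id + PDU only
        raise ValueError("MBAP length field does not match frame size")
    function, address = struct.unpack(">BH", payload[7:10])
    return ModbusRequest(src_ip, unit_id, function, address)

def evaluate(req):
    """Return 'allow', or an alert string saying why the request violates the policy."""
    allowed = POLICY.get(req.src_ip)
    if allowed is None:
        return "alert: unknown source %s sent function 0x%02X" % (req.src_ip, req.function)
    if req.function not in allowed:
        kind = "write" if req.function in WRITE_FUNCTIONS else "function"
        return "alert: %s not permitted for %s (0x%02X at address %d)" % (
            kind, req.src_ip, req.function, req.address)
    return "allow"

# Constructed sample frames: the HMI reads two holding registers (0x03); then an
# unknown host and the HMI each attempt Write Single Register (0x06).
SAMPLE_FRAMES = [
    ("10.10.1.30", bytes.fromhex("000100000006010300000002")),
    ("10.10.1.99", bytes.fromhex("0002000000060106000A0001")),
    ("10.10.1.30", bytes.fromhex("000300000006010600640000")),
]

def run(frames=SAMPLE_FRAMES):
    """Evaluate every captured frame against the policy; returns one verdict per frame."""
    return [evaluate(parse_modbus_tcp(ip, frame)) for ip, frame in frames]
```

The same allow-list shape (source asset, permitted function codes) is what an ICS-aware firewall or IPS enforces inline; here it is reduced to the parsing and decision logic so the rule can be tested against captures.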
4. Reinforce:
On-site maintenance of ICS/OT is one of the ways malware enters physically isolated environments. Field engineers routinely replace computing devices and storage devices within ICS/OT equipment or update software. All of these activities must be carried out with the guarantee that no malware is introduced.
Manage potential threats from maintenance operations: ICS/OT devices need to undergo another scan each time a software or configuration change occurs. However, the factory line environment imposes stringent restrictions. For example, if software cannot be installed on the machine, the best method is to use a handheld quick-scan device to run the malware scan. If the device can run ICS/OT antivirus software, malware scans can be launched in compliance with production policies. The most important things are to monitor vulnerable legitimate processes to prevent unauthorized software and data changes, to automatically verify that applications and file updates are clean, and to aggregate logs to a centralized management platform for analysis and archiving.
1) Shield asset vulnerabilities: Updating ICS/OT assets depends on many factors, such as whether the security update is available. If it is available, is it compatible? Does the ICS/OT environment allow for patching assets? Asset status and security update status are factors continually consulted during the maintenance process. For assets that have not been updated or are yet to be updated, known vulnerability exploits can be resisted at this time through virtual patching technology of ICS/OT Intrusion Prevention Systems or by using system lockdown functions to block unsafe updates. With this method, it is not mandatory for endpoints to undergo system updates, i.e., there is no need to reboot the system or shut down production lines. This allows technical personnel more time to mitigate risks until the original equipment supplier has published and tested their proprietary security update; this also indefinitely protects other legacy assets that cannot be patched.
Conclusion
Despite operating in relatively isolated network environments due to technological limitations, utility infrastructure built long ago is still vulnerable to Advanced Persistent Threat (APT) attackers, who can gain access to the plants' control networks through their supply chains or other vectors (such as the 2022 attempt to deploy Industroyer2 malware to Ukrainian substations). Because utilities maintain public infrastructure services, attacks on them can have a significant impact on people and the natural environment. Thus, utility operators must prioritize cybersecurity as one of their key operational guidelines.
APT attacks are usually driven by commercial or political motives and involve a stealthy, persistent network intrusion process. Attackers attempt to monitor specific targets without being detected, gather relevant information, and wait for the right moment to inflict catastrophic damage. As a result, it is difficult for utility personnel to detect any anomalies in the SCADA system before a disaster occurs. At this point, we strongly recommend that utilities be equipped with OT endpoint and network defense solutions. By utilizing native OT defense solutions, they can detect any subtle signs of intrusion that are difficult for the human eye to spot, ensuring the digital safety of the utility’s infrastructure.