“Zero-day” attacks may get a lot of attention in the press, but for electric utilities, the reality is that more “mundane” threats pose a far greater risk to their operations.
Utilities depend upon industrial control system (ICS) devices, but what is largely unknown to this industry is that the majority of these products ship with significant security vulnerabilities embedded in their firmware. To make matters worse, these flaws are well documented by researchers, security companies and the U.S. government, so they are public knowledge. They are what is referred to as a “known vulnerability,” or “n-day.” This means attackers know about them too.
At the 2018 S4X18 cybersecurity conference, an in-depth examination of the ICS devices most commonly used in utility operations was presented, with the aim of measuring how widespread these known vulnerabilities actually are. This examination found that most of the ICS devices made by the world’s leading manufacturers contain a significant number of n-day vulnerabilities, which leaves them susceptible to exploitation. Additionally, many of these vulnerabilities are rated High or Critical, with a CVSS base score of 7.0 or higher. This means that if an attacker is able to breach the utility’s network and reach the ICS, he or she could take partial or total control over those devices and the facility’s operations.
Operators should be reminded of the two recent attacks on Ukraine’s power grid (December 2015 and December 2016), in which hackers were able to trigger regional power outages by disabling or subverting key ICS functions. By exploiting these latent n-day vulnerabilities in commonly used ICS equipment, an attacker could, in theory, pull off a similar attack on the U.S. mainland.
Breaking It Down — What We Found
By analyzing the firmware of widely used ICS devices, it has been found that n-days are widespread throughout the ICS environment. In fact, most utility operators who read this article are likely to have at least some of these vulnerabilities inside their own systems.
Many of the hundreds of n-day vulnerabilities found are also rated “low attack complexity,” meaning no special conditions must be met to exploit them. Therefore, it would not be difficult for attackers to exploit them once they gain access to the utility’s network. In some cases, it could take just a few days to a few weeks to adapt a published n-day into a working attack.
It is also important to realize that many of these n-day vulnerabilities are not at all recent: in some cases they date back two years or more and remain unpatched.
Specific vulnerabilities against named devices cannot be disclosed, since there is a long lead time on ICS patching and naming them would further aid attackers. However, one example can be shared. There is a vulnerability in the VxWorks real-time operating system, on which many ICS products are built, that remains unpatched in products from many top manufacturers. In no case was this vulnerability listed against the individual ICS products, so the device vendors may not even know it affects them. Vulnerabilities of this kind can be exploited for such malicious purposes as manipulating settings and controls, physically damaging or destroying equipment, disrupting key operations and stealing sensitive information.
Evaluating the Risk
Utility operators are on the front lines of criminal cyber activity, as they make a tempting target for all of the key malicious actors – nation-states, espionage actors, organized crime and “hacktivists.”
For this reason, utilities must prioritize any potential threat to their networks, and in particular to the ICS, since a successful attack there could lead to disruption of operations and even physical damage. When it comes to the mode of attack, attackers are more likely to use n-days than zero-days. Why? Because zero-days are difficult, costly and time-consuming to find and weaponize. N-days are exactly the opposite: in many cases a ready-made exploit already exists which an attacker can look up or purchase. This makes the n-day the more likely method of attack.
The world has already seen a number of attacks on industrial targets that have exploited weaknesses in ICS devices and protocols.
Several recent cases illustrate this threat:
- CrashOverride, or Industroyer, is one of the more dangerous examples of ICS malware. As many will recall, this malware was used in a December 2016 attack to disrupt operations at a Ukrainian electrical transmission substation, resulting in a regional power outage. Based on the analysis by ESET and Dragos, this malware includes a module that exploits the known denial-of-service vulnerability CVE-2015-5374 in Siemens SIPROTEC protection relays.
- TRITON, also known as HatMan, is a type of ICS malware discovered by FireEye’s Mandiant in 2017. The malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which provide emergency shutdown capability for industrial processes.
- The BlackEnergy malware has also been implicated in the December 2015 Ukrainian outage incident. It is designed for espionage as opposed to physical damage, but it is useful for gathering intelligence on targeted networks and maintaining persistent access to the ICS. According to Dragos, this malware contained exploits for specific HMI products, including Siemens SIMATIC, GE CIMPLICITY and Advantech WebAccess.
In the past, it has been difficult for remote actors to pose a significant threat to utilities, but the situation has changed dramatically in recent years, due to the increased connectivity of utilities; a large body of publicly available exploitation and vulnerability research on industrial systems; the rise of the Dark Web, which makes sophisticated tools and “kits” readily available to actors all across the world; and the increased investments of nation-states in offensive cyber operations.
Insecurity at the Heart of ICS
Cyber attacks pose a threat to all major industries, but the utility market – and other industrial operations – face the greatest level of risk because of specific circumstances unique to the ICS environment:
- Systems must always be available, so the downtime needed to apply a patch and restart a controller is hard to schedule.
- Complex patching procedures. In an ICS, as opposed to a standard computing environment, patching is often a manual, proprietary process that requires unique software and knowledge for each vendor.
- Patches rarely propagate between vendors that share code. The VxWorks example covered at S4 illustrates this: the vulnerability was reported to a vendor in a different sector (telecom) and was patched by the software vendor (Intel/Wind River), but the fix was never applied by a number of large ICS vendors whose products embed the same code.
- Extended lifetime. Systems are typically deployed in the field for over a decade and well past their support period. Vendors who desire to sell new products are disincentivized to routinely patch and support older products with security updates, even if they are still commonly found in the field.
How to Address the Problem:
N-days are not an easy problem to address, largely because of a slow-to-act supply chain and the technical complexities involved in patching and updating the ICS.
However, utilities can take a number of steps to reduce the risk:
- Engage with ICS equipment manufacturers about security concerns: Firmware security needs to become a key negotiating point with these vendors and operators should demand more robust built-in security features for the products they are buying.
- Security should be integral to ICS devices; not an afterthought: The current reactive approach of patching known vulnerabilities is no longer tenable. Every component of the ICS environment should have strong security baked into the software, firmware and hardware from the very start in order to lower the overall risk of n-days and other problems, and to mitigate or prevent damage from their exploitation. The best solutions will combine intrusion detection and mitigation techniques to protect against known and unknown attacks without relying on continuous updates. By and large, these features do not exist in current products, so it is incumbent upon manufacturers to develop or source this technology as quickly as possible.
- Be proactive: Utility operators need to be far more proactive with their own networks. They need to scan their networks regularly for known vulnerabilities. They also need to stay on top of the latest vulnerability reports and apply security patches whenever these become available from the vendors. When patches are not available, operators need to contain the threat as much as possible by taking such actions as air-gapping critical systems; prohibiting the use of external media (USB drives, CD-ROMs); establishing strict controls on physical access to these systems, especially by third-party contractors; conducting open-source intelligence audits against public internet-scan data to find and close exposed ports; active network security monitoring; and inspecting traffic that carries logic updates or control writes to ICS equipment.
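The last two items, active network monitoring and inspecting traffic that changes controller logic or state, are the ones most likely to catch an n-day being exploited once an attacker is already inside. The following Python is an added example, not code from the article or from Red Balloon: it parses Modbus/TCP request frames (used here as a representative ICS protocol; the same idea applies to S7comm, DNP3 or EtherNet/IP) and raises an alert whenever a write function code arrives from a host that is not on an allow-list of engineering workstations, or when a frame is malformed. The frames, IP addresses and allow-list are constructed for the demonstration; in a real deployment the frames would come from a network tap or packet capture.

```python
"""Flag Modbus/TCP write operations from hosts not authorised to change
controller state.

Added example, not from the article. Modbus/TCP stands in for the ICS
protocol in use; the frames, addresses and allow-list are constructed.
"""
import struct

# Modbus function codes that change coils/registers, i.e. controls.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

# Hosts permitted to write (assumed engineering workstation / SCADA master).
WRITE_ALLOWLIST = {"10.0.10.5"}


def parse_mbap(frame):
    """Parse the 7-byte MBAP header plus function code of a Modbus/TCP frame.

    Returns (transaction_id, unit_id, function_code, pdu) or None if the
    frame is not well-formed Modbus/TCP.
    """
    if len(frame) < 8:                       # MBAP (7) + function code (1)
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:                           # protocol id is always 0 for Modbus
        return None
    if length != len(frame) - 6:             # length covers unit id + PDU
        return None
    pdu = frame[7:]
    return tid, unit, pdu[0], pdu


def inspect(src_ip, frame):
    """Return an alert dict for an unauthorised write or bad frame, else None."""
    parsed = parse_mbap(frame)
    if parsed is None:
        return {"src": src_ip, "reason": "malformed Modbus/TCP frame"}
    tid, unit, fc, pdu = parsed
    if fc in WRITE_FUNCTIONS and src_ip not in WRITE_ALLOWLIST:
        return {"src": src_ip, "unit": unit, "function": fc,
                "name": WRITE_FUNCTIONS[fc], "tid": tid}
    return None


def run(traffic):
    """Inspect (src_ip, frame) pairs and return the alerts raised."""
    return [a for a in (inspect(src, f) for src, f in traffic) if a]


# Constructed traffic: (source ip, raw Modbus/TCP request bytes).
SAMPLE_TRAFFIC = [
    # fc 3 Read Holding Registers, 10 regs from addr 0: a benign HMI poll
    ("10.0.20.7", bytes.fromhex("00010000000601030000000a")),
    # fc 5 Write Single Coil, coil 1 = ON, from the allowed workstation
    ("10.0.10.5", bytes.fromhex("00020000000601050001ff00")),
    # fc 6 Write Single Register from an unexpected host
    ("10.0.20.9", bytes.fromhex("00030000000601060010dead")),
    # fc 16 Write Multiple Registers, 2 regs, from an unexpected host
    ("192.168.1.50", bytes.fromhex("00040000000b0110000000020400010002")),
    # truncated frame: MBAP header incomplete
    ("10.0.20.9", bytes.fromhex("0005000000")),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_TRAFFIC):
        print(alert)
```

The allow-list approach works because the set of hosts that legitimately write to controllers in a substation is small and stable; reads from HMIs are frequent and uninteresting, so only write function codes are checked. A malformed frame is reported separately because fuzzed or truncated requests are how many of the n-day crashes described above are triggered.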
Conclusion
Malicious cyber actors are growing, both in quantity and sophistication, and they will increasingly target industrial operators for a variety of reasons, ranging from industrial espionage to extortion, terrorism and state-sponsored cyber warfare. Since the ICS environment is inherently vulnerable to attack, it is critical for all operators to prioritize cybersecurity and take a number of proactive measures to reduce their risk.
Ang Cui, Ph.D., is founder and CEO of Red Balloon Security (RBS), a leading security provider for embedded devices across all industries. Prior to launching RBS, Cui was a prominent security researcher at Columbia University’s Intrusion Detection Systems Lab, where he discovered serious vulnerabilities in many widely used embedded devices. His research culminated in the development of Symbiote Defense, an advanced firmware defense system for embedded devices. Cui’s company has secured multiple U.S. government contracts to study Symbiote’s effectiveness in military, national security and industrial applications. Cui has received numerous industry awards and was named a DARPA Riser in 2015.