December 18, 2024

Security Sessions | Electric Utility Perspectives on the Ransomware Threat

by Joe Slowik, Dragos

The rise of ransomware

Ransomware has technically existed for decades – the first known example was distributed via floppy disk to AIDS researchers at a conference in 1989. However, the past five years have seen an incredible profusion of ransomware variants and threats. While business email compromise (BEC) remains the most costly type of cybercrime, ransomware is unique. That uniqueness is due to the imposition of financial loss along with business and operational disruption. On average, ransomware victims experience disruption or downtime for 16 days following an incident. Ransomware may also provide a cover for even more malicious actions delivered by state-sponsored or state-directed adversaries, as seen in the NotPetya event from 2017, and potentially, in the Norsk Hydro incident from 2019.

Ransomware events and the industrial landscape

Overall, ransomware has evolved into an increasingly disruptive, and at times, dangerous, threat. Yet, for most of this criminal activity’s existence, victims consisted of individual users or machines, or victims hit with malware spreading indiscriminately through networks. High-profile, large-scale events such as WannaCry – which impacted many industrial entities – followed this pattern, with control system assets affected by the rapid, uncontrolled propagation of the malware.

Matters began to change in late 2018 and early 2019 ,as ransomware activity shifted from what almost appeared to be indiscriminate victim selection to methodical, targeted intrusions. As described in detail in multiple resources, ransomware deployers combined this trend in tradecraft, with an increasingly concerning focus on industrial entities as victims. While the Norsk Hydro event is anomalous for several reasons, there are multiple other examples of industrial entities being deliberately targeted for ransomware infections.

Concurrent with persistent targeting of local government entities, ransomware authors and deployers have become increasingly brazen in target selection and subsequent disruption. In addition to several high-profile municipal ransomware incidents, recent years have also witnessed events at water utilities and multiple manufacturing organizations. Financial impacts aside, the effects on the delivery of essential services and industrial operation continuity are significant and deeply concerning.

More recently, 2019 saw the development of ransomware variants with primitive industrial control system (ICS) specific functionality. First identified in a variant called EKANS and later traced back to activity associated with MegaCortex and LockerGoga, ransomware functionality began targeting data storage and licensing systems associated with industrial operations. Specifically, malware or associated scripts would attempt to terminate processes, most likely to remove process “locks” on files such as in-use databases and licensing files, to extend ransomware encryption activity and make an infection significantly painful to industrial operations.

Specific concerns for electric sector organizations

The above is deeply concerning, but remains relatively general in scope, even with a shift to “industrial” operations. However, the electric sector has dealt with ransomware for several years. In 2016, ransomware disrupted the corporate IT network of the Lansing Board of Water & Light. While significantly impacting business operations, the event did not extend to critical control systems. More recently, a similar event took place at Reading Municipal Light Department (RMLD) in 2020. Although again concerning, the event only impacted IT systems with no known operational impact.

At present, there is no publicly known event where ransomware at an electric utility or related organization has produced an operational impact or outage. However, as shown in recent incidents such as a Ryuk event at a natural gas pipeline facility, the industrial and operational impacts of ransomware events are increasing. In this specific case, pipeline operations for the impacted facility ceased for over two days due to operational and safety concerns from the incident.

As ransomware activity persists – which all available data indicate will continue to be the case for the foreseeable future – and attackers get increasingly risk tolerant in targeting industrial operations, concerns for electric operations should increase. As seen in 2019 incident impacting a wind energy control center in Utah, even inadvertent, untargeted events can have significant repercussions on operations, such as inducing loss of view or loss of control conditions. Yet, the current trend toward focused, targeted intrusions covering entities within critical infrastructure means that previous concerns of untargeted, self-propagating ransomware variants has evolved.

Organizations must now deal with entities that may deliberately attempt to impact operations. Events to-date have largely focused on IT infrastructure, which is more easily accessible; however, there is no indication that ransomware entities have deliberately avoided more vital networks. As seen in the evolution of ransomware variants such as EKANS, attackers are moving toward deliberate targeting of industrial-related activities. Based on this and that electric sector entities have already been targeted at least on the IT level, asset owners and operators should anticipate intrusions attempting to impact electric operations as well as business networks.

Even if not deliberately designed to induce disruption of electric operations, ransomware entering into operational environments in generation or transmission networks has the potential to wreak havoc. For example, ransomware locking systems associated with energy management systems (EMS) will produce an unsafe condition for utility operations management and an inability to adjust to grid activity. Drives towards greater efficiency in utility operations and network management also mean that networks and systems that were once relatively isolated from each other and managed separately are increasingly interlinked. In addition to remote connections that can be used to facilitate adversary access into sensitive networks, shared infrastructure for management, such as Windows Active Directory and data links from operational assets to business intelligence services in IT networks, all provide for potential ingress mechanisms. This access can then be weaponized to impact sensitive systems such as SCADA management or other control-oriented devices, with the possibility of system compromise inducing physical disruption or even damage.

Defensive measures and response planning

Organizations in the utility sector and electric operations must recognize the growing threat ransomware operations pose to industrial organizations and make appropriate plans and mitigations now. Nearly all the actions most useful for either preventing or responding to ransomware also address many other security issues, allowing electric sector organizations to make investments that mitigate many problems at once.

First, electric operators and asset owners must understand that even the most well-defended, well-prepared organization can still be breached. Therefore, building and maintaining accurate plans and responses to cyber events that could either cause disruption or downtime is critical. This includes system and data restoration, to ensure that items such as configurations, license files, and other items are regularly backed up and securely stored. Rapid response to a breach and incident can ensure that any downtime is minimized.

Second, electric sector operators must understand and accept greater network connectivity and communication between standard IT systems and previously isolated control systems – but work to minimize such connections to only those that are necessary. Additionally, such connectivity must be done securely, by either ensuring the use of vulnerable, deprecated protocols is avoided (e.g., SMBv1), or traffic is limited to only required type and direction (e.g., configuring firewalls and other appliances to only allow outbound traffic for data transfer to business intelligence systems). These steps will help minimize available attack surface and potential infection or propagation routes. In this scenario, a breach may still occur, but it will be limited to immediately impacted systems instead of spreading to include control systems as well.

Third, electric sector networks must increase and improve visibility into network and process activity. The former is an increasing push, and one that has resulted in significant leaps in IT defensive posture. Similar steps – such as improved network security monitoring but also host-based visibility and log analysis – are not required in control system environments to identify when or if an attacker has gained access to these resources before they are able to execute something disruptive. The latter, process monitoring, is something operators already engage in for day-to-day running of the plant, but the identification of industrial-specific activity (such as EKANS) will require marrying operational data with improved security visibility to gain greater insight into potential intrusions.

Conclusion

Overall, the electric sector is yet to experience a catastrophic, physically disruptive incident due to ransomware – but the broader trendlines of ransomware activity indicate this will likely not last forever. To meet this challenge while also ensuring the consistent and safe delivery of power to consumers, electric sector operators and asset owners must begin preparing and investing now to harden networks and improve security postures. Electric utilities and related operations already do a commendable job in preparing for uncontrollable circumstances from storms to consumer demand shifts. Applying this same mindset of preparation and readiness to operationally focused cyber and information security will be necessary as the threat landscape begins to incorporate cyberattacks as well.

Joe Slowik iworks as a principal adversary hunter at Dragos– finding, tracking, and defeating ICS-focused malicious actors is his job and passion. Slowik’s primary missions include analyzing malware, identifying infection vectors, and profiling campaigns.

Prior to joining Dragos, Slowik ran the Computer Security and Incident Response Team (CSIRT) at Los Alamos National Laboratory within the US Department of Energy (DOE). Before his time at LANL he was an Information Warfare Officer in the US Navy. Outside of catching and defeating ICS adversaries, Slowik continues to live in Los Alamos, New Mexico.