December 22, 2024

Security Sessions | Defending Canada's Electricity Sector Against Cyber Security Threats

by David Masson, Darktrace

In 2015, power was cut to 225,000 households, when cyber-attackers penetrated the systems of a western Ukrainian power company with a spear-phishing email. In 2016, citizens in certain parts of Kyiv lost power for an hour, again, due to a cyber-attack, reducing Kyiv’s total power consumption by a fifth for that night.

Though this happened in Ukraine, Canada is also susceptible to these threats. In fact, Canada’s electricity sector has already experienced cyber-attacks, albeit of a different variety. According to a recent bulletin on cyber security guidance for the electricity sector from the Canadian Centre or Cyber Security (CCCS), most of the attacks on Canadian electricity have been ransomware or fraud. And while an overt state-sponsored attack that aims to debilitate Canada’s electricity sector seems unlikely, Canada has already seen activity from nation-state actors that can position them for a future attack.

Why Canada’s electricity sector is a target

We see two types of threat actors who have targeted and will continue to target Canada’s electricity sector, cybercriminals and state-sponsored attackers. Their motives, however, are very different.

Cybercriminals tend to be financially motivated. These motivations include ransom payments and profiting from the exfiltration of personally identifiable information (PII) and intellectual property (IP) to sell on the Dark Web. An example of this occurred in April 2020, when ransomware encrypted the corporate systems and website of the Northwest Territories Power Corporation.

On the other hand, nation-states have more complex geopolitical motivations. Many of these threats are classified; however, several instances of state-sponsored threats against the North American electricity sector have been made public. In 2019, for example, threat actors sponsored by Iran conducted a vast espionage campaign against industrial control systems (ICS) suppliers.

The consequences of cyber-attacks against Canada’s electricity sector

A cyber-attack on the electricity sector goes farther than business disruption. Because Canadians depend on power for their daily lives, any interruption or shutdown could directly impact public safety. The consequences also could affect the nation at large, including national security and the economy.

Case in point: A 2003 power outage lasted a week throughout the Northeast, causing a CAD 2.3 billion loss to Ontario’s economy, contributing to a 0.7% decrease in Canada’s overall GDP. While a cyber-attack did not cause this outage, cyber-attacks against the bulk power system or local distribution networks could undoubtedly lead to similar results.

The 2003 outage also highlights another important fact about the Canadian electricity sector: Canadian grids and U.S. grids are deeply interconnected. Canada’s most extensive power grids are connected within the country and externally to grids in the U.S. Over 35 Canada-US transmission line connections, called “interties,” cross the provinces that border the U.S. As a result of these interties, the U.S. and Canada will likely have to share the impact burden of any cyber disruption.

According to the CCCS bulletin, this interconnectedness makes Canadian grids a target of cyber warfare, as attackers might attempt to disrupt the U.S. electricity sector via Canada’s electrical grids. Indeed, the electricity sector is a prime target for nation-states and state-sponsored actors seeking geopolitical advantage due to the importance of electricity in all aspects of life.

How Canada’s electricity sector is vulnerable

It is worth discussing how exactly Canada’s electricity sector is vulnerable to cyber-attacks. These issues stem from both internal and external factors: the technology architecture of the electricity sector itself and the cyber threat landscape that surrounds it.

First, ICS and operational technology (OT), used in the electricity sector to monitor and manage the grid centrally, were often engineered before the internet and thus were designed with reliability and safety in mind rather than cyber security.

Due to their often-outdated design, common vulnerabilities and exposures (CVEs) are abound in ICS and OT environments. On top of this, tracking and patching these vulnerabilities remains a vexed process. Many vulnerability advisories for ICS devices have no practical mitigation advice, and over a fifth of reported CVEs don’t even include a patch. For these reasons, most vulnerability management workflows are a process of diminishing returns, making ICS and OT devices particularly difficult to secure.

Considering the challenges involved in securing ICS and OT — along with the high stakes of compromise, which can lead to massive financial loss and threaten human safety—organizations with ICS and OT, many of which are critical infrastructure, have historically implemented what’s known as an ‘air gap,’ with ICS and OT systems entirely disconnected from the internet.

IT-OT convergence

However, internet-connected IT systems have increasingly become connected to ICS and OT systems, poking holes in this ‘air gap.’ This much-discussed trend is called IT-OT convergence. This convergence can be unintentional, such as when OT protocols are unwittingly used on the IT network. A British IT company specializing in cyber security AI detected over 6,500 suspected instances of ICS protocol use across 1,000 enterprise environments in one anonymized study.

IT-OT convergence can also be intentional. Connecting ICS to the cloud (what’s known as “ICSaaS”), remote management of OT, and the adoption of the industrial internet of things (IIoT) and cyber-physical systems are all valid reasons to connect your IT and OT systems. According to one of the British cybersecurity company’s customers in the electric industry, “IT-OT convergence brings opportunities for new services, efficiencies and productivity gains. But just as it expands the benefits, it also introduces additional vulnerabilities and avenues for exploit.” This convergence can increase efficiency and reliability.

Though laudable, these technologies will only increase IT-OT convergence and thus the vulnerability of the electricity sector. Ultimately, IT-OT convergence widens the attack surface, allowing threats to spread laterally more easily from IT into OT systems.

Therefore, many of the attacks we see today that disrupt OT start in IT. For example, the cyber-attack against Colonial Pipeline led to the shutdown of OT but only actually affected IT systems. Due to the threat of the attack spreading from IT to OT, the organization decided to shut down OT manually out of caution. According to the cybersecurity company’s customers, “Attacks like that on Colonial Pipeline served as a reminder of why security investments are necessary, and we need to do more regarding cyber security technology, training, and education.”

The threat landscape surrounding Canada’s electricity sector

Attacks on Canada’s critical infrastructure are constantly increasing in volume and variety. In conversations with one customer in the electric industry, their security team noted, “Our biggest challenges are the threats that we don’t know about, and that strive to remain unknown, along with bad actors exploiting the best intentions of good people.” The entire industry widely shares this sentiment. The electricity sector must closely understand three significant attack methods: ransomware, supply chain attacks and insider threats.

As mentioned above, the increasing interconnectedness of IT and OT means that even ransomware that only compromises IT can indirectly affect OT systems. At the same time, we are also seeing more and more ransomware strains that can directly affect OT. At least seven known ransomware variants directly target ICS processes, including the infamous EKANS ransomware that shut down operations globally for a major automobile manufacturer.

Supply chain attacks are also a significant concern for the electricity sector, especially in the wake of the Log4j vulnerability, which has affected IT and OT/ICS systems. Supply chain attacks help threat actors access ICS IP, and thus, state-sponsored attackers often leverage these methods. According to the cybersecurity company’s customer, “Every partner and supplier has the potential to introduce code or processes that on the surface appear to be valid. We vet vendors rigorously to establish that they are secure and that the integrity of their products is solid.”

The company continued, “But despite everyone’s best efforts, any vendor is a potential backdoor into their partner and is a target for exploitation. Constantly monitoring traffic from trusted components and receiving alerts should a bad actor be able to subvert everyone else’s good efforts is mission-critical. Correlating events and identifying patterns or behaviours that pose a risk to our organization is a great asset as a countermeasure and a key component of a zero-trust cyber posture.”

Lastly, whether intentional or unintentional, insider threats are still a persistent threat to Canada’s electricity sector. Whether a threat actor bribes an employee to install malware or an ex-employee is disgruntled and vengeful, insider threats allow cyber-attacks to slip past perimeter defences.

How can Canada defend its electricity sector from cyber-attacks?

To protect Canada’s electricity sector from these attacks, we need to take a fundamentally different cyber defence approach. The air gap is increasingly becoming a thing of the past. On top of this, traditional defence methods, such as mapping and patching CVEs, prove ineffective because many CVEs in OT and ICS are not patchable.

Self-learning artificial intelligence (AI) can uniquely detect and respond to threats without relying on these legacy security methods. By learning the ‘digital DNA’ of an electricity organization’s technology infrastructure, self-learning AI empowers machines to defend themselves against in-progress attacks. Self-learning AI achieves this by understanding the typical pattern of life for all devices, machines, and operators in an environment and the organization, which allows it to spot even the most subtle forms of unusual behaviour wherever and whenever it occurs.

According to another customer of the cybersecurity company, “Without this understanding of what ‘normal’ behaviour on our network and in our environment should look like during work hours and normalized traffic by our employees — you can’t always highlight and zero-in on activity that could be harmful. Big things stand out, but security teams and tools could miss a series of little things. Self-Learning AI helps establish a baseline of activities so that we can much more easily identify atypical behaviours. This allows us to concentrate efforts on the riskier behaviours much faster than we could with traditional tools and methods.”

We also need to move away from a mindset of protecting either OT or IT in isolation. These environments are increasingly converged, as discussed above. Fortunately, self-learning AI technology spans both environments, from laptops and servers within enterprise environments to human-machine interfaces (HMIs) and programmable logic controllers (PLCs) in industrial environments. This unified view enables the AI to thwart attacks in IT before they can spread to OT and vice versa.

Defending against threats to the electricity sector in the real world with self-learning AI

There are many examples of self-learning AI fighting back against threats to the energy sector in the wild. For example, an energy supplier in North America thwarted a signatureless, double-threat ransomware attack with self-learning AI, preventing operations from shutting down.

In another example, an attacker gained entry to the digital estate of a European energy provider in mid-2020. Before installing the cybersecurity company’s self-learning AI within the digital estate, the attacker managed to install a backdoor onto a computer. This backdoor was likely Meterpreter, a piece of the Metasploit software.

Within hours of being installed, self-learning AI observed the infected device displaying beaconing behaviour and downloading several executable files from endpoints associated with command and control. This visibility allowed quick remediation of the threat, preventing further damages to the customer network.

Towards the end of 2020, another attacker penetrated the systems of a European energy provider. Before the organization deployed self-learning AI, the attacker had already successfully installed the Emotet malware onto multiple devices. The attacker then installed malware associated with both the Qakbot banking trojan and the ransomware strain Egregor onto previously infected devices.

Within one week of being installed, self-learning AI identified the infected devices beaconing to endpoints associated with Emotet, Egregor and Qakbot. In the second week of the deployment, this AI identified a device spreading malicious executable files to other internal devices using SMB and Service Control.

Ultimately, Canada’s electricity sector must adopt sophisticated technologies that can defend against today’s influx of increasingly sophisticated threats to maintain service for Canadian consumers. When the next attack will strike an organization in the electricity sector and what it will look like remain unknown. However, technologies like self-learning AI can identify the ‘unknown unknowns’ in any environment and stand ready to fight back.

David Masson is the director of Enterprise Security for Darktrace. He brings over two decades of experience working in fast-moving security and intelligence environments in the UK and Canada across civilian, military and diplomatic circles. Before Darktrace, Masson held senior management positions with Public Safety Canada, the UK Ministry of Defence and Royal Auxiliary Air Force (RAuxAF).