Contributed By Glenn Hartfiel, Director, Opportune’s Process and Technology Practice
Power plant networks are under constant attack from Chinese, Russian and other unknown hackers across the world 24 hours a day and 365 days a year. A hacker’s goal is to breach critical infrastructure, such as a power plant’s external firewalls, to gain access to the internal networks and find a way into the control system environment.
Hackers typically use port scanners, password-guessing software and other readily available Internet tools to perform non-stop attacks against a power plant’s external environments. These tools look for and exploit any potential weaknesses that could be used to access internal networks. Once inside, the hacker can continue to run tools against control networks to exploit any weaknesses that might allow them take control of plant control networks.
Social engineering attacks such as ransomware are used to trick a user into clicking an attachment (i.e., phishing schemes) in order to extract and encrypt data files. This enables a hacker to extort money and decrypt information. The more access a user has to a system environment the greater the damage that can be done. Limiting administrative privileges reduces these risks.
Control system data, operational data and sensitive financial data can be encrypted and only restored if backups are currently performed. Phishing attacks can also trick users into providing their username and passwords, which can then be used to login remotely to other systems. People tend to use the same passwords across many different sites with little to no variations. This can allow a hacker to gain access to many other systems using the same login credentials and passwords from a compromised account, including control systems, banking information and other applications.
Many power plants lack dedicated IT staff that can effectively identify and repel a cyber attack so user diligence is key to identifying problems. Without proper controls, it is only a matter of time before hackers gain access to targeted resources and establish control of the environment.
Lack of Proactive Risk Mitigation and System Updates
Historically, control systems have been physically separated – or “Air Gapped”. However, these environments are now connected at various firewalled points as businesses increasingly rely on real-time plant data. Firewalls can provide security needed to prevent access to control networks. However, misconfigurations are common and they are sometimes not tested, thus enabling security weaknesses. Control networks continue to move closer to the Internet and many are now running on Microsoft-operating systems, which can expose them to similar security vulnerabilities as office computer systems.
Lack of Updates and Risk Mitigation
Complex passwords, two-factor authentication and user awareness are all lines of defense that help mitigate a successful hack. Many power plants do not want passwords that change on a set interval and do not use complex options because they are difficult to remember. Passwords such as “Password”, “2018Texans” or other dictionary words only take a few minutes of hacking to gain access to a network.
More power plants are using virtual private network (VPN) connections for remote starting of power plants. VPNs move critical control networks closer to the Internet. which can provide the ability for someone to hack into the plant and start or stop operations. If hackers figure out how to operate plant control systems, damage can be significant.
Security updates are critical to mitigating cyber hacking attacks by closing vulnerabilities that could provide access to system without having to provide login identification and passwords. Recent Cisco AnyConnect VPN software and Cisco Switch vulnerabilities have provided a great opportunity for network breaches or complete network failures if these issues are not patched up in a timely period.
Once a critical vulnerability has been identified, it is key that a technical team is deployed to make a fix. Critical patches need to be identified and fixed as soon as possible. Oftentimes, clients do not have an active IT group that updates servers, firewalls and other devices when vulnerabilities arise. Computer systems require maintenance, backups and regular updates. Without these processes in place, power plants become an easy target for hackers looking for a thrill or a foreign government who may seek visibility by taking control of power plant environments.
Cyber Attack by Chinese Actor – A Case Study
Opportune LLP was engaged by a client to review a power plant on concerns that their site may not be secure from external cyber attacks. During our review, it was found that China had hacked into the control system through a Microsoft Windows machine connected directly to the Internet without firewall protection.
The local IT resource lacked security experience and did not understand the risks of how the computer was at risk. The malicious activity was subsequently traced back to China to hack into the power plant control system. Consequently, the hacked machine was eventually rebuilt, patched and moved behind firewalls to fix the issue. It is not known what China’s intent was for hacking the asset. We suspect it could have been using these easy targets to figure out a way how to cause physical damage to a power plant with an intent to disrupt the power grid.
Multiple Layers of Defense Needed
“Defense in depth” refers to employing multiple layers of security that makes it more difficult for cyber hackers to gain access to sensitive plant control networks. These can include complex passwords, shorter password expiration policies, two-factor authentication, firewalls configured with the least privileged access and intrusion prevention systems (IPS).
These augmented protective measures are important to deter hackers from computer systems. Complex passwords should always be required as they are a fundamental reason why accounts get hacked. Hackers load security programs with dictionary files and run variants by adding dates, prefixes and suffixes to create guessable password attacks. Some attacks can break passwords within minutes if passwords are not complex enough.
Two-factor authentication for remote access is one of the best security mechanisms for obtaining access to plant control environments along with something unique that is required to authenticate onto the control network environment. One-time passwords based on a hardware or software-based token generators also make password-guessing attacks more difficult for the attacker since these use one-time passwords based on complex algorithms.
Intrusion Prevention Systems
Cisco Firepower solutions (IPS) and similar tools can be an effective way to mitigate attacks from China, Russia or any location outside specific country regions based on known IP address ranges. Firewalls configured with these country IP blocks do not eliminate cybersecurity risk. Rather, they reduce it to a much smaller range of IPs that can make a connection to the firewall and prevent hacking attempts from the excluded locations.
Additional Firepower configurations can also block specific traffic types that can make hacking much more difficult. These configurations do not allow hackers infinite login and password guesses before a firewall blocks an attacker’s IP address.
Physical Security
An easy way to gain access to a network is to walk in and physically plant a computer on the network that can be accessed remotely for hacking internal systems. Many companies spend copious amounts of money on firewalls, (IPS) and other mechanisms to prevent hackers from getting through firewalls, but do not focus on the internal network. An internal attack is harder to detect and is easier to carry out because these attacks do not go through the Internet and bypass the detection systems that focus on external attacks coming from the Internet.
Many clients we have worked with did not have adequate physical security in place that challenged people they did not know. This made it easy for intruders to gain access to the internal network. Once a computer is on the network, various free tools are run to find data that can be used to gain access to administrative accounts, which provide full access to a company’s computing environment. Users typically store passwords in unencrypted spreadsheets, which can act as a gateway for accessing the entire environment.
Avoiding Common Pitfalls: ‘If It’s Easy for Users, It’s Easy for Hackers’
User education is key to an effective security strategy. Users are the easiest way to breach all the best security processes installed at plant locations if simple passwords are used to log into plant systems. User IDs and passwords should follow best practices by requiring them to be complex and expire on a set interval.
Physical security measures should require badge access to sensitive areas, preventing access to sensitive areas for “guests” and educate users to not hold doors open for people (i.e., tailgating). Users need to be comfortable to question and challenge someone they do not know if they are unescorted.
An effective patch-testing strategy should be implemented to address security vulnerabilities. Address critical issues quickly and implement a schedule for dealing with other vulnerabilities within a set time interval. The longer a security issue goes unpatched the easier hackers can gain access to the environment.
Networks and computing environments require constant updating to mitigate risks of hackers targeting a network. Keeping up to date on exposures will help mitigate cyber attacks.
The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.