A recent Chinese nation-state attack against 10 Indian power sector companies tore a page from the bad actor’s handbook. Tensions between China and India are running high over a disputed border. It appears to be a textbook attack patterned on another nation-state attack five years earlier, in which Russia attacked the power grid of Ukraine. That attack occurred during an ongoing cyberwar brought on by Ukrainian secession threats.
By Tari Schreider, C|CISO, CRISC, MCRP, ITILF, Senior Analyst at Aite Group
Attacks against India’s power infrastructure are not new. The following incidents demonstrate hackers’ appetite for Indian power companies:
- 2020: Jammu and Kashmir State Power Development Department – ransomware
- 2019: Andhra Pradesh Eastern Power Distribution Company Limited (APEPDCL) – ransomware
- 2018: Uttar Haryana Bijli Vitran Nigam Limited (UHBNVL) – ransomware
- 2017: West Bengal State Electricity Distribution – ransomware
In these ransomware attacks, hackers attempted to extort ransoms in the hundreds of thousands of US dollars. Impacts on the power companies ranged from loss of essential data and critical utility applications rendered inoperable to widespread disruption for customers.
We’re Air-gapped, All Good Here
Cyberattacks against utility companies occur less frequently, primarily because of the diversity of their technology platforms. Cybercriminals are adept at back-office systems but less proficient at supervisory control and data acquisition (SCADA) systems and industrial control systems (ICS). SCADA and ICS systems tend to be “air-gapped” from the Internet, further distancing them from bad actors. The problem with believing that SCADA and ICS systems are therefore secure is that most utility companies forget these systems depend on many support services that are not air-gapped from the Internet. Utility companies rely on internal systems such as applications to field trouble calls, create repair orders, pay bills, coordinate repair materials, dispatch contractors, pay invoices, and handle service disconnections. When a cyberattack takes these systems down, the whole utility is disrupted. This interdependency damage scenario will become more common as more utility companies fuse operational technology with information technology.
The Dominos Fall
One such example occurred 4,300 miles from India’s capital, in Johannesburg, South Africa. In July 2019, City Power, Johannesburg’s electric utility company, suffered a crippling ransomware attack that encrypted a significant portion of its IT operations and prevented many essential services from continuing. The Achilles’ heel in this outage was an application that allows customers to buy and sell electrical power unit credits through prepaid vending; when it ceased to function, power disruptions followed throughout the city. The magnitude of City Power’s cyberattack can be appreciated when you realize that 245,433 of its customers rely on prepaid power credits.
China, Russia, Hacking Oh No!
In December 2016, the world saw one of the most brazen cyberattacks by one sovereign country on another. Just days before Christmas, Russian hackers attacked Ukraine’s national power grid operator, Ukrenergo, causing a system-wide blackout for one hour. Cybersecurity firm Dragos, Inc. reconstructed the attack and learned that its intent appeared to be mass destruction of the power grid. Only through a misstep by the hackers and a little luck on Ukrenergo’s side was the attack’s full brunt unwittingly thwarted. You can read a comprehensive analysis of Dragos’ investigation in New Clues Show How Russia’s Grid Hackers Aimed for Physical Destruction. In a tale of history repeating itself, Russia attacked Ukraine’s power infrastructure again in 2017, when a ransomware attack against Ukraine caught the Energy Company of Ukraine in its crosshairs.
Glass Half Full?
A 2019 study by Siemens and the Ponemon Institute stated that “54% of the 1,726 utility professionals expected a cyberattack on their critical infrastructure in the next year.”1 What concerns me is what the 46% who believed just the opposite were doing in 2020 to prepare to fend off a cyberattack. What are you doing this year to defend against a clear and present threat to your organization’s critical infrastructure?
1 Utilities Vulnerable to Cyber Attacks, Finds Study, T&DWorld, October 8, 2019
About the Author
Tari Schreider is a distinguished technologist and nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. He is currently a Senior Analyst with Aite Group, LLC, covering cybersecurity technologies and practices, and was formerly Chief Security Architect at Hewlett-Packard Enterprise and National Practice Director for Security and Disaster Recovery at Sprint E|Solutions. Schreider is an instructor for EC-Council, where he teaches advanced CISO certification and risk management courses.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.