The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 

WARNING: SIGN-IN

You need to be a member of Energy Central to access some features and content. Please or register to continue.

Post

N-Days: The Overlooked Cyber Threat for Utilities

The most dangerous type of cyberattack any electric utility will encounter is one that targets its industrial control system (ICS) environment. While attacks on the front-office networks can be disruptive, costly and even debilitating, it is the ICS environment which is the “crown jewel” of the operation and the point at which an attacker can actually trigger physical destruction and endanger lives.

Yet it is precisely within the ICS where security is weakest and utilities are at their most vulnerable. 

Our research has shown that numerous firmware-level security flaws and weaknesses exist within the controllers and network modules in an ICS network. To make matters worse, many of these are not new vulnerabilities - they are older software flaws which have been publicly documented and known about for some time. That means hackers know about them too. 

This type of known vulnerability is called an “n-day.” What makes an n-day far more dangerous than a “zero-day” - which in recent years has received far more attention - is that an n-day requires far less effort on behalf of the hacker to exploit. What is rarely talked about when it comes to zero-days is that they are difficult, costly and time-consuming to discover and exploit. N-days, however, are just the opposite - they are well known and in many cases ready-made exploits already exist. This makes n-days a far more problematic scenario for utility operators.

Cyber Threat Overview

Utility operators need to realize they are on the front lines of America’s cyber defense battleground. 

More and more nations are developing cyber warfare capabilities, and key to these  efforts is the ability to disrupt the power supply of an adversarial state. Russia, China, Iran and North Korea are all believed to be developing offensive cyber capabilities, and have the sophistication and resources to carry out these types of attacks. Future military conflicts between the US and other countries will very likely include a cyber warfare component, and it is not unrealistic to expect that the US power grid will be targeted. 

But utilities are also at the top of the list for a variety of other threat actors. Terrorist groups, organized crime and even hacktivists could use a cyber attack on an electric utility for their own purposes, whether the goal is propaganda or extortion.

Utility networks are also far more exposed today than they were 20 or 30 years ago, because these systems are now connected to the Internet. And they are becoming even more so with the rise of Internet of Things and Industrial Internet of Things devices and components. This connection allows a remote attacker to gain access to ICS systems, but there are other threats to consider too, from employees or contractors with direct access to sensitive systems and devices, mobile media devices like USBs and CD-ROMs which may unwittingly bring an infection inside the network, etc. 

Today’s hackers are also better equipped than they were in years past. Automated scanning tools make it easier to search for known vulnerabilities in a device or network. Publicly accessible research into ICS firmware, vulnerabilities and exploitation have expanded the knowledge base for these attacks. The rise of “crime-as-a-service” in the Dark Web, where hackers can buy toolkits, exploits, malware and other products or services to aid in their attacks have also increased the hacker’s capabilities. 

All of these threats are converging on the utility operator. This is why cybersecurity must be a top priority.

Real World Cases

N-day exploit attacks on industrial control systems should not be considered a low probability risk. The world has already seen a number of attacks on industrial targets that have exploited weaknesses in ICS devices and protocols. Several recent cases illustrate this threat: 

  • CrashOverride, or Industroyer, is one of the more dangerous examples of ICS malware. As many will recall, this malware was used in a December 2016 attack to disrupt operations at a Ukrainian electrical transmission substation, resulting in a regional power outage. Based on the analysis by ESET and Dragos, this malware exploits the known CVE-2015-5374 Denial of Service condition to the Siemens SIPROTEC relays.
     
  • TRITON, also known as HatMan, is a type of ICS malware discovered by FireEye’s Mandiant in 2017. The malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which provide emergency shutdown capability for industrial processes.
     
  • The BlackEnergy malware has also been implicated in the Ukrainian outage incident. It is designed for espionage as opposed to physical damage, but can be useful for gathering intel on targeted networks and maintaining persistent access to the ICS. According to Dragos, this malware contained exploits for specific types of HMI applications including Siemens SIMATIC, GE CIMPLICITY and Advantech WebAccess. 

Unique Challenges for Industrial Control Systems

While n-days pose a threat to any large network, industrial users like utilities are at an especially high risk because of specific circumstances unique to those environments:

1. Systems must always be available. 

2. No standardization. In an ICS, as opposed to a standard computing environment, patching is often a manual proprietary process that requires unique software and knowledge for each vendor. 

3. Patches rarely propagate between vendors that use shared code. This highlights an example we covered at S4. In that case, a vulnerability was reported to a vendor in a different sector (telecom) and was patched by the software vendor (Intel/Windriver) but patches were not applied by a number of large vendors in ICS. 

4. Extended lifetime. Systems are typically deployed in the field for over a decade and well past their support period. Vendors who desire to sell new products are disincentivized to routinely patch and support older products with security updates, even if they are still commonly found in the field.

Uncovering the N-Day Threat

For more than a year, our team analyzed n-day vulnerabilities in the firmware of widely used ICS devices in order to gain a better understanding of the problem. Some of these findings were recently presented at the S4X18 security conference in Miami.

Through our research, we found that n-days are extremely common in the ICS environment. We discovered hundreds of n-days, ranging from low to high severity, within the ICS firmware of leading device manufacturers. Nearly every operator who reads this article is likely to have numerous n-days in their systems, many of which are severe (at a CVSS severity score of 7/10 or higher). Some of the n-days we found were over two years old.

Many of the n-days we discovered in ICS firmware are critical in nature and could allow a hacker to gain remote access and total control over parts of an industrial operator’s network or facility. These n-days could allow attackers to replicate the effects of CrashOverride, TRITON, BlackEnergy, or even Stuxnet much more easily, and at a much wider scale. For example, in our research into the VxWorks vulnerability, we found that many top manufacturers had a product that remains unpatched against this n-day. In no case was this vulnerability listed for the individual ICS products, so vendors may not even know these vulnerabilities exist. The vulnerabilities can be exploited for such malicious purposes as manipulating settings and controls, physically damaging or destroying equipment, disrupting key operations, and stealing sensitive information.

Further complicating matters, many of the the n-day vulnerabilities we found in ICS firmware were considered low complexity, which means it would not be difficult for a hacker to exploit them if he/she can just get access to the operator's network. For example, it took our researchers just a few days to a few weeks to adapt a discovered n-day into a potential attack.

Due to the large number of vulnerabilities we discovered and the long lead time on ICS patching (as well as the low patch penetration rate), we decided not to disclose individual vulnerabilities against named devices for fear of arming attackers while device operators would be unable to respond.

What is the Solution?

Unfortunately, ICS n-days are not a simple problem to address. The solutions are limited by technical complications and a slow-to-act supply chain. Nonetheless, there is a lot the industry can be doing to address the problem.

First and foremost, utilities need to be far more engaged with ICS equipment manufacturers about their security concerns. Firmware security needs to become a key negotiating point with these vendors and operators should demand more robust built-in security features for the products they are buying. Every component of the ICS environment should have strong security baked-into the software, firmware and hardware from the very start to lower the overall risk of n-days and other problems.

The current reactive approach of patching known vulnerabilities is no longer tenable. Every component of the ICS environment should have strong security baked into the software, firmware and hardware from the very start in order to lower the overall risk of n-days and other problems, and to mitigate or prevent damage from their exploitation. The best solutions will combine intrusion detection and mitigation techniques to protect against known and unknown attacks without relying on continuous updates. By and large, these features do not exist, so it is incumbent upon manufacturers to develop or source this technology as quickly as possible.

Secondly, utility operators need to be far more proactive with their own networks. They need to scan their networks regularly for known vulnerabilities. They also need to stay on top of the latest vulnerability reports and execute security patches whenever these become available from the vendors. When patches are not available, operators need to contain the threat as much as possible by taking such actions as: air-gapping critical systems; prohibiting the use of external media devices (USBs, CD-ROMs); establishing strict controls on physical access to these systems, especially from third-party contractors; conducting open source intelligence audits to eliminate vulnerable/open ports from public information sources; active network security monitoring; and checking traffic related to logic updates for ICS equipment.

Conclusion

N-day vulnerabilities pose a substantial threat to utilities. These operators need to take a number of preventive measures to reduce the threat. More proactive security during the development process is key, and operators need to engage with their vendors to ensure that they make this a priority.

Ang Cui's picture

Thank Ang for the Post!

Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.

Discussions

No discussions yet. Start a discussion below.

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »