Electrical grid is said to be vulnerable to terrorist attack. I can agree that electrical power distribution network would be quite vulnerable if someone tries to sabotage it and knows what to do. I know this because I design software and hardware for control systems for electrical companies.
Some days ago I saw in Finnish television an interesting documentary Suomi polvilleen 15 minuutissa (viewable on Yle Areena at least for Finnish people still for few weeks). It says that in Finland there has been debate on how many weeks the army could protect the country against potential attacks. The document says that the country could collapse in 15 minutes if some outside attacker or a small terrorist group would attack to certain key point in power network. Practically nothing would work anymore without power and it will take quite bit of time to get replacement parts for some key component. There are not too many spare parts and it it take months or a year to build a new big high voltage distribution transformer.
This vulnerability would hold to practically all developed countries. I have understood that Finnish electrical power distribution network would be in pretty good condition compared to electrical power networks on some other countries. I think that in many countries could quite easily cause huge problems by damaging some key points on power distribution network. Those attacks could be either cyber-attacks or attacks or damaging physical infrastructure.
In USA there has been lots of talk lately about electrical grid vulnerability to terrorist attack. There are warnings like this: Cyber-terrorists could target the U.S. electrical grid and throw the nation into chaos. And there is indeed some truth on those because this critical infrastructure is vital to a country’s economy and security, not a new target for terrorist groups (there have been documented incidents since the 1970s), inherently vulnerable (economical and practical reasons) and extremely hard to protect well. The electric power delivery system that carries electricity from large central generators to customers could be severely damaged by a small number of well-informed attackers. The system is inherently vulnerable because transmission lines may span hundreds of miles. Electrical infrastructure is not necessarily a new target for terrorist groups- there have been documented incidents since the 1970s.
New York Times writes that Terrorists could black out large segments of the United States for weeks or months by attacking the power grid and damaging hard-to-replace components that are crucial to making it work. By blowing up substations or transmission lines with explosives or by firing projectiles at them from a distance, the report said, terrorists could cause cascading failures and damage parts that would take months to repair or replace.
Remember the fact that causing large scale problems for long time is usually hard. In Debunking Theories of a Terrorist Power Grab article a Penn State power-system expert cites laws of physics to pull the plug on worries that a terrorist attack on a minor substation could bring down the entire U.S. electric grid. The most vulnerable points are the ones that have the most energy flowing through them — like huge power stations or highly connected transformers. Those are the ones that should be well protected well and there should not be too much worrying on protecting smaller transformers.
Here are few links to articles for more information:
- Panel: Electrical grid vulnerable to terrorist attack
- Terrorist Attack on Power Grid Could Cause Broad Hardship, Report Says
- Protecting the Electric Grid from Terrorism — Nobody is in Charge
- Cyber-terrorist attack on U.S. electrical grid could be “gravest short term threat” to national security
- Report: U.S. Electric Infrastructure ‘Inherently Vulnerable’ to Terrorist Attacks
- Debunking Theories of a Terrorist Power Grab
- Thousands Seen Dying If Terrorists Attack U.S. Power Grid
- The Protection of Public Facilities against Terrorist Attacks
- Critical to Infrastructure: Attacks on Electrical Network
There is also a free book Terrorism and the Electric Power Delivery System on-line covering those topics. Check it out if you want to learn more. It gives you much more background than those articles.
498 Comments
Tomi Engdahl says:
Feds have plan in case we are hit with catastrophic solar flares
http://www.digitaljournal.com/science/white-house-prepares-six-step-plan-for-catastrophic-solar-flares/article/448073
We take the nation’s power grid for granted. But what would happen if the power went out all over the country, or all over the world? This scenario has resulted in the White House coming out with a contingency plan if a massive solar flare hits.
Most of us are familiar with the devastation caused by hurricanes, earthquakes, and even droughts. But there is one natural phenomenon that could devastate our technology-driven society, and that is space weather.
We hear and read about electromagnetic pulses (EMPs), solar flares and coronal mass ejections (CMEs). As a matter of fact, an intense solar flare disrupted low-frequency radio wave communications over South America and the Atlantic Ocean on September 28 this year.
And in October 2014, Digital Journal reported on an X-Class event, the most powerful kind of solar flare.
Space weather scientists are kept busy watching the sun
Space weather scientists with the National Oceanic Atmospheric Administration (NOAA) and NASA have warned for years that if a massive solar storm were to hit the earth, the effects would be beyond catastrophic. An EMP would take down electrical grids, quite possibly on a global scale, and it could last for months and months.
Think about this, no satellites, no telecommunications capabilities, no refrigeration, no airlines, no water and no food supply line. Why? Because almost everything we use or rely on is partially or fully dependent on electricity. It can be a frightening scenario to contemplate. “Frankly,” space weather consultant John Kappenman told Gizmodo last month, “this could be one of the most severe natural disasters that the country, and major portions of the world, could face.”
A web of interdependencies makes the modern economy especially sensitive to solar storms.
Read more: http://www.digitaljournal.com/science/white-house-prepares-six-step-plan-for-catastrophic-solar-flares/article/448073#ixzz3qcLuPbpS
Tomi Engdahl says:
New Tool Guides Infrastructure Recovery After Disasters
http://www.techbriefs.com/component/content/article/1198-ntb/news/news/23398-new-tool-guides-infrastructure-recovery-after-disasters
A new computerized tool guides stakeholders in preparing for, and recovering from, natural and man-made disasters such as the cyclones in India that knocked out swaths of the Indian Railways Network. The method, developed by Northeastern University researchers, guides stakeholders in the recovery of large-scale infrastructure systems. Other possible applications include water-distribution systems, power grids, communication networks, and natural ecological systems.
The tool, based on a quantitative framework, identifies the order in which the stations need to be restored after full or partial destructions,”
The model gives decision-makers — urban planners, emergency managers, operations personnel — the ability to prioritize where to place mitigation measures, such as backup power, and other safeguards, including computer-security, to make the overall system better withstand the risk of disruption.
Tomi Engdahl says:
Iranian hackers ‘targeted’ New York dam
http://www.bbc.com/news/technology-35151492
Iranian hackers penetrated the computers controlling a dam near New York, reveals the Wall Street Journal.
The 2013 attack did no damage but revealed information about how computers running the flood control system worked, said the paper.
Hackers working for nation states regularly hit national infrastructure targets, said a separate AP report.
About 12 times in the last decade hackers have won high-level access to power networks, it said.
Detailed plans
Extensive information about the Bowman Avenue dam in Rye, New York state was taken by the hackers, experts familiar with the incident told the newspaper.
An investigation pointed to Iran as the likely source of the attack and alerted US authorities to the significant cyber warfare capabilities of that nation, said the report The same group of hackers that attacked Bowman Avenue was also implicated in separate attacks on three US financial firms, it added.
The US power network has also come under regular attack by “sophisticated foreign hackers” said AP in an extensive investigation.
Many times security researchers had found evidence that hackers had won access to these sensitive systems. So far, all the attacks seemed intent on gathering detailed information, including engineering drawings, about networks and facilities.
One extensive campaign gave hackers access to 82 separate plants spread across the US and Canada.
The knowledge accumulated by the attackers has not been used to shut down the power plants or change the way they work
Hackers could get at the power plants and other parts of national infrastructure because many of the systems were set up long before the need to protect them against remote attacks became apparent.
Tomi Engdahl says:
Flare-well, 2015 – solar storm to light up skies on New Year’s Eve
Northern Lights coming down as far as California after G3 eruption
http://www.theregister.co.uk/2015/12/30/solar_storm_northern_lights_in_california/
“The geomagnetic storming watch for 30 December has been upgraded to a G3 (Strong), with a G1 (Minor) storming watch still in effect for 31 December,” reads the NOAA advisory.
There’s no need for panic – this won’t be anywhere near as strong as the 1859 Carrington event, when a massive solar storm fried our then-primitive electronics.
The solar storm severity rating runs from 1 to 5, and a class 3 will only temporarily disrupt some radio traffic and possibly GPS signals. Power systems may also see voltages peaking, but on the plus side (thanks to the orbital position of the planet) we will get a lovely light show.
As the charged particles of the eruption hit our magnetosphere they’ll cause a spectacular display of ionization.
Tomi Engdahl says:
Hackers used malware to confuse utility in Ukraine outage – report
http://www.reuters.com/article/us-ukraine-cybersecurity-attack-idUSKCN0UO00W20160110
Hackers likely caused a Dec. 23 electricity outage in Ukraine by remotely switching breakers to cut power, after installing malware to prevent technicians from detecting the attack, according to a report analyzing how the incident unfolded.
The report from Washington-based SANS ICS was released late on Saturday, providing the first detailed analysis of what caused a six-hour outage for some 80,000 customers of Western Ukraine’s Prykarpattyaoblenergo utility.
SANS ICS, which advises infrastructure operators on combating cyber attacks, also said the attackers crippled the utility’s customer-service center by flooding it with phone calls to prevent customers from alerting the utility that power was down.
“This was a multi-pronged attack against multiple facilities. It was highly coordinated with very professional logistics,”
Experts widely describe the incident as the first known power outage caused by a cyber attack. Ukraine’s SBU state security service blamed Russia, and U.S. cyber firm iSight Partners identified the perpetrator as a Russian hacking group known as “Sandworm.”
The utility’s operators were able to quickly recover by switching to manual operations, essentially disconnecting infected workstations and servers from the grid
“What is now true is that a coordinated cyber attack consisting of multiple elements is one of the expected hazards (electric utilities) may face,”
Tomi Engdahl says:
Mapping Hundreds of Power Disruptions Caused by … Squirrels
The work hopes to counter political fear-mongering over terrorist cyberattacks.
http://www.citylab.com/design/2016/01/map-squirrel-cyberattack-power-outage-blackout-terrorism/423648/
An electrified squirrel causing a black-out in your neighborhood is more than an unfortunate occurrence for all parties involved—it’s a regular event that happens much more often than you might think.
Now, thanks to the work of an East Coast resident going by Cyber Squirrel, you can track the furry animals sadly snared in the grid. Cyber Squirrel has created a map, based on news reports, showing places where squirrels have gotten caught in power equipment and disrupted electrical service. It includes 623 instances since 1987, though the real number is likely much higher. (For variety’s sake, the map has dozens of reports of other creatures causing disruptions—214 for birds, 47 for snakes, nine for beavers, etc.)
The map’s creator hopes to contrast political fear-mongering over terrorist cyberattacks and what’s actually happening on a weekly basis.
As to the real number of bushy-tailed blowouts being larger, Cyber Squirrel points to an energy-industry spokesman saying squirrels caused 560 outages in Montana in 2015 alone
“[W]e logged over 300 events in 2015 worldwide. Think of how large the number really is. And we sit here and worry about cyber armageddon? We experience ‘armageddon’ every day…. Now does that mean power companies are perfectly safe from the cyberz? Absolutely not. There is definitely some risk there and as a national security issue it is an issue that needs attention. Just nowhere near the attention that [it] has been getting from the cyber war hawks.”
Cyber Squirrel 1
Disrupting at the highest levels, its #CyberWar4Ever!
http://cybersquirrel1.com/
This map lists all unclassified Cyber Squirrel Operations that have been released to the public that we have been able to confirm. There are many more executed ops than displayed on this map however, those ops remain classified.
Tomi Engdahl says:
SCADA “Selfies” a Big Give Away To Hackers
http://it.slashdot.org/story/16/01/19/0310229/scada-selfies-a-big-give-away-to-hackers
The world’s governments are on notice that their critical infrastructure is vulnerable after an apparent cyberattack darkened 80,000 households in three regions of Ukraine last month. But on the question of safeguarding utilities, operators of power plants, water treatment facilities, and other industrial operations might do well to worry more about Instagram than hackers, according to a report by Christian Science Monitor Passcode. Speaking at a gathering of industrial control systems experts last week, Sean McBride of the firm iSight Partners said that social media oversharing is wellspring of information that could be useful to attackers interested in compromising critical infrastructure. Among the valuable information he’s found online: workplace selfies on Instagram and Facebook that reveal details of supervisory control and data acquisition, or SCADA, systems.
“No SCADA selfies!” said Mr. McBride at the S4 Conference in Miami Thursday. “Don’t make an adversary’s job easier.” iSight has found examples of SCADA selfies at sensitive facilities and warns that such photos may unwittingly reveal critical information that operators would prefer to keep secret.
Worried about cyberattacks on US power grid? Stop taking selfies at work
http://www.csmonitor.com/World/Passcode/2016/0115/Worried-about-cyberattacks-on-US-power-grid-Stop-taking-selfies-at-work?cmpid=TW
Experts warn that malicious hackers gain valuable insight when companies and employees reveal too much information on the Web – especially when they work at sensitive facilities.
The world’s governments are on notice that their critical infrastructure is vulnerable after an apparent cyberattack darkened 80,000 households in three regions of Ukraine last month.
Social media oversharing is wellspring of information that could be useful to attackers interested in compromising critical infrastructure, said Sean McBride, senior threat intelligence analyst at iSight Partners. Among the valuable information he’s found online: workplace selfies on Instagram and Facebook that reveal details of supervisory control and data acquisition, or SCADA, systems.
iSight has found numerous examples of SCADA selfies at sensitive facilities and warns that such photos may unwittingly reveal critical information that operators would prefer to keep secret. The firm’s researchers have also discovered panoramic pictures of control room and video walk-throughs of facilities.
In addition to posting videos and photos on the Web, corporate websites can divulge valuable information to adversaries. For instance, organization charts or lists of employees with contact information accessible via the utility website are valuable sources of information for would-be attackers, says McBride.
These kinds of easily accessible images have aided critical infrastructure attacks in the past.
In 2011, industrial control systems expert Ralph Langner used an image of a SCADA control system monitor in one of the photos to match the configuration of the Natanz centrifuges to configuration information in the Stuxnet malicious software created to hobble the facility.
Today, McBride said that he and fellow researchers have used open-source information from media, government, and private sources to identify 15 facilities in the US that are critical to the operation of the electric grid.
McBride suggested that critical infrastructure operators think like hackers before posting photos online: “Ask yourself, ‘What do my adversaries know about me and the organizations I support.’ “
Tomi Engdahl says:
Cyber Attack Caused Massive Power Outage
http://www.epanorama.net/newepa/2016/01/11/cyber-attack-caused-massive-power-outage/
Tomi Engdahl says:
The effects of a hacked power grid
http://www.edn.com/electronics-blogs/powersource/4441387/The-effects-of-a-hacked-power-grid?_mc=NL_EDN_EDT_EDN_weekly_20160211&cid=NL_EDN_EDT_EDN_weekly_20160211&elqTrackId=fa23901aa29646f9afdf9e4c56a5e872&elq=47c0069f95944aad8205fdc33fe9724d&elqaid=30798&elqat=1&elqCampaignId=26939
Oil and gas, water and electric power rely on SCADA (supervisory control and data acquisition), protection, and monitoring systems that use communications networks. The use of communications networks makes these systems potentially vulnerable to cyberattack.1
A power blackout in the Ukraine recently affected about 1.4 million people using an espionage Trojan known as BlackEnergy. The attack looks to be first time that malware has been used to create a large-scale power disruption.
The power grid failure took down nearly a quarter of the country’s power for several hours. This type of cyber threat is now becoming more of a reality as power delivery and technology continue to merge.
Today, utilities are faced with a confusing array of cybersecurity guidance, standards, and regulatory requirements.
Keeping The Lights On — And Hackers From Crossing The Power Lines
http://graduatedegrees.online.njit.edu/msee-resources/msee-infographics/keeping-the-lights-on-and-hackers-from-crossing-the-power-lines/
The electric grid in the United States suffers from multiple issues, including inefficiency and high cost. Smart technologies have been touted to solve these and other operational difficulties. Yet, a shift can bring its own problems as well. Mixing power delivery with digital technologies opens up the possibility of disruptions caused by malicious entities. This threat must be seriously considered and mitigated with a carefully crafted strategy.
Tomi Engdahl says:
NIST Special Publication 800-82
Revision 2 Final
Public Draft
Guide to Industrial Control Systems (ICS) Security
http://csrc.nist.gov/publications/drafts/800-82r2/sp800_82_r2_second_draft.pdf
Tomi Engdahl says:
A Field Guide to the North American Utility Pole
http://hackaday.com/2016/02/22/a-field-guide-to-the-north-american-utility-pole/
Tomi Engdahl says:
NSA Chief Worries About Cyber Attack on US Infrastructure
http://www.securityweek.com/nsa-chief-worries-about-cyber-attack-us-infrastructure
SAN FRANCISCO – RSA CONFERENCE 2016 – US National Security Agency chief Michael Rogers warned Tuesday that hackers will try to mount a cyber attack against US infrastructure, similar to the power failure in western Ukraine last year.
“It’s only a matter of the when, not the if, you are going to see a nation state, a group or an actor engage in destructive behavior against critical infrastructure of the United States,” Rogers told a cybersecurity conference in San Francisco.
Rogers also heads the US military’s Cyber Command, which is engaged in targeting enemy networks and social media sites.
On December 23, parts of western Ukraine were plunged into darkness after a computer virus affected the networks of several regional electricity companies.
“An actor penetrated the Ukrainian power grid and brought large segments of it offline in a very well-crafted attack that both focused on knocking the system down but also focused on how was the provider likely to respond to that outage,” Rogers said. ”
Seven weeks ago it was Ukraine. That isn’t the last we are going to see of this, and that worries me,” he added.
Tomi Engdahl says:
Solar explosion leads to blackout, March 10, 1989
http://www.edn.com/electronics-blogs/edn-moments/4429407/Solar-explosion-leads-to-blackout–March-10–1989?_mc=NL_EDN_EDT_EDN_today_20160310&cid=NL_EDN_EDT_EDN_today_20160310&elqTrackId=103aaabd0e79426b868df596b228d4c9&elq=7c336a274dea493baade1f84853706b9&elqaid=31244&elqat=1&elqCampaignId=27325
The sun constantly sends particles and energy toward Earth, but on March 10, 1989 astronomers witnessed a powerful explosion on the sun that released a billion-ton cloud of gas, 36 times the size of the Earth, toward our planet at a million miles per hour.
The solar flare and CME (coronal mass ejection) from the explosion caused immediate short-wave radio interference that jammed radio signals in Russia. CMEs can cause magnetic storms affecting communication systems, power grids, and astronauts in space.
Two days later, a cloud of solar plasma with electrically-charged particles, reached Earth’s magnetic field causing a geomagnetic storm (see the NASA animation below). The collision caused intense auroras at the poles that could be seen as far south as Florida and Cuba. As it occurred during the Cold War, some feared the lights in the sky were a nuclear strike.
The storm created electrical currents in the ground beneath North America, and on March 13 a blackout occurred after the Hydro-Québec power utility grid crashed when safety systems sensed a power overload caused by the currents pulsing through the ground.
Tomi Engdahl says:
IT, OT experts having trouble tracking ICS threats
http://www.controleng.com/single-article/it-ot-experts-having-trouble-tracking-ics-threats/57087155cc7c681925caa2ca0f48eec2.html
A survey of IT and OT professionals indicated that the is a lack of preparation for a potential cyber security attack against industrial control systems (ICSs), particularly in the energy industry, which faces more cyber attacks than any other industry.
Almost two-thirds of operational technology (OT) security professionals do not have to ability to accurately track all the threats targeting their networks, a new survey said.
On top of that, 82% of the respondents said a cyber attack on the OT side of the organization could cause physical damage, according to the survey by Tripwire Inc. Then when asked if their organization has the ability to accurately track all the threats targeting their OT networks, 65% replied, “no.”
The survey was conducted for Tripwire by Dimensional Research on the cyber security challenges faced by organizations in the energy sector. The study occurred in November 2015, and respondents included over 150 information technology (IT) professionals in the energy, utilities, and oil and gas industries.
Additional findings include:
More than three out of four respondents (76%) believe their organizations are targets for cyber attacks that could cause physical damage
Seventy-eight percent of respondents said their organizations are potential targets for nation-state cyber attacks
One hundred percent of energy executive respondents believe a kinetic cyber attack on operational technology would cause physical damage.
Oriental Motor
“The incredibly high percentages of these responses underscores the need for these industries to take material steps to improve cyber security,”
“We’ve already seen the reality of these responses in the Ukraine mere months after this survey was completed,” Erlin said. “There can be no doubt that there is a physical safety risk from cyber attacks targeting the energy industry today”
Tomi Engdahl says:
U.S. Electric Grid – America the Vulnerable
http://www.securityweek.com/us-electric-grid-america-vulnerable
In the new digital age, the threat of cyber attack reaches every part of modern society. Electrical power runs just about every aspect of life for most people, and most are not prepared when the power source is interrupted or goes away. A public announcement could be made one week ahead of time, and the majority of people would still be in the same vulnerable position if the power were to go away abruptly.
Last year Lloyd’s published a report titled “Business Blackout” where they shared their analysis and findings of an imminent cyber attack on the U.S. power grid. In their attack scenario, attackers were able to inflict physical damage on 50 of the 700 generators on the electrical grid on the east coast where there is a substantial population of people in major cities that includes New York City, Washington D.C. and Boston. In this situation, 93 million people were affected by a blackout.
There would most certainly be mass chaos among the population, and the total impact to the USA in the Lloyd’s report is estimated at $243 billion dollars and rising to over $1 trillion in extreme cases. In an already fragile and recovering economy, an attack like this could cripple the country and most certainly disrupt any momentum the economy had been able to gain.
Not only is this scenario possible, I believe it is imminent. Based on existing intelligence, it is reasonable to assume that nation-states already possess all the information they need to launch such an attack on the U.S. power grid – they choose not to because of political implications. I also believe the USA possesses the same capabilities. It isn’t just nation-states that we need to be concerned with, as radical terrorist groups are highly motivated to bring harm to the American people and economy.
Within the energy sector, here are just a few examples of reported attacks or attempted attacks:
• In 2012 and 2013 Russian hackers were able to successfully send and receive encrypted commands to the U.S. power generators.
• The Department of Homeland Security (DHS) announced last year that unauthorized cyber hackers were able to inject malicious software into the grid operations that allowed spying on U.S. energy companies.
• In October of last year, US law enforcement officials reported a series of cyber attacks that were attempted by ISIS targeting the U.S. power grid.
• In December 2015, the Associated Press reported that “security researcher Brian Wallace was on the trail of hackers who had snatched a California university’s housing files when he stumbled into a larger nightmare: cyber attackers had opened a pathway into the networks running the United States power grid.”
Home Security Deputy Secretary Alejandro Mayorkas acknowledged in an interview, “we are not where we need to be” on cybersecurity.
The Good News – And Practical Tips to Reduce the Threat Surface
Tomi Engdahl says:
Homeland Security report hoses down energy-sector ‘cybergeddon’ talk
It’s all the media’s fault. Even when the DHS hypes things up
http://www.theregister.co.uk/2016/04/06/dhs_report_tones_down_energysector_cybergeddon/
Everybody knows how easily the world could be plunged into a New Dark Ages with nothing more than a handful of hacker keystrokes – everybody except the United States Department of Homeland Security (DHS).
In a report obtained and published by Public Intelligence researchers, the DHS contradicts most of the received wisdom attached to the critical infrastructure debate, by assessing the immediate risk to America’s energy network as “low”.
The intelligence assessment, entitled Damaging Cyber Attacks Possible but Not Likely Against the US Energy Sector, has been circulated among America’s policy-makers since January.
Working with ICS-CERT, the DHS has come to the conclusion that the main aim of nation state-level attackers on the US energy sector is espionage rather than destruction.
“The APT activity directed against sector industrial control system (ICS) networks probably is focused on acquiring and maintaining persistent access to facilitate the introduction of malware, and likely is part of nation-state contingency planning that would only be implemented to conduct a damaging or disruptive attack in the event of hostilities with the United States”, the report says under the heading Key Judgements.
While there were 17 intrusions “against the US energy sector” reported in 2014, for example, the report says the “APT actors did not cause any damage or disruption”.
Comment
The DHS’s public rhetoric doesn’t always help media distinguish between real and imagined threats. A good example is in how the report dissects the now-famous December blackouts in the Ukraine.
In March, ICS-CERT was confident about attributing the attacks to intrusions: “power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers”.
Tomi Engdahl says:
U.S. Electric Grid – America the Vulnerable
http://www.securityweek.com/us-electric-grid-america-vulnerable
In the new digital age, the threat of cyber attack reaches every part of modern society. Electrical power runs just about every aspect of life for most people, and most are not prepared when the power source is interrupted or goes away. A public announcement could be made one week ahead of time, and the majority of people would still be in the same vulnerable position if the power were to go away abruptly.
Last year Lloyd’s published a report titled “Business Blackout” where they shared their analysis and findings of an imminent cyber attack on the U.S. power grid. In their attack scenario, attackers were able to inflict physical damage on 50 of the 700 generators on the electrical grid on the east coast where there is a substantial population of people in major cities that includes New York City, Washington D.C. and Boston. In this situation, 93 million people were affected by a blackout.
There would most certainly be mass chaos among the population, and the total impact to the USA in the Lloyd’s report is estimated at $243 billion dollars and rising to over $1 trillion in extreme cases. In an already fragile and recovering economy, an attack like this could cripple the country and most certainly disrupt any momentum the economy had been able to gain.
Tomi Engdahl says:
German nuclear plant found riddled with viruses
http://www.epanorama.net/newepa/2016/04/27/german-nuclear-plant-found-riddled-with-conficker-other-viruses-apps-and-software-geek-com/
Nuclear Power Plant Infected by Computer Virus
http://www.epanorama.net/newepa/2016/05/01/nuclear-power-plant-infected-by-computer-virus/
Tomi Engdahl says:
Michigan electricity utility downed by ransomware attack
Don’t click on the links, don’t click on the links, don’t …
http://www.theregister.co.uk/2016/05/03/michigan_electricity_utility_downed_by_ransomware_attack/
A water and electricity authority in the US State of Michigan has needed a week to recover from a ransomware attack that fortunately only hit its enterprise systems.
Lansing’s BWL – Board of Water & Light – first noticed the successful phishing attack on its corporate systems on April 25, and has had to keep systems including phone servers locked down since then.
Tomi Engdahl says:
One good example of this is the Belkin WeMo platform. Young says you can install a device like this outlet that you can control with your smartphone in five minutes. Yet, there might not be any intrusion detection for a product like that. In a worst case scenario, he says, a Chinese hacker could find a vulnerability for these outlets and then power cycle them repeatedly for thousands of users all over the U.S. to cause massive blackouts. Yet, for the end-user, there is some incredible usefulness, energy savings, low costs, and a simple install.
Foeckl says it’s this emerging utility and usefulness that makes IoT more vulnerable.
Source: http://www.csoonline.com/article/3077537/internet-of-things/security-concerns-rising-for-internet-of-things-devices.html
Tomi Engdahl says:
Monkey business takes out a power grid
http://www.edn.com/electronics-blogs/powersource/4442201/Monkey-business-takes-out-a-power-grid?_mc=NL_EDN_EDT_EDN_today_20160623&cid=NL_EDN_EDT_EDN_today_20160623&elqTrackId=de4e855381f7439e9e1a0f0af48e96f8&elq=4976bf49cec34e4d957919930a7ba365&elqaid=32805&elqat=1&elqCampaignId=28654
In the US, states can require power companies to install blocking devices or other technologies to protect large transformers and generators against man-made electromagnetic pulse (EMP) attacks created by nuclear detonations or geomagnetic disturbances caused by solar storms. But how do you protect against a smart monkey?
In Kenya recently, a monkey, native to that country, climbed onto the roof of the 180 MW Gitaru hydroelectric power station and then jumped or fell onto a transformer which became overloaded. The transformer subsequently tripped. This seemingly simple event actually triggered a nationwide blackout.
It is possible that the nationwide blackout was caused by a further cascade of transformer trips, or the grid may have tried to deal with a rapid reduction in power generation. Power was restored to the nation four hours later, and the monkey survived and has now been taken in by the Kenya Wildlife Service.
Tomi Engdahl says:
Is Your Smart Grid Secured?
http://www.eetimes.com/author.asp?section_id=36&doc_id=1330035&
Involved in early days projects to add communication and intelligence to power supplies, which became the so called “Digital Power” I have been frequently asked about software security and how the power supplies industry was prepared to address such issues.
If it is for sure, there is very little risk a hacker reaches a single Digital-POL at board level, the risk increases exponentially as we move upward in the value chain and, in that chain, the Smart Grid is probably the highest and the most exposed to attacks. At a time when the number of renewable power sources is growing, smart meters are being deployed and many others are being connected to the Smart Grid, what is the situation in terms of security? Are we safe?
Risk escalation
From 2007, when the US government demonstrated, in the Aurora Generator Test, that with only 21 lines of codes hackers could take control of a power plant and physically destroy a generator; to April 2016 when a water and electricity authority in the State of Michigan, after being victim of a ransomware attack was forced to keep IT systems locked down for a week, the number of cases reported to security authorities is rapidly increasing.
The Florida International University estimated that, during the first six months of 2015, more than100 cyber incidents have affected infrastructure in the US and the energy sector had the largest number of attacks. Cyber-attacks toward Smart Grid is a global threat and all countries are exposed to high risk, motivating power experts and networks managers to consider a global response and methodology to prevent any damages.
February 2016, the US Department of Homeland Security (DHS) issued an alert (IR-ALERT-H-16-056-01), reporting on a case that happened on December 2015 in Ukraine, raising the information to a high level of attention to Smart Grid Operators, motivating them to accelerate protection mechanisms and to develop preventive actions policies.
Black Christmas for Ukrainians!
December 23rd 2015 at 04:00 PM, the Ukrainian’s region Ivano-Frankivsk was plunged into darkness for several hours and more than 220.000 customers lost power and, the IT and communications systems of the utility companies were severely damaged by the attackers.
SCADA systems are basically Process Control Systems (PCS) that are used for monitoring, gathering, and analyzing real-time environmental data. PCSs are designed to automate electronic systems based on a predetermined set of conditions, such as traffic control or power grid management.
Making the Smart Grid safer!
The Smart Grid is an extremely complex architecture with a lot of areas for intrusions and attacks. Especially when operating a Smart Grid has moved from managing electricity distribution to a super Information and Communication Technology machinery.
“Technological advances in grid operation have made the power grid increasingly vulnerable to cyberattacks. The growth of the smart grid has created many more access points for penetrating grid computer systems – the “internet of things” will only make this worse.”
All over the world, governmental, consortiums and group of experts are engaged in an amazing race to deploy security methods and protocols to make the Smart Grid safer. In the USA, the set of Critical Infrastructure Protection (CIP) standards issued by the North American Electric Reliability Corporation (NERC) became mandatory in 2007 for owners, operators and users of the Bulk Electric System (BES). That is to ensure that certain assets on the grid critical to reliable operation are protected from both a cybersecurity and physical security standpoint.
In Europe, despite a number of initiatives within the European network and information security community to establish frameworks and standard operating procedures, the EU-level response to cyber incidents lacks consistency though projects such as the EU-funded Smart Grid Protection Against Cyber Attacks (SPARKS) are showing very good signs of progresses.
A signal we should never forget
Because of the complexity and the variety of connected devices to the Smart Grid, power supplies manufacturers will have to consider the security aspect when their products integrated within a Smart Grid. As I introduced at APEC 2015 Software Defined Power Architecture are deploying fast in the ICT industry and some systems, already installed in data-centers, are connected to the Smart Grid and communicating through the SCADA system.
To close the loop, if there is little risk a hacker would send a command to a POL blasting a local core processor, the risk for a UPS and even a frontend rectifier to receive a fatal command is not excluded.
Tomi Engdahl says:
The Bomb-Sniffing Dogs That Patrol Russia’s Power Stations
https://www.wired.com/2016/11/bomb-sniffing-dogs-protecting-russian-power-stations/
Fifteen hydroelectric plants provide power to the 3 million people of Dagestan, and each of them is a tempting target for terrorists in a Russian republic facing an Islamic insurgency. Their security is paramount, and it starts with dogs.
Forty German and Belgian shepherds join guards in safeguarding the plants, sniffing out any sign of trouble.
Tomi Engdahl says:
Experts Propose Cybersecurity Strategy for Nuclear Facilities
http://www.securityweek.com/experts-propose-cybersecurity-strategy-nuclear-facilities
Institutionalizing cybersecurity, reducing complexity, active defenses and transformative research should be a priority in reducing the risk of damaging cyberattacks at nuclear facilities, according to the Nuclear Threat Initiative (NTI).
While the Stuxnet attacks aimed at Iran are the most well-known, nuclear facilities in Germany and South Korea have also been hit by cyberattacks. European Union officials have also raised concerns about the possibility of attacks against Belgium’s nuclear plants.
Reports published in the past months warned that countries are not prepared to handle attacks targeting their nuclear facilities, and the nuclear industry still underestimates cyber security risk.
A report published on Wednesday by the NTI provides a set of recommendations for improving cyber security at nuclear facilities based on a 12-month analysis conducted by an international group of technical and operational experts.
One of the most important priorities involves institutionalizing cybersecurity. Specifically, nuclear facilities should learn from their safety and physical security programs and integrate these practices into their cybersecurity programs.
Another priority should be active defenses. Experts pointed out that a determined adversary will likely be capable of breaching the systems of a nuclear facility and organizations must be prepared to efficiently respond to such incidents.
Reducing the complexity of digital systems should also be a priority for nuclear facilities. Experts recommend minimizing the complexity of digital systems and even replacing them with non-digital or secure-by-design products.
Finally, the NTI recommends conducting transformative research with the goal of developing hard-to-hack systems for critical applications.
“Today’s defenses are no longer adequate, and a fresh look at how to best protect nuclear facilities from cyberattack is needed,” experts wrote in the NTI report. “The threat is too great, and the potential consequences are too high, to remain comfortable with the status quo.”
Tomi Engdahl says:
Russian hacks into Ukraine power grids a sign of things to come for U.S.?
http://www.cbsnews.com/news/russian-hacks-into-ukraine-power-grids-may-be-a-sign-of-things-to-come/
Russian hacking to influence the election has dominated the news. But CBS News has also noticed a hacking attack that could be a future means to the U.S. Last weekend, parts of the Ukrainian capitol Kiev went dark. It appears Russia has figured out how to crash a power grid with a click.
Vasyl Pemchuk is the electric control center manager, and said that when hackers took over their computers, all his workers could do was film it with their cell phones.
“It was illogical and chaotic,” he said. “It seemed like something in a Hollywood movie.”
The hackers sent emails with infected attachments to power company employees, stealing their login credentials and then taking control of the grid’s systems to cut the circuit breakers at nearly 60 substations.
The suspected motive for the attack is the war in eastern Ukraine
But hackers could launch a similar attack in the U.S.
“We can’t just look at the Ukraine attack and go ‘oh we’re safe against that attack,’”
the malicious software the hackers used has already been detected in the U.S.
In Ukraine, they restarted the power in just hours. But an attack in the U.S. could leave people without electricity for days, or even weeks, according to experts. Because, ironically, America’s advanced, automated grid would be much harder to fix.
“Even if we just lose a portion, right? If we have New York City or Washington D.C. go down for a day, two days, a week, what does life look like at that point?”
Tomi Engdahl says:
What’s the biggest danger to the power grid? Hackers? Terrorists? Er, squirrels
Turns out Mother Nature is a killer for power and people
https://www.theregister.co.uk/2017/01/19/biggest_danger_to_power_grid_is_squirrels/
For decades now people have been claiming that the power grid could be taken down by terrorists. However, simple statistical analysis shows that the biggest danger isn’t online hackers, but squirrels – aka rats with good PR.
Fast forward to 2017, and Thomas is still beavering way: he’s found that not only are furry and feathered critters a much bigger danger to the power grid than hackers, they are also killing people.
In a presentation to the ShmooCon hacking conference at the weekend, Thomas showed that squirrels have been responsible for 879 power outages around the world, with the next most common animal saboteurs being birds – either directly via nests, or resulting from streams of excrement.
“35 years of cyberwar and the squirrels are winning,” he said.
In all, he has tracked 1,753 animal-caused power outages that, taken in total, equate to 78 days without power in the US, leaving over 4.7 million people in the dark. These incidents have also caused the death of eight people.
There is a serious point to this
So far, so funny, but there is a serious point to all of this. Thomas sees the project not only as an interesting data exercise, but also as a way to puncture some of the pomposity of so-called cyberwarfare experts.
“Why Cyberquirrel1? Basically to counteract the ludicrous cyberwar claims,” he said. “It’s really at an epic, unbelievable level some of the bullshit that gets peddled as fact by people at high levels of government and industry who are really spouting stuff they don’t know anything about. We’re trying to counter some of the FUD that’s out there.”
Tomi Engdahl says:
Monkey business takes out a power grid
http://www.edn.com/electronics-blogs/powersource/4442201/Monkey-business-takes-out-a-power-grid
In the US, states can require power companies to install blocking devices or other technologies to protect large transformers and generators against man-made electromagnetic pulse (EMP) attacks created by nuclear detonations or geomagnetic disturbances caused by solar storms. But how do you protect against a smart monkey?
In Kenya recently, a monkey, native to that country, climbed onto the roof of the 180 MW Gitaru hydroelectric power station and then jumped or fell onto a transformer which became overloaded. The transformer subsequently tripped. This seemingly simple event actually triggered a nationwide blackout.
KenGen, the Kenya Electricity Generating Company, says that its power installations are secured by electric fencing which keeps away animals, but it seems like the monkey was able to evade the protected area.
Tomi Engdahl says:
Power grid blackouts: Are they preventable and predictable?
http://www.edn.com/design/power-management/4421404/Power-grid-blackouts–Are-they-preventable-and-predictable-
Tomi Engdahl says:
Green software blacked out Australian State
Wind-turbine-ware defaults didn’t handle exceptional weather events
https://www.theregister.co.uk/2017/03/28/wind_turbines_software_protection_confirmed_as_south_oz_culprit/
Something good is going to come out of last year’s “Black System” in the Australian State of South Australia: the global wind power industry has learned how to do better modelling for systems under attack from repeated failures.
South Australia last year experienced a vicious storm that uprooted high-voltage power and blew with sufficient intensity that wind turbine operators shut down their plant to protect them from damage.
That shutdown led local politicians to use a “wind can’t be relied on” argument.
The combination of undocumented features and control settings particular to the turbines meant while the turbines were able to ride through individual outages on the whole grid, multiple disturbances triggered the incorrect setting, the Black System and a political storm about energy policy.
Re-modelling to take protection features into account during “multiple fault” events, the Manitoba report says, “is beneficial not only to AEMO but to the global wind industry in general.”
Tomi Engdahl says:
When the Grid Goes Dark
http://hackaday.com/2017/04/03/when-the-grid-goes-dark/
If you lived through the Y2K fiasco, you might remember a lot of hype with almost zero real-world ramifications in the end. As the calendar year flipped from 1999 to 2000 many forecast disastrous software bugs in machines controlling our banking and infrastructure. While this potential disaster didn’t quite live up to its expectations there was another major infrastructure problem, resulting in many blackouts in North America, that reared its head shortly after the new millennium began. While it may have seemed like Y2K was finally coming to fruition based on the amount of chaos that was caused, the actual cause of these blackouts was simply institutional problems with the power grid itself.
Built-in Protection Hardware
While blackouts of size and scope of the few that occurred in the early 2000s aren’t very common, local small-scale blackouts are almost guaranteed at some point or other. Although power utilities are incentivized to prevent as many of them as they can (if the power’s out, the meters aren’t spinning), there’s no guaranteed way to prevent lightning from striking power lines or expensive equipment, or to prevent unscrupulous electricians from overloading panels and damaging transformers, or preventing birds from nesting in every substation.
In theory, once there is a problem (referred to as a “fault” on the electrical system) there are a variety of protective devices to ensure that the interruption in power is as short as possible. Most electrical faults are brief, transient faults that will clear themselves after a small amount of time
A Perfect Failure
All of this protective equipment isn’t without its faults, though, and can misbehave under the right circumstances to extraordinary effect. Such was the case in the Northeast Blackout of 2003 where a transmission line made contact with a tree in Ohio. Normally an incident like this would be dealt with swiftly by the protective equipment and grid operators. This was a summer day, though, and the reason that the power line came into contact with the tree was because it was sagging farther than normal from carrying close to its maximum rated current.
Blackouts as a Business Model
On the other hand, however, there have been large-scale blackouts that have been caused by companies actively trying to profit off of them. The California Electricity Crisis of 2000 and 2001 was a textbook case of conflict of interest, where energy traders such as Enron, who had control over energy supplies to the state, were also the ones who were trading energy futures.
Jump Starting a Power Plant
While there is a regulatory agency (in North America) with some teeth (thanks to Enron) to deal with problems like this, the power companies still have to be able to restore power once a blackout occurs. While any damage to the grid must be repaired, getting the power on isn’t quite as simple as flipping a switch at a nuclear plant or a combustion turbine. If these base-load plants lose power, they need either off-site power from something called a black-start plant, or they need large diesel generators in order to start producing power again.
Tomi Engdahl says:
Lights Out in Québec: The 1989 Geomagnetic Storm
http://hackaday.com/2017/04/10/lights-out-in-quebec-the-1989-geomagnetic-storm/
In some cases, these expanding clouds of plasma are Earth-directed, like in March of 1989. After a few days of travel, the expanding donut reaches the Earth’s magnetosphere, which is the limit of influence of the Earth’s magnetic field. The leading edge of the CME forms a shock wave that flattens the magnetic field on the day-side of the globe. This allows charged particles to slip into the Earth’s atmosphere, causing the aurora I saw at around 42° North latitude – a little far south for regular display of the Northern Lights, but not so far that they were unheard of. The 1989 CME was so powerful that it caused aurorae clear down to Florida, and even Cuba witnessed the display.
The Path of Least Resistance
As amazing as the aurorae in the 1989 CME were, they weren’t what caused so many headaches for Hydro-Québec. The action there was caused on the backside of Earth, away from the Sun. While it was compressing the day-side magnetosphere, the CME shock wave was also stretching out the night-side magnetosphere into a long tail of magnetic flux. Just like the collapsing magnetic fields inside the sun that started the CME in the first place, eventually the magnetic lines of force in the tail reconnected, releasing terawatts of stored energy back toward the Earth.
This is where the trouble started for Hydro-Québec. All that electrical energy needed to go someplace, and as is always the case, it took the path of least resistance. Most of the province of Québec sits atop a massive insulating sheet of igneous rock called the Canadian Shield, and the thin layer of soil stretched over it was soon conducting massive amounts of current. The ground connections of Hydro-Québec’s transmission system of high-tension lines and transformers eventually started conducting some of these earth currents, and at 2:43 AM, protective circuit breakers tripped at the Chibougamau substation in central Québec. This caused an imbalance on a 750 kV transmission line, which tripped breakers 150 km away.
Within one minute, the cascading failures had tripped automatic systems all over Québec, shutting down 21 gigawatts of supply and plunging the province into darkness for over nine hours. The cascade of failures wasn’t limited to Canada; thanks to interconnects between the US and Canadian grids, over 200 grid faults occurred within the first few minutes in the US. Operators were able to shunt around issues and avoid any major blackouts, though.
They learned the lessons the sun had to teach them that day, and put in systems to prevent a recurrence. The simple expedient of decreasing the sensitivity of the protective relays that first caused the problem has avoided a repeat in similar storms
Tomi Engdahl says:
I fought Ohm’s Law and the law won: Drone crash takes out power to Silicon Valley homes
1,600 PG&E customers hit by gizmo prang
https://www.theregister.co.uk/2017/06/09/drone_hits_wire_kills_silicon_valley_power/
A wayward quadcopter is being blamed for a power outage in Google’s back yard this week.
The city of Mountain View said that a large portion of the city, including city hall and the central library, were without power from 8:15 to 11:00 Thursday night, as part of an outage that knocked out service to around 1,600 customers.
The culprit for the attack was quickly identified as a semi-crispy hobby drone that had struck a power line. The quadcopter craft was almost completely destroyed from the collision
“The damage of the drone crash totaled tens of thousands of dollars, and the repair work was completed early Friday morning,”
Now the city is trying to track down the operator responsible for the crash.
Tomi Engdahl says:
Andy Greenberg / Wired:
Researchers say Crash Override, which took down Ukraine’s power grid, is the only known malware to have attacked physical infrastructure other than Stuxnet — AT MIDNIGHT, A week before last Christmas, hackers struck an electric transmission station north of the city of Kiev …
‘Crash Override’: The Malware That Took Down a Power Grid
https://www.wired.com/story/crash-override-malware
Tomi Engdahl says:
British Airways: Engineer accidentally cut data center power supply
http://www.cablinginstall.com/articles/pt/2017/06/british-airways-engineer-accidentally-cut-data-center-power-supply.html
An engineer had disconnected a power supply at a data center near London’s Heathrow airport, causing a surge that resulted in major damage when it was reconnected, Willie Walsh, chief executive officer of parent IAG SA, told reporters in Mexico.
The incident led BA’s information technology systems to crash, causing hundreds of flights to be scrapped over three days as the airline re-established its communications.
The engineer in question had been authorized to be on site, but not “ to do what he did,”
Analysis: 70% of data center outages directly attributable to human error
http://www.cablinginstall.com/articles/2013/08/apc-dc-human-error-paper.html
A new white paper from APC-Schneider Electric contends that “a properly designed, implemented, and supported operations and maintenance (O&M) program will minimize risk, reduce costs, and even provide a competitive advantage for the overall business the data center serves. A poorly organized program, on the other hand, can quickly undermine the design intent of the facility putting its people, IT systems, and the business itself at risk of harm or interruption.”
The paper’s executive summary states that 70% of data center outages are directly attributable to human error, according to the Uptime Institute’s analysis of their “abnormal incident” reporting (AIR) database. This figure highlights the critical importance of having an effective operations and maintenance (O&M) program, says APC-Schneider Electric.
Tomi Engdahl says:
Thousands of Firms Fail to Update Software on Most Computers: Study
http://www.securityweek.com/thousands-firms-fail-update-software-most-computers-study
An analysis of 35,000 companies from more than 20 industries across the world showed that many of them are at risk of suffering a data breach due to their failure to ensure that the software running on their computers is up to date.
The study conducted by cybersecurity ratings company BitSight focused on Apple and Microsoft operating systems, and the Firefox, Chrome, Safari and Internet Explorer web browsers.
The research showed that more than 50 percent of computers in over 2,000 organizations run an outdated version of the operating system, and over 8,500 companies have failed to update Web browsers on more than half of their machines.
The fact that public sector organizations have done a poor job at protecting their systems is not surprising, and even U.S. President Donald Trump called for government agencies to take measures in his recent cybersecurity executive order.
At the other end of the chart we have the legal and energy sectors, which had the fewest devices running outdated software.
“Given that the Energy sector provides critical infrastructure services, organizations in this sector should maintain their proactive approach to security,” BitSight said in its report.
In the case of Windows, more than 60 percent of analyzed PCs were running Windows 7 or earlier, including XP and Vista, which no longer receive updates from Microsoft.
A Growing Risk Ignored: Critical Updates
https://cdn2.hubspot.net/hubfs/277648/Insights/BitSight%20Insights%20-%20A%20Growing%20Risk%20Ignored%20-%20Critical%20Updates.pdf?t=1496944784037&utm_campaign=Q217%20BitSight%20Insights&utm_source=hs_automation&utm_medium=email&utm_content=52515743&_hsenc=p2ANqtz–3taBHmLJ9mFDRlsz6fBuZDx51wqsvo_wJigWcGRXX-ETGymjI-cur–Wj3e8dvaXAoXBgmyZjWPaJWoFHFp_ixaHelA&_hsmi=52515743
EXPLORING THE PREVALENCE OF OUTDATED SYSTEMS AND THEIR LINK TO DATA BREACHES
Tomi Engdahl says:
Report Released on Malware Designed to Attack Electric Grids
http://www.tdworld.com/grid-security/report-released-malware-designed-attack-electric-grids?NL=TDW-01&Issue=TDW-01_20170614_TDW-01_465&sfvc4enews=42&cl=article_2_b&utm_rid=CPG04000001994923&utm_campaign=14476&utm_medium=email&elq2=6f834e846d264b98ad4269ae9061b116
Researchers have discovered the malware capability used in the Dec. 17, 2016, cyber-attack on a Ukraine transmission substation that resulted power outages in Kiev. ESET, a Slovakian anti-virus software maker, and Dragos Inc, a U.S. critical-infrastructure security firm, released an industry report to inform the electric sector and security community of the potential implications of the malware.
The two firms said they did not know who was behind the cyber attack. Ukraine has blamed Russia, though officials in Moscow have repeatedly denied blame, according to a Reuters report. Still, the firms warned that there could be more attacks using the same approach, either by the group that built the malware or copycats who modify the malicious software.
“There are concerning scenarios in how this malware can be leveraged to disrupt grid operations that would result in hours of outages at targeted locations leading into a few days if done at multiple sites,” said Robert M. Lee in a Dragos blog.
CRASHOVERRIDE
https://dragos.com/blog/crashoverride/
Today the Dragos, Inc. team is releasing a report titled CRASHOVERRIDE: Analyzing the Malware that Attacks Power Grids. CRASHOVERRIDE is a malware framework that has not been disclosed before today but is the capability used in the cyber-attack on the Ukraine electric grid in 2016 (not the 2015 attack). Dragos can also confirm that we are tracking the adversary group behind the attack as ELECTRUM and can assess with high confidence the group has direct ties to the Sandworm Team which targeted infrastructure companies in the United States and Europe in 2014 and Ukraine electric utilities in 2015.
The purpose of this blog is to introduce some high-level items for everyone to be aware of (especially those that do not have time to read the full report).
The electric grid is extremely reliable. CRASHOVERRIDE represents alarming tradecraft and the ability to disrupt operations, but the public must understand that the outages could be in hours or days not in weeks or months. The electric grid operators train regularly to restore power for similar sized events such as weather storms. The first thank you that needs publicly stated is to those men and women responsible for having put the electric grid into a defensible situation through their dedication to reliability and safety of electric power.
The Slovakian anti-virus firm ESET informed Dragos on June 8th, 2017 that they would be releasing their report on June 12th on a piece of malware they identify as “Industroyer.” The request was to validate findings to reporters they were speaking to because Dragos has subject matter experts focused on ICS security.
Dragos was able to confirm much of ESET’s analysis and leveraged the digital hashes to find other undisclosed samples and connections to a group we are tracking internally as ELECTRUM. Because of the new functionality, connections to the threat group, numerous references to crash.dll in the malware, and our analysis that this is not industry-wide focused but specific to electric grid operations led the team named this malware CRASHOVERRIDE.
The CRASHOVERRIDE malware is a framework that has modules specific to ICS protocol stacks including IEC 101, IEC 104, IEC 61850, and OPC. It is designed to allow the inclusion of additional payloads such as DNP3 but at this time no such payloads have been confirmed. The malware also contains additional non-ICS specific modules such as a wiper to delete files and processes off of the running system for a destructive attack to operations technology gear (not physical destruction of grid equipment).
The modules in CRASHOVERRIDE are leveraged to open circuit breakers on RTUs and force them into an infinite loop keeping the circuit breakers open even if grid operators attempt to shut them. This is what causes the impact of de-energizing the substations. Grid operators could go back to manual operations to alleviate this issue.
The CRASHOVERRIDE malware appears to have not used all of its functionality and modules, and it appears the Kiev transmission substation targeted in 2016 may have been more of a proof of concept attack than a full demonstration of the capability in CRASHOVERRIDE.
CRASHOVERRIDE’s wiper searches for specific ABB files to delete off of a system, however, there are no vulnerabilities in ABB that this malware takes advantage of
ESET’s report cites a Siemens SIPROTEC denial of service based on a publicly disclosed 2015 vulnerability. However, we cannot confirm the existence of this module.
There are concerning scenarios in how this malware can be leveraged to disrupt grid operations that would result in hours of outages at targeted locations leading into a few days if done at multiple sites. However, it is important to know this is not a catastrophic scenario; there is no evidence the ELECTRUM actors could use CRASHOVERRIDE to do more than a few days of outages, and even to get a few days, would require the targeting of multiple sites simultaneously which is entirely possible but not trivial.
Indicators of compromise for the CRASHOVERRIDE malware can be found in the industry report. Indicators of compromise are available, but the most important thing for security teams to watch for is malicious behaviors and set patterns associated with the ICS communications.
Tomi Engdahl says:
Hacking Into…. A Wind Farm?
http://hackaday.com/2017/07/06/hacking-into-a-wind-farm/
Pick a lock, plug in a WiFi-enabled Raspberry Pi and that’s nearly all there is to it.
There’s more than that of course, but the wind farms that [Jason Staggs] and his fellow researchers at the University of Tulsa had permission to access were — alarmingly — devoid of security measures beyond a padlock or tumbler lock on the turbines’ server closet. Being that wind farms are generally in open fields away from watchful eyes, there is little indeed to deter a would-be attacker.
[Staggs] notes that a savvy intruder has the potential to shut down or cause considerable — and expensive — damage to entire farms without alerting their operators, usually needing access to only one turbine to do so. Once they’d entered the turbine’s innards, the team made good on their penetration test by plugging their Pi into the turbine’s programmable automation controller and circumventing the modest network security.
Researchers Found They Could Hack Entire Wind Farms
https://www.wired.com/story/wind-turbine-hack
Tomi Engdahl says:
Power firms alerted on hack attack scenarios
http://www.bbc.com/news/technology-40766757
Power firms around the world are being warned about how to spot if they are being targeted by hackers who shut down parts of Ukraine’s electricity grid.
The warnings have emerged from analysis of the malware used in an attack in Ukraine in December.
That left about 230,000 people without power for hours after substations were shut down via implanted malware.
The move comes as researchers at Black Hat and Def Con reveal ways power firms are lax on security.
Immediate risk
“Power grid operators need to be aware that these styles of events are out there and they need to prepare for them,” said Robert M Lee of Dragos Security during a talk at the Black Hat show which detailed its work to analyse the malware used in the Ukraine attack.
Ukraine suffered two attacks on its network – one in March 2015 and another in late 2016.
The warnings detail the text and code combinations used by the attackers as they infiltrated networks and started the process of shutting down key parts of the grid. The information should help power firms scan internal systems for tell-tale signs of intrusion and prepare other defences so they can spot reconnaissance.
Mr Lee stressed that there was little evidence that the hackers behind the Ukraine attack were taking aim at other power networks.
He also criticised governments for not doing enough to raise awareness about the seriousness of the events in Ukraine.
“No senior policy makers in any government has come out and condemned the Ukraine attack,” he said. “That’s done nothing but embolden the attackers and that’s a worrying trend.”
Power plans
The Black Hat and Def Con shows saw other security researchers share information about work to catalogue ways that the power network could be attacked.
Security researcher Harrys Konstantinou and colleagues at New York University led a project to find out how easy it was to build up a detailed picture of the make-up of power networks in the US.
The three-person team drew on information in press releases, regulatory filings, grid maps, case studies and blackout reports to build a detailed model of sections of the US power transmission system.
They also drew on freely available software tools that let them map power flows and test out what would happen if different parts of the network were turned off.
“There exists a wealth of information out there that can accurately model the grid and enable a widespread attack,” said Mr Konstantinou.
“The increased reliance on renewable energy sources will draw attention from attackers for all kinds of reasons,” he said.
He added that his work revealed weaknesses in the hardware used to manage wind farms and in the software that allows them to be managed remotely.
In many cases, he said, it was “trivial” to get access to the control consoles and management systems used to keep turbine blades spinning. Poor internal controls meant an attacker that got physical access to one turbine tower could inject software and infiltrate an entire network of wind farms, he said.
“These networks are extremely susceptible to attack,”
If an attacker triggered turbines to shut down it could cause real harm to their drives, brakes and blades.
An hour of downtime on a relatively small wind farm would cost a power firm up to $30,000 (£23.250) for every turbine that stopped turning
Tomi Engdahl says:
Flaws in solar panels potentially threatening European power grids
http://securityaffairs.co/wordpress/61750/hacking/solar-panels-flaws.html
The Horus scenario, is a scenario describing a large scale cyber attack targeting the vital electrical infrastructure triggering flaws found in solar panels
Willem Westerhof, a Dutch security researcher at the security firm ITsec has found a serious vulnerability in a component of solar panels that could be exploited by hackers to cause widespread outages in European power grids.
The vulnerability resides in the inverters that are the components of solar panels used to convert direct current to alternating current.
The vulnerabilities affect the inverters manufactured by the German market leader SMA.
The attack scenario hypothesized by the expert is disconcerting, it sees hackers taking control of a large number of inverters and switch them off simultaneously. The attack can cause a huge power outage in large parts of Europe.
According to a research conducted by Westerhof, vulnerable solar panels manage around 17 gigawatts of power, clearly, a successful cyber attack could have a catastrophic effect.
Inverters of solar panels are just an example of the billion of IoT devices that could be targeted by hackers.
Tomi Engdahl says:
The Week In Review: Manufacturing
https://semiengineering.com/the-week-in-review-manufacturing-168/
aiwan on Tuesday suffered a blackout after an accident occurred at a gas-fired plant, according to a report from Bloomberg. The outage, which lasted from 5 p.m. to 10 p.m., impacted more than 6 million homes and disrupted some IC production on the island, according to the report. Taiwan’s president was criticized for the event, as the government plans to shutter the island’s nuclear plants and cut the use of coal.
Tomi Engdahl says:
Stun Gun vs 220v Mains Electricity
http://hackaday.com/2017/08/19/stun-gun-vs-220v-mains-electricity/
Those fearless Ukrainians are at it again! This time around they’re giving wall outlets some high voltage stun gun shocks and observing the results, as [Kreosan] decided to see what would happen when you use a stun gun on mains electrical sockets. Surprisingly, they are still alive and well, and creating more videos. .
Shocking a light switch blew up some light bulbs, while shocking an extension cord with a TV plugged in blew the TV up. It seems these guys never run out of appliances to fry, or totally insane experiments to try out that no one else would really have the stomach for.
Tomi Engdahl says:
Can North Korean nukes hit US mainland? Maybe. But EMP blast threat is ‘highly credible’
El Reg talks to experts on Kim’s capabilities
http://www.theregister.co.uk/2017/08/22/nork_nukes_could_emp_us/
When they said a week is a lifetime in politics, they weren’t kidding.
One moment, President Donald Trump talks of “fire and fury,” the likes the world has never seen, in response to an increasingly aggressive North Korea, which is trying to menace the US with nuclear weapons.
This week, the US and South Korea are carrying out military drills that North Korea claims could lead to “uncontrollable phase of a nuclear war.” The Kim Jong-Un-led hermit nation is also hell bent on building an arsenal of nukes despite international resistance, and even its ally China is urging it to calm down.
So, what can the Norks actually achieve: do they have working nukes, and can they reach the US? Realistically, the chances of either North Korea or the US slinging missiles at each other are slim.
China says it will retaliate if America launches a preemptive strike against North Korea, filling the skies with warheads aimed at US cities. So it’s, as we say around here, suboptimal even for Trump to wipe North Korea off the map.
And whatever happens, if North Korea is going down, it’s taking South Korea with it. And no one wants the blood of Seoul on their hands.
However, experts are still skeptical that North Korea has the ability to successfully lob a nuke all the way to the American mainland.
So far, the answer to the question, can North Korea reach California with a rocket, is: probably possibly. Can it actually survive reentry and nuke the Golden State? maybe.
But there is another option for the North Koreans, and one that could potentially do far more damage than a single nuclear strike. Before reentry temperatures kick in, the bomb could be detonated in the upper atmosphere – and the electromagnetic pulse (EMP) generated would do more damage than a single missile could ever manage. Emitting an EMP blast over the US West Coast, with Silicon Valley within its grasp, or further inland, would be extremely bad news for our future on this planet.
In other words, Kim Jong-Un doesn’t have to strike America, setting off a cliched mushroom cloud: using EMP high in the skies to wreck our electronics and communications could be, potentially, enough to upturn society and put us on the path to global thermonuclear war.
EMP, silent but deadly
Testimony to the US Congressional EMP Commission stated that in the event of a massive EMP attack on the US using multiple high-yield warheads, around 90 per cent of the American population would be dead after 18 months due to famine, disease, and societal breakdown.
Small bomb, big noise
“EMP is the most asymmetric threat there is in terms of a single weapon taking out large categories of infrastructure,” Dr George Baker, former leader of the Defense Nuclear Agency’s EMP program, told The Register. “It’s a lot easier to achieve, since you don’t need reentry capabilities.”
Baker said that a low-yield device such as that thought to be owned by North Korea, detonated at optimum height, would generate EMP over an area with a diameter of around 1,000 miles
the consequences for power grids, computing centers and telecommunications systems could be catastrophic
“A North Korean EMP attack is extremely credible,”
“No reentry is required and a low-yield weapon could produce a significant impact on the electrical grid. The grid is designed to be resilient to single failures but not multiple simultaneous failures.”
Most vulnerable would be the handful of massive transformers needed to keep power regulated through the grid. These enormously costly and complex pieces of equipment currently take around 22 months to build and deliver, so the power companies don’t keep many in reserve.
The telecommunications cables that make up the communications backbone of the US, and the world, would also be extremely vulnerable. Signal amplifiers, switching stations and routers could all be burned out by a strong EMP pulse, and that would have a massive knock-on effect on the computing infrastructure of the nation.
Some more alarmist scenarios depict an EMP pulse destroying all electronics completely, with modern cars, all electronics with chips, and anything with a current getting taken out. That’s unlikely, but we don’t really know because so little testing has been done on the matter.
Protect and survive
As the American military prepared to use EMP it also developed shielding against it. Ever since the 1960s military communications systems, control centers and missile bases have all had their systems hardened against attack. Even Air Force One has a measure of EMP shielding.
But the civilian sector has very little in the way of protection.
most of our infrastructure is totally unprotected
“There is no single point of responsibility to develop and implement a national protection plan. Nobody is in charge,”
“You can’t just build a Faraday cage around the data center and call it safe,”
Putting these kinds of protection into an existing data center is almost prohibitively expensive, but applying them to a new-build unit only increases the cost by around eight per cent, he explained.
“Most big data center infrastructure firms like Google and Amazon aren’t that interested,” Pressman said. “They think, ‘If we lose one or two facilities then so be it, we have 40 globally.’”
He told The Register that the kind of 10 or 20-kiloton device that the North Koreans are supposed to have might cause damage, but it wouldn’t be the massive population killer that some have suggested.
Tomi Engdahl says:
Security measures need to measure up to sophisticated attacks
http://www.controleng.com/single-article/security-measures-need-to-measure-up-to-sophisticated-attacks/3af942c101d92a503305d98075375b77.html
Security needs to be improved in order to combat attackers getting more and more dangerous and skilled each day, demonstrated by the attack on Ukraine in December 2016.
Industrial control system (ICS) and supervisory control and data acquisition (SCADA) users across the board need to understand they need to create a holistic security program to protect against targeted attacks like this past December’s Ukraine utility assault.
“The attacker had been developing its capabilities for at least a year, maybe two, and they discharged this tool and they will not use it anymore,” said Marina Krotofil, lead security researcher at the Honeywell Industrial Cyber Security Lab and an investigator on the December Ukraine utility attack. “It means they have developed much better capabilities, much higher and advanced. This what is scary because we don’t know what to prepare for.”
Tomi Engdahl says:
Tuesday, August 22, 2017
No Gas No Electric Power – Yes, it Happend
http://blog.iec61850.com/2017/08/no-gas-no-electric-power-yes-it-happend.html
Taiwan was hit recently by a massive blackout caused by simply closing two gas valves that powered six power generators with a total capacity of some 4,0000 MW or 4 GW!
How could that happen? The peak generation did not have reserve power. So the 4 GW tripped could not be compensated by other generations. It happens so fast!
The general stress was one aspect – another was an error made by humans, “almost 9 per cent of the island’s generation capacity, stopped after workers accidentally shut off its natural gas supply”.
I am not aware of any details of the human error. One thing is clear: Our infrastructure is really under stress! It will take some efforts to get it fixed.
Massive power blackout puts Taiwanese energy policy under scrutiny
http://www.powerengineeringint.com/articles/2017/08/massive-power-blackout-puts-taiwanese-energy-policy-under-scrutiny.html
An accidental power cut at Taiwan’s largest gas-fired power plant triggered a full scale blackout on Tuesday, leading to growing scrutiny of the government’s energy policy.
The Taiwanese grid is under severe pressure thanks in part to President Tsai Ing-wen’s efforts to reshape the island’s power mix. The latest incident has led to the country’s economy minister, Lee Chih-kung, submitting his resignation.
Power outage in city
A combination of unusually hot weather, infrastructure damage from typhoons and Tsai’s drive to abandon nuclear power left Taiwan barely able to supply sufficient electricity to residential and business users in the past week.
Six generators in the plant failed shortly before 5pm, affecting the supply of 4 million kilowatts of electricity. The blackout came amid a heatwave that saw maximum temperatures in Taipei hit 36 degrees Celsius for at least ten days running, leading to peaks in power consumption.
The government’s pledge to phase out nuclear and cut coal is now under the microscope.
The disruption Tuesday occurred when engineers replacing power supply equipment for a control system at Tatan’s metering station didn’t switch the system from automated to manual before starting the work, according to CPC Corp., which provides the plant natural gas. That resulted in two valves being automatically closed, one for about six minutes, shutting off gas supplies.
Both the operator and supplier of the plant, Taiwan Power Co. and CPC Corp., are state-run and the country’s recent difficulties have led to fears that the business sector has lost faith in Taiwan’s energy reliability.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Symantec: Dragonfly group of hackers has penetrated operational networks of multiple US and European energy companies that control key parts of the power grid — Intrusion into power companies’ operational networks is a dramatic
Hackers lie in wait after penetrating US and Europe power grid networks
Intrusion into power companies’ operational networks is a dramatic escalation.
https://arstechnica.com/information-technology/2017/09/hackers-lie-in-wait-after-penetrating-us-and-europe-power-grid-networks/
Nation-sponsored hackers have penetrated the operational networks multiple US and European energy companies use to control key parts of the power grid that supplies electricity to hundreds of millions of people, researchers warned Wednesday.
The incursions detected by security firm Symantec represent a dramatic escalation by a hacking group dubbed Dragonfly, which has been waging attacks against US and European energy companies since at least 2011. In 2014, Symantec reported that Dragonfly was aggressively establishing beachheads in a limited number of target networks, mainly by stealing the user names and passwords used to restrict access to legitimate personnel. Over the past year, the hacking group has managed to compromise dozens of energy firms and, in a handful of cases, install backdoors in the highly sensitive networks the firms use to supply power to the grid.
“What’s most concerning is we now see them intruding on operational networks of energy companies,” Eric Chien, technical director of Symantec’s security response and technology division, told Ars. “Before, we were talking about them being one step away, and what we see now is that they are potentially in those networks and are zero steps away. There are no more technical hurdles for them to jump over.”
The escalation is troubling because operational networks—sometimes called electronic security perimeters in the energy industry—can often wield significant influence over the stability of the electric grid they’re responsible for. In the Northeast Blackout of 2003, a contributing cause was the failure of a system in an operational network that tracked the health of the grid in real time. When a separate fault occurred, the grid supplying electricity to 55 million people shut down.
At a minimum, attackers who have control of a company’s operational network could use it to become de facto operators of the company’s energy assets. That control includes the ability to turn on or off breakers inside the companies’ infrastructure and hijack systems that monitor the health of the grid. That’s an unsettling scenario, but there’s a more troubling one still: the attackers might also be able to use their control of multiple grid-connected operational networks to create the kinds of failures that led to the Northeast Blackout of 2003.
Wouldn’t be the first time
If Symantec’s worst fears were to materialize, it wouldn’t be unprecedented. In December 2015, a hack attack on a power distribution center just outside Kiev, the capital of Ukraine, caused about 225,000 people to lose power for as long as six hours. It was the world’s first known instance of someone using hacking to generate a real-world power outage. Almost to the day one year later, a hack attack on a Ukrainian power transmission facility caused a smaller number of Kiev residents to lose power for about an hour. Researchers have attributed the attacks to a hacking group dubbed Sandworm.
In the 2015 attack, Sandworm used a revamped version of a tool known as BlackEnergy to break into the corporate network of the targeted power companies and from there to collect passwords and other data that would allow the hackers to penetrate the supervisory control and data acquisition systems the companies used to generate and transmit electricity.
Dragonfly, by contrast, uses a completely different set of tools, leading Chien to believe the two groups are completely separate.
Tomi Engdahl says:
DragonFly 2.0: The Alleged Nation-State Actor Hits the Energy Sector Again
http://resources.infosecinstitute.com/dragonfly-2-0-alleged-nation-state-actor-hit-energy-sector/
Practice for certification success with the Skillset library of over 100,000 practice test questions. We analyze your responses and can determine when you are ready to sit for the test.
Security experts at Symantec have uncovered a hacking campaign against companies in the energy industry that appears to be an activity linked to the infamous Dragonfly group.
“The energy sector in Europe and North America is being targeted by a new wave of cyber-attacks that could provide attackers with the means to severely disrupt affected operations. The group behind these attacks is known as Dragonfly.
Dragonfly gang conducted a cyber espionage campaign against energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers.
Now the malware experts from Symantec reported Dragonfly targeted energy companies in Europe and the US, but with a substantial difference compared with past campaigns, this time the alleged state-sponsored hackers aimed to control or even sabotage operational systems at energy facilities.
“The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially can sabotage or gain control of these systems should it decide to do so,” continues the report published by Symantec.
“The energy sector in Europe and North America is being targeted
The energy sector has become a privileged target for state-sponsored hackers over the last years due to the number of critical infrastructures operated by companies in the industry. Most clamorous cases are the power outages caused in Ukraine in 2015 and 2016 that were attributed to Russian APT groups.
Tomi Engdahl says:
Department of Energy Invests $50 Million To Improve Critical Energy Infrastructure Security
https://hardware.slashdot.org/story/17/09/12/2117224/department-of-energy-invests-50-million-to-improve-critical-energy-infrastructure-security
Today, the Department of Energy (DOE) is announcing awards of up to $50 million to DOE’s National Laboratories to support early stage research and development of next-generation tools and technologies to further improve the resilience of the Nation’s critical energy infrastructure, including the electric grid and oil and natural gas infrastructure. The electricity system must continue to evolve to address a variety of challenges and opportunities such as severe weather and the cyber threat, a changing mix of types of electric generation, the ability for consumers to participate in electricity markets, the growth of the Internet of Things, and the aging of the electricity infrastructure. The seven Resilient Distribution Systems projects awarded through DOE’s Grid Modernization Laboratory Consortium (GMLC) will develop and validate innovative approaches to enhance the resilience of distribution systems
DOE invests $50 million to improve critical energy infrastructure security
https://www.helpnetsecurity.com/2017/09/12/critical-energy-infrastructure-security/
Today, the Department of Energy (DOE) is announcing awards of up to $50 million to DOE’s National Laboratories to support early stage research and development of next-generation tools and technologies to further improve the resilience of the Nation’s critical energy infrastructure, including the electric grid and oil and natural gas infrastructure.
This investment builds on the Department’s ongoing efforts toward the rapid development and widespread adoption of tools and technologies that will help create a more resilient, secure, sustainable, and reliable electricity system that can meet the demands of the 21st century and beyond.
“A resilient, reliable, and secure power grid is essential to the Nation’s security, economy, and the vital services that Americans depend on every day,” said Secretary of Energy Rick Perry. “As round-the-clock efforts continue to help communities recover from the devastation of Hurricanes Harvey and Irma, the need to continue strengthening and improving our electricity delivery system to withstand and recover from disruptions has become even more compelling. By leveraging the world-class innovation of the National Laboratories and their partners, this investment will keep us moving forward to create yet more real-world capabilities that the energy sector can put into practice to continue improving the resilience and security of the country’s critical energy infrastructure.”
Tomi Engdahl says:
U.S. Energy Department Invests $20 Million in Cybersecurity
http://www.securityweek.com/us-energy-department-invests-20-million-cybersecurity
The United States Department of Energy announced on Tuesday its intention to invest up to $50 million in the research and development of tools and technologies that would make the country’s energy infrastructure more resilient and secure. Over $20 million of that amount has been allocated to projects focusing on cyber security.
Tomi Engdahl says:
Is Winter Coming in Industrial Control Systems Cybersecurity?
http://www.securityweek.com/winter-coming-industrial-control-systems-cybersecurity
In 2005, the breach of Card Systems (a major payment card processor), which exposed 40+ million credit cards, was labeled “The Biggest Hack of All Time” – the breach made worldwide news and the cover of Newsweek with a multipage article highlighting the dangerous new reality of cyberthreats. Fast forward to just last week with the announcement of the Equifax breach impacting 143 million individuals’ personally identifiable information, credit histories and card details and it should be apparent that nothing has gotten better in the world of IT security in the past 12 years. To the contrary, our ability to counter and combat threats has been nothing short of a failure.
Why reference these IT network breaches if my focus is on the industrial control systems (ICS) or operational technology (OT) networks that power critical infrastructure and run our global economy? I point to them as stark reminders to anyone thinking that the security of these networks is either “on par” (a horrible standard at best) or better than those of their IT counterparts. This could not be further from the truth. IT networks have been where “the bloodshed” has been for so long now that they’ve rightfully commanded the lion’s share of investment in new solutions, people and processes. Conversely, despite all the conversations related to how we must prepare against nightmare outcomes from breaches in the OT domain – as there (until recently) has been a lack of major threat activity in this space – there has been a dearth of funding and advancement.
Just last week, Symantec released a report claiming that an advanced adversary has gained access to the OT networks of dozens of firms in the energy sector – giving them the ability, Symantec claims, to “turn off the lights” if they so wished. This follows the July disclosure of a major campaign targeting U.S. energy and nuclear facilities – which was likely conducted through lateral movement from IT to OT networks.
Tomi Engdahl says:
Iranian Hackers Target Aerospace, Energy Companies
http://www.securityweek.com/iranian-hackers-target-aerospace-energy-companies
A cyber espionage group linked by security researchers to the Iranian government has been observed targeting aerospace and energy organizations in the United States, Saudi Arabia and South Korea.
The threat actor, tracked by FireEye as APT33, is believed to have been around since at least 2013. Since mid-2016, the security firm has spotted attacks aimed by this group at the aviation sector, including military and commercial aviation, and energy companies with connections to petrochemical production.
Specifically, the cyberspies targeted a U.S. organization in the aerospace sector, a Saudi Arabian business conglomerate with aviation holdings, and a South Korean firm involved in oil refining and petrochemicals. In recent attacks, the hackers used job vacancies at a Saudi Arabian petrochemical firm to target the employees of organizations in South Korea and Saudi Arabia.