Russian government hackers recently breached the business and administrative systems of U.S. nuclear power and other energy providers, though they don't appear to have successfully breached any power plant control systems, according to a report in the Washington Post.
A recent alert from the FBI and the Department of Homeland Security warned that foreign hackers had been using spear phishing attacks to acquire network login credentials for companies in the energy sector since at least May of 2017.
Officials told the Post the attacks mark the first time Russian government hackers have successfully breached U.S. nuclear power companies' computer networks, and suggested the breaches may indicate that Russia is trying to lay the groundwork for more damaging attacks: in 2015 and 2016, Russian hackers launched a series of attacks that disrupted power grids in Ukraine.
"In some sense, this could be significant if this is precursor planning," a U.S. official told the Post. "That's what all cyber bad guys do. They do reconnaissance and they try to establish a presence and maintain access. This in my mind was a reconnaissance effort."
Outdated Security Systems
A recent Black Hat survey [PDF] of 580 cyber security professionals found that 60 percent of respondents expect to see a successful cyber attack on U.S. critical infrastructure within the next two years, and just 26 percent believe U.S. government and defense forces are equipped and trained to respond appropriately.
Varonis vice president of field engineering Ken Spinner told eSecurity Planet by email that it's not far-fetched to think there may be nation-state or rogue actors already resident in the networks of nuclear facilities and electrical grids. "Many of these infrastructure providers are relying on outdated security systems with limited detection capabilities," he said.
"We've seen malware impact energy systems dating as far back as 2003, when the Microsoft SQL Server worm, Slammer, infected an Ohio-based nuclear power plant network, causing a temporary outage," Spinner added. "The key difference today is that attackers are equipped with far more sophisticated malware that is designed specifically to infiltrate and damage things like electricity substation switches and circuit breakers."
One nuclear power company that was breached was Kansas' Wolf Creek Nuclear Operating Corporation, which claims the breach had "absolutely no operational impact." Spokesperson Jenny Hageman told the Post that's attributable to the fact that the plant's control systems are completely separate from its business networks and from the Internet.
Intrusion Detection, Prevention
Still, Nozomi Networks CEO Edgard Capdevielle said that kind of air-gapping can no longer be counted on to offer any real protection. "We often see engineers plugging in their own devices to perform diagnostic checks," he said. "Should that person's device have been compromised, this action could unleash malware directly into the heart of each component being checked, which then crawls and burrows deeper into the infrastructure."
To block attacks like these, Capdevielle said, companies need to leverage advanced intrusion detection and prevention systems to identify and shut down anomalous behavior before any damage can be done. "Advanced monitoring and anomaly detection solutions provide actionable intelligence that enables them to identify intrusions and take immediate steps to ensure uptime and resilience of their critical operational technology environments," he said.
The U.S. now has to assume that all parts of critical infrastructure are being probed for vulnerabilities 24/7, Nozomi chief product officer Andrea Carcano added. "Risk management is an ongoing process," he said. "Up to date patching and the use of artificial intelligence and machine learning helps to harden the security that guards industrial control systems."
Ultimately, Plixer CEO Mike Patterson said by email, complete prevention simply isn't possible. "In addition to security tools aimed at prevention, these organizations must have incident response processes in place which leverage network traffic analytics to monitor every network connection and look for anomalous device behavior," he said.
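As an added example that is not code from the article or from any of the vendors quoted in it, the Python sketch below implements the baseline-plus-anomaly approach Capdevielle and Patterson describe: it learns which devices normally talk to a PLC, then flags an unknown device speaking Modbus to that PLC (the plugged-in diagnostic laptop case), a business-network host crossing into the control segment (the air gap being bypassed), and an OT host reaching the Internet. The segment addresses, protocol ports and flow records are assumed and constructed for illustration.

```python
# Added example (not from the article or any vendor named in it): baseline-
# driven detection of anomalous OT connections. Assumed layout: control-system
# segment 10.10.0.0/16 and business segment 10.20.0.0/16; flows are constructed.
from collections import namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "src dst dport")
OT_NET = ip_network("10.10.0.0/16")        # assumed control-system segment
BUSINESS_NET = ip_network("10.20.0.0/16")  # assumed business/admin segment
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

def learn_baseline(flows):
    """Record every (src, dst, dport) tuple seen during a trusted learning window."""
    return {(f.src, f.dst, f.dport) for f in flows}

def classify(flow, baseline):
    """Return findings for one flow; an empty list means it matches expected behavior."""
    findings = []
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in BUSINESS_NET and dst in OT_NET:
        findings.append("business-to-OT crossing")
    if dst in OT_NET and flow.dport in ICS_PORTS and (flow.src, flow.dst, flow.dport) not in baseline:
        findings.append(f"new {ICS_PORTS[flow.dport]} client {flow.src} -> {flow.dst}")
    if src in OT_NET and dst not in OT_NET and dst not in BUSINESS_NET:
        findings.append(f"OT host {flow.src} reaching outside both segments")
    return findings

def detect(flows, baseline):
    """Return (flow, findings) pairs for every flow that triggered a finding."""
    hits = []
    for f in flows:
        findings = classify(f, baseline)
        if findings:
            hits.append((f, findings))
    return hits

# Constructed baseline: the HMI and one engineering workstation polling a PLC.
BASELINE = learn_baseline([Flow("10.10.1.5", "10.10.2.10", 502),
                           Flow("10.10.1.20", "10.10.2.10", 502)])
# Constructed observation window: one normal poll plus three suspect flows.
OBSERVED = [
    Flow("10.10.1.5", "10.10.2.10", 502),    # normal HMI poll, not reported
    Flow("10.10.1.77", "10.10.2.10", 502),   # unknown device speaking Modbus to the PLC
    Flow("10.20.3.4", "10.10.2.10", 502),    # business host crossing into OT
    Flow("10.10.1.20", "203.0.113.9", 443),  # OT workstation reaching the Internet
]
if __name__ == "__main__":
    for flow, findings in detect(OBSERVED, BASELINE):
        print(flow, findings)
```

The baseline must be learned during a window that is known to be clean; otherwise an attacker already present, as Spinner warns may be the case, is baked into "normal".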