Power & Energy Industry Is Not Isolated from Attack
The power and energy industry, which was thought to be isolated from cyber attack just a few years ago, is at as great if not greater risk than organizations in sectors commonly associated with malicious activity, such as eCommerce and financial services. Security was historically based around protection against physical attacks, whether sabotage from within or destruction and vandalism of power lines, pipelines and field control units.
But no more: The specter of logical attack has become manifest. Control systems that were once the sole province of engineers are now extensively and irrevocably linked to modern networks and the Internet. Therefore, critical infrastructure is at risk from mass attacks that threaten all enterprises, generated from botnet armies scanning thousands of networks and exploiting known vulnerabilities.
More disturbing, however, is rising concern that hostile nation states, terrorists - anyone with the means and the motive - can launch highly sophisticated, targeted attacks against electric utilities, and oil and natural gas companies, disrupting the distribution of the power and energy that sustain businesses, homes and public infrastructure. These attacks use combinations of exploits of known and previously unknown (zero-day) vulnerabilities, obfuscation and polymorphic techniques to mask themselves and adapt to changing conditions, ingenious propagation methods and devious social engineering that challenge even the strongest logical defenses.
This paradigm shift is the result of proprietary control systems increasing dependence on modern, standard platforms. Cost and competitive considerations have led SCADA (supervisory control and data acquisition ) vendors - and their industry customers - to move to commodity hardware and software, client-server architecture, Ethernet networks and TCP/IP, replacing closed network infrastructure. As a result, standard, modern IT architecture is used to tie into control systems, such as SCADA systems and distributed control systems (DCS), for more efficient management and communication within primary locations, and to remote locations and control devices, such as remote terminal units (RTU) and programmable logic controllers (PLC).
Web portals and applications are essential components of modern business, but expose power and energy providers to the general and targeted attacks that threaten financial institutions and online retailers. Central control stations rely on standard Windows and Linux systems, and the associated security measures, such as server hardening, OS and application patching, and intrusion detection and prevention.
Adoption of "smart grid" technology also raises security concerns. The smart grid will link most of the country's power grid to the Internet, and there is concern about hacking "smart meters" and grid management software.
The stakes are far too high to ignore the potential danger. This is not FUD (fear, uncertainty and doubt) but a palpable threat. Stuxnet demonstrated that even an isolated control network can be penetrated and sabotaged. The attacker, most probably a nation-state, was able to insinuate infected USB drives into the control networks of Iran's Natanz uranium enrichment plant, infect control computers and destroy a number of centrifuges used in the process. Stuxnet leveraged no less than four zero-day exploits to initiate its attack and self-propagate through other systems using advanced worm-like techniques. Stuxnet was a weapon, designed for a single attack on a single critical target, but it was proof of the kind of damage that can be done, given the motivation and sufficient resources.
Stuxnet cannot be dismissed as an isolated incident. Given the use of standard platforms and connectivity to corporate networks and Internet, the risk is quite high. There's ample evidence of the growing threat to critical infrastructure:
- A video leaked by the Department of Homeland Security showed how engineers at Idaho National Labs demonstrated how they could cripple a diesel electric generator by remotely exploiting a vulnerability dubbed "Aurora", leaving it coughing in a cloud of smoke.
- In January 2008, a CIA analyst revealed that a number of cyber attacks had cut power to several cities outside the U.S.
- The Government Accountability Office (GAO) issued a scathing report on the number of security vulnerabilities at the Tennessee Valley Authority, the nation's largest public power company.
- In April 2009, The Wall Street Journal reported, according to unnamed current and former national security officials, that Russian and Chinese attackers penetrated the U.S. power grid, installing malware that could potentially be used to disrupt delivery.
- Michael Assante, who was then NERC CSO, told the House subcommittee on Emerging Threats, Cyber Security, and Science and Technology, "Cyber threats to control systems are still evolving and are not yet fully understood. The potential for an intelligent attacker to exploit a common vulnerability that impacts many assets at once, and from a distance, is one of the most concerning aspects of this challenge."
- A survey report by the Center for Strategic and International Studies (CSIS) said that SCADA systems are being attacked, and often security issues around the connection of SCADA systems to IP networks and the Internet weren't being properly addressed.
- Another CSIS report, in April 2011, said that 30% of IT security executives in the electricity utility sector believe their company is not prepared for a cyber attack, and 40% expect a major cyber attack within the next year.
Risk of Data Breaches
Power and energy companies must also be concerned about data breaches. They are entrusted with and responsible for thousands, often millions of customer records, including account credentials, credit cardholder data and personally identifiable information stored in databases on their networks. Companies doing business online are required by compliance mandates such as PCI DSS and state data breach notification laws, and their obligations to their customers and partners, to protect these records against unauthorized access.
The average total cost of a single data breach was more than $7.2 million dollars in 2010, according to a survey by the Ponemon Institute.
The 2011 Verizon Data Breach Report, which analyzes some 800 breach investigations by Verizon and the U.S. Secret Service, found that nine out of 10 breaches involved external agents (a 22% increase over the 2010 report), indicating a continued, even growing need for protection against outside attacks. Half the attacks involved some type of malware (an 11% increase), again underscoring the need for improved defenses on the network.
Corero Network Security Solutions
Corero Network Security provides superior solutions that protect power and energy companies against intrusions that could disrupt the critical infrastructure services that fuel the economy and literally mean the difference between life and death.
Corero’s First Line of Defense® is an organization’s new perimeter. It stops the latest breed of cyber-attacks, including DDoS attacks, zero-day exploits, remote exploit insertions, server targeted threats and access attempts from malicious IP addresses and unwanted geo-locations, all of which easily bypass traditional network security defenses and compromise enterprise networks.
Intrusion Prevention System
Corero's Intrusion Prevention System (IPS) solutions provide continuous, comprehensive protection against external attack, leveraging unique technology that discerns between legitimate and malicious traffic, providing more accurate detection and fewer false positives than other IPS products. Corero uses stateful protocol inspection and inspection of payload data files to determine if suspect traffic is behaving correctly or represents a threat.
Corero IPS features bidirectional traffic inspection, enabling response behavior analysis, in order to stop application layer attacks and detect compromised computers communicating with their command-and-control servers.
Corero solutions provide a high level of visibility into network activity, and help meet internal audit and regulatory compliance requirements critical in the power and energy sector through the Network Security Analyzer (NSA), a security information and event management tool. NSA provides robust and highly flexible logging, reporting and forensics capabilities.
Corero's IPS features a highly flexible and granular policy control, which allows power and energy company security personnel to craft rules that reflect their unique infrastructure and application environments to distinguish between good and bad traffic in both specialized control and more typical corporate networks.
DDoS Defense System
Corporate online presence also makes power and energy companies vulnerable to distributed-denial-of-service (DDoS) attacks, disrupting customer services, such as support requests, payments and account inquiries, as well partner transactions. The growing prevalence of hacktivism should be a concern, as attacks may be politically motivated, or in response to some real or perceived affront to the attackers' beliefs. A successful DDoS attack can cripple corporate websites, cutting off essential information and online services.
Corero's DDoS Defense System (DDS) products, leveraging Corero's award-winning DDoS defense technology, deliver nondisruptive protection from attack against the networks and servers that support power and energy companies' web services. It provides maximum protection for critical IT assets, detecting and blocking malicious traffic while allowing full access to legitimate users and applications.
The DDS delivers unmatched DDoS attack detection and mitigation against both the well-known network layer flooding attacks and the more insidious application layer attacks that are nearly impossible to detect without DDS patented technology. DDS delivers on-premises protection that traditional network security technologies, such as firewalls and other vendors' IPS products, cannot.
In concert with DDS, SecureWatch PLUS DDoS defense configuration/implementation, 24/7 monitoring and incident response services provide the most comprehensive DDoS defense available on the market.
Power and energy companies can deploy Corero's IPS and DDS solutions in line in full confidence that they will protect all the information in their trust while maintaining full levels of performance and service for their constituencies, from customers and employees to suppliers and partners. Corero appliances offer the lowest latency and highest reliability of any security products available on the market today. Corero's Core Platform, built on the Tilera multicore processor architecture and CoreOS software, provides real-world protection at real-world performance levels