US Power Grids, Oil and Gas Industries, and Risk of Hacking

A report released in June, from the security firm Dragos, describes a worrisome development by a hacker group named, “Xenotime” and at least two dangerous oil and gas intrusions and ongoing reconnaissance on United States power grids.

Multiple ICS (Industrial Control Sectors) sectors now face the XENOTIME threat; this means individual verticals – such as oil and gas, manufacturing, or electric – cannot ignore threats to other ICS entities because they are not specifically targeted.

The Dragos researchers have termed this threat proliferation as the world’s most dangerous cyberthreat since an event in 2017 where Xenotime had caused a serious operational outage at a crucial site in the Middle East. 

The fact that concerns cybersecurity experts the most is that this hacking attack was a malware that chose to target the facility safety processes (SIS – safety instrumentation system).

For example, when temperatures in a reactor increase to an unsafe level, an SIS will automatically start a cooling process or immediately close a valve to prevent a safety accident. The SIS safety stems are both hardware and software that combine to protect facilities from life threatening accidents.

At this point, no one is sure who is behind Xenotime. Russia has been connected to one of the critical infrastructure attacks in the Ukraine.  That attack was viewed to be the first hacker related power grid outage.

This is a “Cause for Concern” post that was published by Dragos on June 14, 2019. 

“While none of the electric utility targeting events has resulted in a known, successful intrusion into victim organizations to date, the persistent attempts, and expansion in scope is cause for definite concern. XENOTIME has successfully compromised several oil and gas environments which demonstrates its ability to do so in other verticals. Specifically, XENOTIME remains one of only four threats (along with ELECTRUM, Sandworm, and the entities responsible for Stuxnet) to execute a deliberate disruptive or destructive attack.

XENOTIME is the only known entity to specifically target safety instrumented systems (SIS) for disruptive or destructive purposes. Electric utility environments are significantly different from oil and gas operations in several aspects, but electric operations still have safety and protection equipment that could be targeted with similar tradecraft. XENOTIME expressing consistent, direct interest in electric utility operations is a cause for deep concern given this adversary’s willingness to compromise process safety – and thus integrity – to fulfill its mission.

XENOTIME’s expansion to another industry vertical is emblematic of an increasingly hostile industrial threat landscape. Most observed XENOTIME activity focuses on initial information gathering and access operations necessary for follow-on ICS intrusion operations. As seen in long-running state-sponsored intrusions into US, UK, and other electric infrastructure, entities are increasingly interested in the fundamentals of ICS operations and displaying all the hallmarks associated with information and access acquisition necessary to conduct future attacks. While Dragos sees no evidence at this time indicating that XENOTIME (or any other activity group, such as ELECTRUM or ALLANITE) is capable of executing a prolonged disruptive or destructive event on electric utility operations, observed activity strongly signals adversary interest in meeting the prerequisites for doing so.”

Defending Industrial Control Systems From Cyber Threats

Industrial control system data cannot be protected by
a fence around the plant site.

Industrial control system owners, operators, and other stakeholders should be aware of their exposure to malicious intrusion and attack by individuals or organizations intent on inflicting physical damage, stealing information, or generally wreaking havoc throughout an industrial operation. The risk of intrusion, regardless of the size or type of facility, is real and deserves the focused attention everyone involved in the design and operation of industrial control systems.

The National Cybersecurity and Communications Integration Center, part of the US Department of Homeland Security, ...

serves as a central location where a diverse set of partners involved in cybersecurity and communications protection coordinate and synchronize their efforts. NCCIC's partners include other government agencies, the private sector, and international entities. Working closely with its partners, NCCIC analyzes cybersecurity and communications information, shares timely and actionable information, and coordinates response, mitigation and recovery efforts. (from www.us-cert.gov/nccic)

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is a division under NCCIC. It has published a set of seven basic steps toward establishing a more secure industrial control system. I have included the publication below, and it is interesting and useful reading for all involved in industrial process control.

Having a fence around an industrial site, with a guarded entry gate, no longer provides the level of security needed for any industrial operation. Read the seven steps. Take other actions to build your knowledge and understanding of the risks and vulnerabilities. Cybersecurity is now another layer of design tenets and procedures that must be added to every control system. It will be a part of your company's best practices and success, now and in the future.

There are uncountable legacy controllers and communications devices throughout industrial America. All need to be reassessed for their vulnerability in the current and upcoming security environment. When reviewing your processes and equipment, do not hesitate to contact Analynk Wireless for assistance in your evaluation of our products.

Defending industrial control systems from cyber attack from Analynk Wireless, LLC