Blog

Breach or Blackout? When ransomware locks the grid’s back office

David Wolf | April 17, 2020

Breach or Blackout? When ransomware locks the grid’s back office

Spearphishing. Rogue IoT devices. Brute-forced remote access. Forgotten legacy systems. Unpatched web servers. Compromised vendors. Random USB sticks. Watering holes. Evil janitors. Attack-by-air. Unsecured S3 buckets. Use of valid credentials. Flipped insiders. The occasional zero-day exploit. Luck.

There are lots of ways threat actors can penetrate the connected enterprise to drop ransomware. Of the technical variety, the MITRE ATT&CK adversarial framework details 11 techniques attackers use to gain Initial Access [1]—and it’s likely that at least one of these techniques is how attackers breached and dropped ransomware on European energy giant Energias de Portugal (EDP). That’s what we’re talking about in the Forescout Research Labs this week, along with notes of hope that the why is simply financial gain.

Breach vs Blackout: What’s the worst case for ransomware in Energy?

Data breach is bad for business and the cost of breach is increasing: While Healthcare and Financial Services are cited as having the costliest breaches, Energy is running a close third, at $5.6M per incident, according to IBM and Ponemon [2]. Energy’s $5.6M breach price tag pales, of course, in comparison to the almost $11M ransom demanded by EDP’s attackers, who used RagnarLocker ransomware to lock EDP’s back office after exfiltrating potentially 10 terabytes of corporate data [3].

Fortunately for EDP there was no physical blackout. The market brushed off the incident and expected cost of cleanup with a stock price that hit a 30-day high following the disclosure. That’s partly because it was just the utility’s back office—this time. EDP customers got lucky compared to South Africa’s JoBurg ransomware-and-blackout last July [4] and the national consequences of Russian attacks on Ukraine’s grid, which used specialty malware to target industrial control systems (ICS) in critical infrastructure.

Regulation, baselines and fines: New controls coming soon for the Bulk Electric System (BES)

The EDP ransomware incident occurred despite pending regulation intended to prevent such issues from happening. Effective July 2020, new required cybersecurity controls are coming via NERC CIP-013, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standard. Against a 2019 backdrop of record-setting fines levied against utilities [5] [6] [7], NERC’s new cyber controls include limiting exposure to malware (like ransomware), remote access control, and a risk-based approach to vendor management and device procurement [8]. Ultimately, these controls—which require Asset Inventory, Network Access Control and Network Segmentation solutions—provide defensive layers to mitigate cyber risk and establish a baseline for measuring noncompliance and the basis for financial penalties. The stage is set for cyber incidents in Energy to become even more expensive.

What can we expect following the EDP ransomware incident?

Based on what we know today, the good news for the incident might be that it’s “just a cybercriminal gang” with a purely financial motivation. Although nation-state threat actors are well-versed in robbing banks [9] and stealing bitcoin [10], their motives for hacking utilities extend past digital extortion into the political and cyber-physical—areas of grave concern by U.S. officials [11] and futurist think tanks [12]. Blackouts can be catastrophic, causing operational downtime, economic damage, and even public unrest, as in the New York City blackout of 1977. Coupling blackout to physical attack could become a troubling damage multiplier. But as far as the markets are concerned about EDP, this week’s incident was just a spot of ransomware.

The bad news is that it’s still early stages—the first known U.S. grid cyberattack occurred just nine months ago [13] even while the U.S. grid continues to run with components from the 1890s that are increasingly unable to deliver to today’s power-consumption needs [14]. In the meantime, cybercriminal exploit kits have become more capable of targeting industrial controllers and operational technology (OT) systems made by vendors like Advantech/Broadwin, Schneider Electric, Siemens, Cogent, GE, ABB, Moxa, Yokogawa and more [15]. Air-gapped or not, the overarching trend of IT-OT convergence is bringing devices and networks closer together. It seems inevitable that someday soon it won’t just be nation-states probing for the best way to shut down the smart city—it’ll be common practice for criminal enterprises too.

For more information on how utility companies can implement cybersecurity controls and streamline NERC CIP compliance efforts using OT network visibility solutions, check out our eBook or chat with a cyber resilience expert.

Download the eBook

References:

[1] https://attack.mitre.org/tactics/TA0001/

[2] https://www.ibm.com/security/data-breach

[3] https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/

[4] https://www.bbc.com/news/technology-49125853

[5] https://www.eenews.net/stories/1060119265

[6] https://www.nerc.com/pa/comp/CE/Enforcement%20Actions%20DL/Public_CIP_FinalFiled_NOP_NOC-2622_Part-1.pdf

[7] https://www.nerc.com/pa/comp/CE/Enforcement%20Actions%20DL/Public_FinalFiled_NOP_NOC-2630.pdf

[8] https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf

[9] https://www.cnn.com/2019/03/01/politics/north-korea-cyberattacks-cash-bank-heists/index.html

[10] https://www.reuters.com/article/us-northkorea-cyber-un/north-korea-took-2-billion-in-cyberattacks-to-fund-weapons-program-u-n-report-idUSKCN1UV1ZX

[11] https://www.eenews.net/energywire/2019/01/30/stories/1060118951

[12] https://www.cfr.org/report/cyberattack-us-power-grid

[13] https://www.eenews.net/stories/1061111289

[14] https://www.smartgrid.gov/the_smart_grid/smart_grid.html

[15] https://www.helpnetsecurity.com/2020/03/24/ics-attack-tools/