The return of Dragonfly, a sophisticated cyber espionage group, has put the energy sector on red alert. The group, which has been in sporadic operation since 2011, recently stepped up its attempts to compromise energy infrastructures, specifically targeting the USA, Turkey and Switzerland. According to researchers at Symantec, the group was trying to determine how power supply systems work and what could be compromised as a result.

It is no longer a surprise that our energy systems fall victim to such cyberattacks. While the perpetrators may be bedroom hackers seeking no harm other than ‘seeing if it’s possible’, a more popular motive is monetary gain. Ransomware is a mainstay of the seasoned hacker’s toolkit. What is becoming clearer is that energy firms are prime targets for state-sponsored threat-actors, seeking to uncover privileged information and to potentially disrupt a nation’s critical infrastructure.


Are nuclear plants secure?

Nuclear facilities are of course no stranger to cyber threats. There is already a wealth of examples to point to in recent decades, including the worm infection of the Davis Besse nuclear power station in 2003; a cyber espionage campaign against South Korea’s KHNP power plant operator in December 2014; and another worm infection of the Gundremmingen power plant in Germany only last year.

This is a major concern. The European Union depends on nuclear power for over 25% of its electricity, meaning a successful attack could cause plant outages that create major loss of power throughout the continent. Although the UK has issued a civil nuclear cyber security strategy to protect the industry against attacks, there is a fear that other nations in Europe are not responding quickly enough to mitigate these growing threats.

Dragonfly group did not cause any significant damage in its latest return. The lights remained on. What is more worrying is the intelligence that could have been gained, which could lead to a more dangerous cyberattack in the near future. Now is the time for nuclear and energy facilities to up their security game and ensure they are prepared.


How did Dragonfly occur?

The methods detected in this latest Dragonfly attack include email phishing, Trojan malware and watering hole websites. The good news is these are all well-known attack vectors and most security teams, especially in a nuclear environment, will already have the correct processes in place to mitigate these threats. But on this occasion the attack was still successful. How did Dragonfly bypass pre-existing security measures?

A key lesson is the importance of continued education. Dragonfly hackers proved themselves very effective at phishing via email, for example, and using it to access servers. Security specialists should work closely with organisations to implement good, basic practice at every level. Together, infrastructure providers and their security partners must make awareness of the dangers of such attacks part of a positive, proactive company culture.

Nonetheless, we all know that end-user education alone will never be enough. This should also be bolstered by layered defence-in-depth.


Preventing a blackout

What does defence-in-depth mean for the nuclear sector? To ensure Europe is fully prepared for an attack against its energy infrastructures, the conversation must change from one of mitigation to include prevention. No longer is it good enough to clean up the mess a breach leaves in its wake. It will be far more effective for security teams to avoid an infection from the outset. Our plants, and the technology within them, must be secure by design.

Proactive regimes that include regular retraining and offensive exercises, such as penetration testing, will help support security readiness and pinpoint vulnerabilities across the supply chain. This will require ongoing investment and a commitment at all levels of industry, but it remains essential to keep our defences sharpened.

As well as prevention, it is still of vital importance to invest time and money in the ability to respond to an incident. Specialist forensic skills and knowledge have to be developed within the ICS and SCADA environment, so that once an incident is detected it can be quickly identified and neutralised with the least disruption to operations. As was the case with Dragonfly, dedicated attackers will often find a way through the gates.

The nuclear sector must focus not only on the physical safety and security of its premises, but also increase its efforts in this new cyber world. The Dragonfly report by Symantec highlights the very real threat of a cyberattack on our power networks, but the technical abilities and knowledge exist to build proactive policies and tools to reduce risk, mitigate damage and minimise disruption to services. Prevention is key; the lesson learnt from Dragonfly is that we must act to implement this now. There will be another attack, of that we can be certain.

Jalal Bouhdada is Founder and Principal ICS Security Consultant for Applied Risk. He has over 15 years’ experience in ICS security assessment, design and deployment.