The real cyber security threats lie in the critical infrastructure sector, and the energy and power sector currently faces some of the most critical challenges. Emergency services, water treatment plants, traffic management, and other critical infrastructure rely on operational technology solutions to operate correctly. Operational technology (OT) uses hardware and software to manage industrial equipment and systems in the energy, industrial, manufacturing, oil and gas, robotics, telecommunications, waste control, and water control industries. Cyber security is vital to OT systems because it protects critical infrastructure: any momentary delay or period of unplanned downtime can cause manufacturing plants, power plants, or water supply systems to shut down.
Attacks on OT are far more sophisticated and complex than typical IT attacks. Access to OT devices usually has to be restricted to small groups of people within an organization. The highly specialized nature of OT means it typically requires custom software rather than standard operating systems such as Windows. IT attacks are more widely reported, and we are more acclimatized to them; OT attacks, however, are debilitating. There are significant differences between OT and IT. The primary ones are that OT systems are autonomous, isolated, self-contained, and run on proprietary software. In contrast, IT systems are connected, lack autonomy, and typically run on popular operating systems like iOS and Windows.
Industrial control systems (ICS) are one of the most prominent forms of OT. They control and monitor the performance of industrial processes and deploy systems like Supervisory Control and Data Acquisition (SCADA), which gather and analyze data in real time to manage plant equipment. These systems typically use programmable logic controllers (PLCs), which use information from sensors or devices to perform tasks like monitoring machine productivity, tracking operating temperatures, and automating machine processes. Securing OT relies on solutions like Security Information and Event Management (SIEM), which provides real-time analysis of application and network activity, and Next-Generation Firewalls (NGFWs), which filter traffic entering and leaving the network.
As power companies digitize and build the power sector’s version of the industrial internet of things, including the “smart grid”, their OT and IT systems are converging. The challenge is expanding exponentially, since today’s interconnected world also requires them to secure vast, far-flung, and increasingly complex global supply chains.
Power companies purchase information, hardware, software, services, and more from third parties across the globe, and threat actors can introduce compromised components into a system or network, unintentionally or by design, at any point in the system’s life cycle. This may happen through software updates or “patches”, which are downloaded frequently, or through firmware that can be manipulated to include malicious code for exploitation at a later date. Adversaries may also compromise the hardware that utilities install in their operational systems.
The Central Electricity Authority, Ministry of Power, has prepared the Guidelines for Cyber Security in the Power Sector with the objective of creating a cyber-secure ecosystem. They lay down a cyber assurance framework that strengthens the regulatory framework and puts in place mechanisms for early warning of security threats, vulnerability management and response to security threats, securing remote operations and services, protection and resilience of critical information infrastructure, reducing cyber supply chain risks, encouraging the use of open standards, and promoting research and development in cyber security. In line with the Ministry’s framework, WhizHack, in partnership with NPTI (National Power Training Institute), provides training at Basic, Intermediate and Advanced levels to employees of power and energy companies.
WhizHack is India’s only vertically integrated cyber security organization and aims to be a completely self-reliant outfit that digitally secures India. It has developed the ‘Made in India’ threat detection product TRACE and the zero-day cyber-attack prediction and remediation engine ZEROHACK, which are currently used in strategic Indian defence, power sector and academic establishments. The company has a global services team that is deployed to provide on-site resolution of advanced attacks. Its training division uses advanced pedagogy, personalized hands-on labs and access to top faculty from IITs and industry experts to create highly empowered cyber defenders.
There are many threat, detection and solution scenarios one can cite in the energy and power sector which WhizHack’s TRACE + ZeroHack can counter with holistic solutions. An attacker can gain control of many consumer electronics and use them to infiltrate power generation. Such infiltration can let the attacker control the power grid by exploiting the characteristics of the consumer electronics to influence the frequency within the grid, causing a power outage. Botnets such as Conficker, Hajime, or WannaCry, which can control millions of devices, make such attacks more likely than they appear. To counter this, WhizHack TRACE sensors can be deployed as decoy sensors in substations, setting up a tripwire that raises alarms before a potential attacker gains large-scale control over these IoT sensors.
Another classic scenario involves Process Control Networks (PCN). Devices in the PCN communicate using dated and insecure protocols such as DNP3 and IEC 60870-5-104. These protocols do not support basic security mechanisms such as authentication or integrity protection. Our TRACE sensors support these protocols, enabling automated threat detection with detailed insights into the attack vectors, which can then be used to take the actions necessary to secure the PCN.
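Because IEC 60870-5-104 carries no authentication, a sensor cannot ask the protocol who sent a command; it has to infer legitimacy from context such as the source address. The following is an added, illustrative detector (not WhizHack's TRACE code, not vendor logic): it decodes the IEC 104 APCI/ASDU header and raises an alert when a control command (type IDs 45-51, 58-64, 105) arrives from a host that is not on the assumed allow-list of SCADA masters. The frames and IP addresses are constructed for the example.

```python
"""Illustrative IEC 60870-5-104 command inspector (constructed example, not TRACE code).
Flags process-control ASDUs sent by hosts outside the allow-list of known masters."""
import struct

# ASDU type IDs that change process state: C_SC_NA_1..C_BO_NA_1 (45-51),
# their time-tagged variants (58-64) and C_RP_NA_1 reset process (105).
CONTROL_TYPE_IDS = set(range(45, 52)) | set(range(58, 65)) | {105}
TYPE_NAMES = {1: "M_SP_NA_1 single-point info", 45: "C_SC_NA_1 single command",
              46: "C_DC_NA_1 double command", 105: "C_RP_NA_1 reset process"}


def parse_apdu(raw):
    """Decode one APDU. Returns None if it is not a well-formed IEC 104 frame."""
    # APCI: start byte 0x68, APDU length (bytes after the length field), 4 control octets.
    if len(raw) < 6 or raw[0] != 0x68 or raw[1] != len(raw) - 2:
        return None
    ctrl = raw[2:6]
    if ctrl[0] & 0x01:  # bit 0 set: S-format (..01) or U-format (..11), no ASDU follows
        return {"format": "U" if ctrl[0] & 0x03 == 0x03 else "S", "type_id": None}
    if len(raw) < 12:
        return None
    # ASDU header: type id, VSQ, cause of transmission, originator, common address (2 bytes).
    type_id, vsq, cot, orig, casdu = struct.unpack("<BBBBH", raw[6:12])
    ioa = int.from_bytes(raw[12:15], "little") if len(raw) >= 15 else None  # first object address
    return {"format": "I", "type_id": type_id, "cot": cot & 0x3F, "casdu": casdu, "ioa": ioa}


def inspect(src_ip, raw, allowed_masters):
    """Return an alert string for a suspicious frame, or None if the frame is acceptable."""
    apdu = parse_apdu(raw)
    if apdu is None:
        return f"ALERT {src_ip}: malformed IEC 104 frame"
    if apdu["format"] != "I" or apdu["type_id"] not in CONTROL_TYPE_IDS:
        return None  # monitoring data, supervisory and test frames are not commands
    if src_ip in allowed_masters:
        return None
    name = TYPE_NAMES.get(apdu["type_id"], f"type {apdu['type_id']}")
    return (f"ALERT {src_ip}: {name} (COT {apdu['cot']}) to CASDU {apdu['casdu']} "
            f"IOA {apdu['ioa']} from host not on master allow-list")


# Constructed traffic: (source IP, frame). Only 10.0.0.5 is an assumed legitimate master.
ALLOWED_MASTERS = {"10.0.0.5"}
SAMPLE_TRAFFIC = [
    ("10.0.0.20", bytes.fromhex("680e00000000" "010103000100" "010000" "01")),  # RTU monitoring data
    ("10.0.0.5", bytes.fromhex("680e02000000" "2d0106000100" "050000" "81")),   # master single command
    ("10.0.9.77", bytes.fromhex("680e02000000" "2d0106000100" "050000" "81")),  # same command, rogue host
    ("10.0.0.5", bytes.fromhex("680443000000")),                                  # U-format TESTFR act
]


def run(traffic=SAMPLE_TRAFFIC, allowed=ALLOWED_MASTERS):
    """Inspect every frame and return the list of alerts raised."""
    return [a for src, raw in traffic if (a := inspect(src, raw, allowed))]
```

Running `run()` on the constructed traffic yields exactly one alert, for the single command sent by 10.0.9.77; the identical command from the listed master is accepted, which is precisely why the allow-list (or a decoy that no legitimate master should ever talk to) must be maintained carefully.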
In another complex attack scenario in the power and energy sector, attackers gain access to machines in the office network via spear-phishing, then passively listen for user credentials and search for the VPN tunnel to the PCN. In the case of insider attacks there is direct access to the PCN or field devices via the control room, so insiders can directly control devices or introduce malware, even into air-gapped systems. To reduce the attack surface from the office network to the PCN, specially designed decoys emulating a SOCKS5 proxy can be deployed to deceive attackers, and to prevent insider attacks ZeroHack agents can be set up to detect lateral movement in the office networks.
There are multiple scenarios, and attackers come up with new ones every day. Cyber security and its threats form a dynamic domain, so we must continually develop ourselves if we are to counter them. An integrated approach covering products, services and manpower development is the only way forward.
Article by: Sanjay Sengupta, CTO, Whizhack Technologies Pvt. Ltd.