Hackers that tried to interfere with the safety systems of an industrial plant are now looking at power utilities too, according to a cybersecurity company. Dragos identified the XENOTIME activity group expanded its targeting beyond oil and gas to the electric utility sector. This expansion to a new vertical illustrates a trend that will likely continue for other ICS-targeting adversaries.
Tim Mackey, Principal Security Strategist at Synopsys CyRC (Cybersecurity Research Center):
“With digital sensors and computing devices within industrial plants having life-spans far exceeding those of commercial devices, a comprehensive patch management strategy designed with a detailed understanding of the software supply chain powering these devices is a critical component of ongoing threat mitigation. This strategy should be based on a detailed software asset inventory which includes not only specific applications or control system device firmware, but also any dependencies on external components. For example, any given application likely is constructed using a combination of proprietary and open source code. Managing the patch cycle of open source components is different than that of vendor supplied code. With the Synopsys 2019 Open Source Security and Risk Analysis (OSSRA) report showing that 92% of industrial applications audited in 2018 containing at least one open source component, operators of critical infrastructure should look not only at vendor patch capabilities, but incorporate open source patch management as part of their overall cybersecurity strategy.”
Sam Curry, Chief Security Officer at Cybereason:
“Hackers work for many motives and goals. Those who are profit minded look for the most return for the least investment. Translated into security that means whomever is the weakest. Those who aren’t profit minded either want splash, and electrical power is showy; or they want options for the extension off politics by other means. However you slice it, the electrical grid is attractive to hackers.
Today, hyperbole is everywhere in cyber. The possibility of a Digital Pearl Harbor sounds and conjures images, but this is not an imminent risk at the moment. It becomes one under very different geopolitical circumstances. Pearl Harbor involved nation states going to war for years and was a strategic move in an attempt to neutralise the military assets of the US. The equivalent would have to match all of those, which makes it more than cyber, although nation states might build assets to prepare for such an attack in the future as an insurance policy and war gambit. A cyber 911 has less criteria to meet: strike at civilians, highly visible, terrorism. Either way, there’s no indication of anything like that here.
Regarding cyber attacks against critical infrastructure entities, the US and other governments should be looking to work together in law enforcement, with treaties and establishing new, more universal cyber norms. The time has come to deal with this as we deal with drug lords, war crimes and money laundering and not just ad hoc.”
Renaud Deraison, Chief Technology Officer and Co-founder at Tenable:
“The latest reports that Xenotime is targeting electric utilities in the US and Asia-Pacific region should come as no surprise, but certainly warrants concern. The on-going threats to operational technology (OT) and critical infrastructure are no longer theoretical, they have become our new reality. This is, in part, due to the convergence of IT and OT which has connected once-isolated OT systems to the outside world, exposing them to a variety of potential attacks While reports indicate these latest attacks didn’t result in a successful intrusion, this should be a stark wake up call for organisations everywhere.
An independent study, conducted by Ponemon Institute on behalf of Tenable, found that 90% of organisations reliant on OT systems had experienced at least one damaging cyber attack over the past two years and 62% had two or more. These attacks resulted in data breaches and/or significant disruption and downtime to business operations, plants and operational equipment.
The convergence of these two worlds has left OT in the purview and responsibility of CISOs. This means the IT and OT silos must be broken down and replaced with a single pane of glass to identify where organisations are exposed and to what extent. This is an important step in reducing the chances of mission- and safety-critical systems being compromised or taken offline.”