ICS Cyberwarfare: The Latest Threat to America’s Power Grid

The modern world is dependent on electricity, and the United States is no exception. I remember the notorious blackouts that affected the eastern U.S. and Canada in August 2003. The duration of the mass power outage lasted anywhere between several hours and a week depending on where you were. I was in Hamilton, Canada, and it was chaos.

Hospitals’ ability to perform emergency surgeries depends on their backup power units, and if the blackout had lasted longer than their battery capacity, there would have been actual deaths. Police departments were overburdened with having to manually direct traffic at intersections all over multiple cities. Thousands of retailers and other businesses had to suspend their operations. Subway systems in Toronto and New York City ground to a halt. If the blackout had lasted longer than it did, it would have been a large-scale disaster for both countries.

And all of this was caused by a software bug in an Ohio power plant. It wasn’t even a cyberattack.

Cyberattacks on industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems are no laughing matter. They’re some of the most dangerous attacks imaginable. According to current Dragos research, the Xenotime cyberwarfare group is ready and willing to attack the U.S. power grid. At this point, it’s more a matter of ‘when’ rather than ‘if’ such an attack happens.

Along those lines, let’s talk about Stuxnet. Stuxnet was a very specifically designed worm that targeted programmable logic controller (PLC) specific vulnerabilities. The malware targeted power facilities in Iran, and its code was so obscure that it stumped many malware reverse engineering experts for quite some time.

From David Kushner at IEEE Spectrum:

“Recognition of such threats exploded in June 2010 with the discovery of Stuxnet, a 500-kilobyte computer worm that infected the software of at least 14 industrial sites in Iran, including a uranium-enrichment plant. Although a computer virus relies on an unwitting victim to install it, a worm spreads on its own, often over a computer network. The worm’s authors could spy on the industrial systems and even cause the fast-spinning centrifuges to tear themselves apart, unbeknownst to the human operators at the plant.”

Once Stuxnet hit, the cybersecurity field finally started to take cyberwarfare and industrial cyberattacks more seriously.

Xenotime – the Next Stuxnet-Like Threat?

Dragos has been researching the Xenotime cyberwarfare group since 2017, and have surmised that they currently pose a Stuxnet-like threat to America’s power grid. In theory, they could even take down the electricity supply across the whole of the United States.

Xenotime first came to the researchers' attention through their Saudi Arabian oil and gas facility ICS cyberattack with Trisis malware. From there, Xenotime's attacks spread to oil and gas facilities elsewhere in the Middle East.

When cyberwarfare targets ICS systems, we’re talking about very carefully targeted operations. It takes the resources of militaries to pull off this kind of planning. Extensive research and fingerprinting are done on their targeted facilities and the most minute details of their software and computer equipment. Often, supply chains are infected through vendors, so equipment specifically made for a certain facility can be infected with malware before it is installed. These are often advanced persistent threats (APTs) which go on lurking for years, often undetected.

After the Trisis attacks of 2017, Dragos has observed Xenotime engaging in external scanning, network enumeration, and open source research of both European and North American targets. Now it appears they’re targeting America’s power grid.

From the Dragos report:

“In February 2019, Dragos identified a change in Xenotime behavior: starting in late 2018, Xenotime began probing the networks of electric utility organizations in the U.S. and elsewhere using similar tactics to the group’s operations against oil and gas companies.

Multiple ICS sectors now face the Xenotime threat; this means individual verticals – such as oil and gas, manufacturing, or electric – cannot ignore threats to other ICS entities because they are not specifically targeted. As such, a key element in defense against sophisticated, expanding threats is understanding threat behaviors and methodologies, beyond simply indicators of compromise.”

Mitigating Future ICS Cyberattacks

What can industrial utilities do to make threat groups like Xenotime less likely to be successful? How can we help protect America’s power grid and save human lives?

Threat intelligence specific to ICS is more important than ever before. Procuring greater visibility into ICS systems and their networks is an absolutely vital starting point. Network activity must be thoroughly monitored and meticulously logged. Process-specific data and network events must be watched carefully. All industrial and computing assets must be identified, as they’re all vulnerable.

As adversary methodologies evolve over time, unique threat behavior patterns emerge. These trends all have to be identified so that ICS systems can effectively harden their security. Cyberwarfare groups like Xenotime are highly advanced; the challenge is to be even more highly advanced.

The Dragos report notes:

“While none of the electric utility targeting events has resulted in a known, successful intrusion into victim organizations to date, the persistent attempts, and expansion in scope is cause for definite concern. Xenotime has successfully compromised several oil and gas environments which demonstrates its ability to do so in other verticals. Xenotime expressing consistent, direct interest in electric utility operations is a cause for deep concern, given this entity’s willingness to undermine fundamental process safety in ICS environments, placing lives and environments at great risk.”

Dragos emphasizes that the observed behavior is an expansion, a proliferation of the threat, and not a shift – oil and gas entities must still grapple with this adversary’s activity. While unfortunate, the expansion should serve as a clear signal to ICS operators, not only in oil and gas or electric utility operations, that the time to plan, implement, and enforce security standards and response processes in industrial environments is now.

I also see the benefit in ICS-based utility entities across the world sharing intelligence, internationally and between possibly competing corporations. The public sector must be involved in much the same way. Defending against threats like Xenotime absolutely must be a collaborative and cooperative effort to prevent future mass societal chaos.