STATE OF CLOUD SECURITY BULLETIN
Information Security in the Energy Sector
Summer 2013

FROM APR-SEP 2012:
67% of Alert Logic customers in the energy industry experienced BRUTE FORCE ATTACKS
61% of Alert Logic customers in the energy industry were subject to MALWARE/BOTNET ATTACKS

Companies in the energy sector are highly attractive targets for cyber attacks. The Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) found that, of the malware attacks reported to it in 2012, 41% were made on the systems of energy companies, such as grid operators and natural gas pipeline companies. Although the overall number of incidents reported was relatively small (198), the proportion aimed at energy was not. The sector receiving the next highest number of threats (Internet-facing industrial systems) experienced only 11% of them.

In an analysis of security incidents among its energy industry customers, Alert Logic found that energy companies are subjected to a broad range of attacks. Data captured over the period from April 1 to September 30, 2012 showed that 67% of Alert Logic's customers in the energy industry experienced brute force attacks (hackers looking for opportunistic points of vulnerability), while 61% were subject to malware/botnet attacks. [1]

[1] Alert Logic State of Cloud Security Report, Spring 2013
THE CATALOG OF RECENT ENERGY-SPECIFIC IT HACKING ACTIVITY ALSO INCLUDES:

01. Four zero-day vulnerabilities were discovered in products from ABB, which provides controls and automation to the energy industry.
02. GeorgeTheGod breached an oil provider, dumping 330 sets of credentials.
03. Anonymous targeted the energy news media, grabbing the credentials of 3,456 users.
04. Anonymous hacked a German business organization and stole documents relating to Bahar Energy and SOCAR (State Oil Company of Azerbaijan).
05. SCADA software vendor TelVent was hacked, and project files related to control systems for electric smart grids were stolen.
06. Voldemort targeted an oil marketing company, compromising over four thousand users' credentials.
07. Central Hudson Gas and Electric, a New York utility, had to alert its hundreds of thousands of customers that a cyber attack might have compromised their banking information.
08. The Department of Energy's Savannah River Project (nuclear energy) had the personal information of 12,000 employees stolen.

TARGETING THE ENERGY SECTOR

There is a large and growing list of major cyberattacks that have specifically targeted the energy sector. During 2012, Anonymous #OpSaveTheArctic hacked employee emails from major oil companies, and exposed credentials. In August 2012, thirty thousand workstations at Saudi Aramco were offline for ten days after an externally introduced virus penetrated their internal network. In early 2013, hackers breached the U.S. Department of Energy, compromising fourteen servers and twenty workstations, and making off with the personal identification of several hundred employees and contractors. Also in 2013, JEA, a major Florida utility, was the victim of a DDoS attack that shut down its online and telephone payment systems.
In May 2013, it was reported that hackers backed by Iran have been mounting an increasing number of cyber attacks on energy companies, and had successfully accessed the control-system software that could enable them to sabotage oil and gas pipelines. Earlier in the month, two congressmen released a report on a survey of 150 power companies. The survey revealed that more than a dozen utilities reported daily, constant or frequent attempted cyber attacks. And in a notable 2012 incident, Canadian energy firm Telvent revealed that some of its SCADA systems, which are used to control more than half of the pipelines in North America and Latin America, had been breached, potentially exposing information that could be used to sabotage systems.

The list is far longer, and the attacks relentless. While some of the attacks are aimed at stealing consumers' personal financial information (i.e., are not necessarily energy-specific in nature), a troubling number are after information that's highly confidential, highly proprietary, and highly valuable: government and private sector files on energy exploration, production, and delivery; detailed maps; geologic information; survey and assay data; information on technology; other intellectual property; deal financials; and political analysis.

It's also interesting to note that even government entities, which invest heavily in cyber-security, have been breached. Energy companies that believe that the government will be able to track down all threats should keep this in mind.

State of Cloud Security Bulletin: Information Security in the Energy Sector, www.alertlogic.com

HOW THE BAD GUYS DO IT

HIGHLY VALUABLE, HIGHLY VULNERABLE

It is precisely the value of energy-related information that makes it such an attractive target. The attractiveness is especially heightened when it comes to emerging technologies around fracking to extract natural gas and light tight oil from shale. While there are ample business reasons for targeting energy companies, there are even more insidious reasons lurking. For entities (state or non-state actors) bent on conducting cyber-warfare, the opportunity to inflict catastrophic damage on a nation by attacking its energy infrastructure is highly enticing.

There are a number of factors that contribute to energy sector IT security vulnerability:

SCADA
SCADA (Supervisory Control And Data Acquisition) systems are widely used in all critical infrastructure industries, including oil and gas pipelines and the electric grid, yet they are considered vulnerable to hacking.

Prevalence of Subcontracting
Major energy sector companies (resource extraction) rely extensively on smaller firms with limited IT resources as subcontractors. Their systems may be interconnected with those of the larger companies that hire them, making those larger companies more vulnerable to attacks.

Risk vs. Reward
The costs associated with securing IT infrastructure have sometimes been weighed and found wanting when placed against the costs of doing nothing. Fixing the damage (or paying the fine) can sometimes be seen as the financially optimal choice.
ANATOMY OF A BREACH

In the energy sector, one of the simplest ways to attack the major providers is by targeting subcontractors, which are often small companies with few IT resources and little or no in-house cyber-security expertise.

Research the Industry
>> Determine the energy companies to target.
>> Find contract companies that are doing business with large energy companies.

Research and Compromise a Contractor
>> Find employee data through social networking sites.
>> Identify those in technology positions, their experience and technologies used.
>> Create list of usernames and passwords.
>> Determine level of access through VPN by reviewing user logs.

Research technology positions, required experience and technologies used in the targeted energy company
>> Craft phishing email to the employee lists.
>> Use exploit that takes advantage of technologies used in the company, or distribute a link that will lead to a generic exploit landing site.
>> Install Trojans or credential-stealing code.
>> Create list of usernames and passwords and determine level of access.

Breach energy company using the contractor's workstation

Escalate privileges using the credentials collected during the energy phishing campaign

Find data that is of value and start collecting the data to a centralized source

Remove data to offsite storage

Breach complete
BYOD
The Bring Your Own Device (BYOD) trend can put corporate systems at significant risk. Even a seemingly harmless device like a USB thumb drive can be a virus carrier introducing catastrophic harm.

BYOA
Whether or not they're bringing their own devices, employees are increasingly using their own applications for collaboration, communication/social media, file transfer, and productivity.

The Human Element
As with BYOD and BYOA, there is nothing industry-specific about the use of worst practices (e.g., password = 1234, employees accessing suspect sites while at work, etc.) in the energy sector. Still, in isolated locations (remote sites, oil rigs), introducing infected files by downloading music and video files occurs with some regularity.

ATTACKS ON ENERGY INDUSTRY COMPANIES: JANUARY 2013 TO MAY 2013

Between January 1 and May 23, 2013, Alert Logic observed 8,840 incidents among its energy sector customers. An incident is an event or group of events detected via IDS that has been confirmed as a valid threat based on advanced automated analysis by Alert Logic's expert system and verified by a team of the company's GIAC-certified security analysts.

ATTACKS ON ENERGY INDUSTRY COMPANIES: DATA TABLES
January 2013 through May 2013

Proportion of Incidents
Incidents are grouped by class in the categories listed below. The results showed:

INCIDENT CLASS                       NUMBER OF INCIDENTS   PROPORTION OF INCIDENTS
Application Attack                            294                    3.3%
Brute Force                                  2699                   30.5%
Denial of Service                              21                    0.2%
Malware/Botnet                               4321                   48.9%
Policy Violation                              117                    1.3%
Reconnaissance-Vulnerability Scan            1123                   12.7%
Web Application Attack                        265                    3.0%
Total                                        8840
AVERAGE THREAT DIVERSITY (the number of different types of incidents experienced by a customer) was 2.68

Percent of Energy Sector Customers Impacted
The table below illustrates the percentage of customers impacted by each incident category. Among impacted customers, the average threat diversity was 2.68.

INCIDENT CLASS              PERCENT OF ENERGY SECTOR CUSTOMERS IMPACTED
Application Attack          20.9%
Botnet/Malware              76.7%
Brute Force                 60.5%
Denial of Service            9.3%
Reconnaissance              23.3%
Vulnerability Scan          34.9%
Web Application Attack      23.3%

The top ten incidents accounted for over 75% of overall incidents.

Percentage of Overall Incidents
The top ten incidents experienced, which accounted for over three-quarters of overall incidents, were:

INCIDENT CLASS            SPECIFIC INCIDENT TYPE                               PERCENTAGE OF OVERALL INCIDENTS
Malware/Botnet            Trojan activity                                      22.78%
Malware/Botnet            Blackhole exploit kit download detected              11.01%
Brute Force               Brute force (non-specific)                            9.73%
Brute Force               Multiple failed SMB login attempts                    6.76%
Brute Force               RDP attempted administrator brute force attack        6.61%
Reconnaissance            Suspicious activity                                   5.88%
Brute Force               SSH brute force attempt                               4.42%
Malware/Botnet            Blackhole exploit kit download attempt detected       3.35%
Web Application Attack    SQL injection exploit attempts                        2.92%
Application Attack        Application attack                                    2.83%
Insight
Malware/botnet and brute force are the most prevalent attacks made on our energy sector customers, underscoring how important it is to have proper security in place.

WHAT ENERGY COMPANIES NEED TO DO

The energy industry represents a high-value target for security breaches. It possesses significant intellectual property, and also provides an exceedingly attractive target of interest for cyber-terrorism. As such, taking adequate security measures is of paramount importance.

With the widespread industry use of contractors and subcontractors, it is incumbent on larger companies to include security items on their checklist for contractor evaluation. For contractors, the ability to demonstrate that they are practitioners of sound security measures should be seen as a valuable differentiator.

Our analysis shows that malware/botnet and brute force are the most prevalent attacks made on our energy sector customers. The prevalence of these relatively unsophisticated attacks underscores the importance of fundamental practices: multi-layer security, close attention to basic management practices (such as patch management and upgraded operating systems), the use of monitoring and defensive technologies to identify and stop attacks, and continual awareness-raising among employees on the basics of security hygiene.

CONTRIBUTORS
Lead Researcher: Stephen Coty
Lead Analysts: Tyler Borland, Mukul Gupta, PhD, Patrick Snyder, Kevin Stevens
Editors: Maureen Rogers, John Whiteside

Copyright 2013 Alert Logic, Inc. All rights reserved.