Most attacks against energy and utilities occur in the enterprise IT network

Chris Morales
November 1, 2018

The United States has not been hit by a paralyzing cyberattack on critical infrastructure like the one that sidelined Ukraine in 2015. That attack disabled Ukraine's power grid, leaving more than 700,000 people in the dark.

But the enterprise IT networks inside energy and utilities organizations have been infiltrated for years. Based on an analysis by the U.S. Department of Homeland Security (DHS) and FBI, these networks have been compromised since at least March 2016 by nation-state actors who perform reconnaissance activities looking for industrial control system (ICS) designs and blueprints to steal.

There is a difference between attacks that probe enterprise IT networks for information and access to critical infrastructure versus attacks against the ICS on which the critical infrastructure operates. The two are interconnected, but the targeted assets are different.

NIST published an abstract topology of the electric-grid energy delivery system, which shows how the power system (primary equipment) interconnects with IT systems (information management). The topology highlights the growing importance and scale of enterprise IT networks within energy and utilities as the industry pivots toward two-way communication within the smart grid, including the use of IT devices and communication that combine IoT networks with ICS networks.

Inside these information management networks, cybercriminals have for years been testing and mapping out attacks against energy and utilities networks. These slow, quiet reconnaissance missions involve observing operator behaviors and building a unique plan of attack. The attack that shut down Ukraine’s power grid in 2015 was reportedly planned many months in advance by skilled and sophisticated cybercriminals.

This underscores the importance of identifying hidden attackers inside enterprise IT networks before they cause damage to the ICS and steal information related to the critical infrastructure. The Vectra 2018 Spotlight Report on Energy and Utilities focuses on the unique threat behaviors used in the latest attack campaigns to steal vital ICS information.

The report's key findings underscore the importance of detecting hidden threat behaviors inside enterprise IT networks before cyberattackers have a chance to spy, spread and steal. These threat behaviors reveal that carefully orchestrated attack campaigns occur over many months.

When attackers move laterally inside a network, it exposes a larger attack surface that increases the risk of data acquisition and exfiltration. It’s imperative to monitor all network traffic to detect these and other attacker behaviors early and consistently.

Remote attackers typically gain a foothold in energy and utilities networks by staging malware and spear-phishing to steal administrative credentials. Once inside, they use administrative connections and protocols to perform reconnaissance and spread laterally in search of confidential data about industrial control systems.

The covert abuse of administrative credentials provides attackers with unconstrained access to critical infrastructure systems and data. This is one of the most crucial risk areas in the cyberattack lifecycle.

Other key findings in the 2018 Spotlight Report on Energy and Utilities include:

  • During the command-and-control phase of attack, 194 external remote access behaviors were detected per 10,000 host devices and workloads.
  • 314 suspicious remote execution behaviors were detected per 10,000 host devices and workloads.
  • In the exfiltration phase of the cyberattack lifecycle, 293 data smuggler behaviors were detected per 10,000 host devices and workloads.

It is also important to note that the attackers covered their tracks to defeat log-based alerting systems. Accounts and applications used in the attacks were removed and deleted.

For example, VPN clients installed at commercial facilities were deleted along with the logs produced by their use. It was only through extensive forensic analysis that the DHS was able to determine that the threat actors had removed evidence after the attacks had already succeeded.

Lesson learned: Detect the first signs of a cyberattack as it happens, not after the damage is done.
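As an added illustration of the traffic-based detection this post argues for (example code written for this article, not Vectra's product logic), the following scores hosts purely on network flow records, so it still fires when an attacker deletes host-side logs and VPN clients. The internal address range, the admin-protocol port list, the thresholds and the flow records are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address ranges treated as internal (assumption for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
# Administrative protocols commonly used for remote execution: SSH, SMB, RDP, WinRM.
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}
LATERAL_MIN_TARGETS = 2        # distinct internal hosts reached over admin protocols
EXFIL_MIN_BYTES = 50_000_000   # bytes sent to a single external host

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_from_src). Not real data.
FLOWS = [
    ("10.1.20.15", "10.1.20.200", 445, 12_000),        # SMB to a peer workstation
    ("10.1.20.15", "10.1.30.7", 5985, 8_000),          # WinRM into another segment
    ("10.1.20.15", "10.1.30.9", 3389, 30_000),         # RDP into another segment
    ("10.1.20.15", "203.0.113.5", 443, 60_000_000),    # large upload to an external host
    ("198.51.100.20", "10.1.50.4", 3389, 4_000),       # RDP from outside the network
    ("10.1.40.2", "10.1.50.4", 445, 2_000),            # a single admin flow, below threshold
    ("10.1.40.2", "203.0.113.9", 443, 2_000),          # small outbound transfer, benign
]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def detect(flows):
    """Tag hosts from flow records alone; no host logs are consulted."""
    lateral_targets = defaultdict(set)   # src -> internal hosts reached on admin ports
    external_bytes = defaultdict(int)    # (src, dst) -> bytes sent to an external host
    remote_access = set()                # internal hosts reached from outside on admin ports
    for src, dst, port, nbytes in flows:
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in and dst_in and port in ADMIN_PORTS:
            lateral_targets[src].add(dst)
        elif src_in and not dst_in:
            external_bytes[(src, dst)] += nbytes
        elif not src_in and dst_in and port in ADMIN_PORTS:
            remote_access.add(dst)
    findings = defaultdict(list)
    for host, targets in lateral_targets.items():
        if len(targets) >= LATERAL_MIN_TARGETS:
            findings[host].append("lateral-admin-protocol")
    for (src, dst), total in external_bytes.items():
        if total >= EXFIL_MIN_BYTES:
            findings[src].append("data-smuggler")
    for host in remote_access:
        findings[host].append("external-remote-access")
    return {host: sorted(tags) for host, tags in findings.items()}
```

Running `detect(FLOWS)` tags the workstation that fanned out over admin protocols and uploaded a large volume externally, plus the host reached by RDP from outside; in production the thresholds would be tuned per environment and the records would come from a flow collector rather than a list.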

To learn more about attacks against enterprise IT networks in the energy and utilities industry, get the Vectra 2018 Spotlight Report on Energy and Utilities.

About the author

Chris Morales

Chris Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs for Fortune 500 enterprise clients. He has nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles. Christopher is a widely respected expert on cybersecurity issues and technologies and has researched, written and presented numerous information security architecture programs and processes.
