The Department of Homeland Security is hosting a series of secret briefings to address "ongoing" cyberthreats to energy control systems, according to security experts.
Hackers rarely target the controls of electric utilities, oil and gas pipelines, chemical manufacturers and other critical industries. Only three ICS-focused cyberattacks have ever been disclosed publicly.
So researchers were surprised to see DHS officials spreading the word this week about two attacks, including one thought to be dormant. The agency's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has scheduled about a dozen meetings at FBI field offices across the country to discuss the Havex malware family and the recently discovered BlackEnergy cyberthreat, sources say.
"They have two case studies of targeted ICS campaigns to brief to participants -- that's huge," said Robert M. Lee, who researches critical infrastructure cybersecurity at King's College London and is familiar with ICS-CERT's activities.
"There is something to be said for the level of [DHS] response," he added. "You have two campaigns that are going on almost back to back: this Havex malware campaign bumping up right next to what's happening with BlackEnergy."
A DHS official said ICS-CERT regularly conducts briefings "to communicate relevant classified and unclassified contextual details about ongoing cyberthreat activity" but declined to share specific agendas.
ICS-CERT has issued alerts on the latest pair of cyberthreats, however. The government task force first warned about the Havex malware -- also known as Dragonfly or "Energetic Bear" for its reported interest in the energy sector -- in June (EnergyWire, July 1).
This month, cybersecurity firms iSight Partners Inc. and Trend Micro Inc. analyzed a strain of the BlackEnergy criminal malware, prompting another alert from ICS-CERT on Tuesday.
In both cases, ICS-CERT warned electric utilities, ICS equipment vendors and other potentially infected companies before notifying the public.
The latest BlackEnergy malware leverages the file directory for GE Intelligent Platforms' CIMPLICITY line of software, which can be used to manage power grids and other energy systems.
What makes the new BlackEnergy variant so unusual, according to experts, is how it zeroes in on technical, industrial environments -- in this case, a GE human-machine interface platform. (GE has recommended that its customers upgrade to a newer, more secure version of the software if they can.) ICS-CERT said BlackEnergy has also targeted Advantech/Broadwin WebAccess and Siemens WinCC HMI products.
Siemens industrial equipment was also targeted by the sophisticated Stuxnet virus, which infected Iranian nuclear centrifuges in the late 2000s and was said to be the brainchild of U.S. and Israeli intelligence forces.
The Havex or Dragonfly threat took aim at three Europe-based equipment providers known to supply a range of industrial systems, from energy to pharmaceuticals. The campaign's architects hijacked the vendors' websites and corrupted ICS software updates as recently as April.
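The trojanized-update technique described above is the reason integrity checks on vendor downloads matter. The following Python script is an added example written for this page; it is not code from the article or from any vendor named in it, and the installer bytes, file names and pinned hash are constructed for illustration. It shows the one check that defeats a corrupted download: hashing the file you actually received and comparing it, in constant time, against a SHA-256 value obtained through a channel the compromised website does not control.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed sample data: a stand-in for a legitimate HMI installer and a copy
# with a single byte altered, as a download served from a hijacked vendor site
# might be. Neither is a real product file.
GOOD_INSTALLER = b"ICS-HMI-Setup v2.3 (constructed sample installer bytes)\n" * 64
TAMPERED_INSTALLER = GOOD_INSTALLER[:-1] + b"!"


def sha256_of_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Return the hex SHA-256 of a file, streamed so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_installer(path: Path, pinned_sha256: str) -> bool:
    """Compare the downloaded file's digest against a hash obtained out of band.

    The pinned value must not come from the same web page as the download: an
    attacker who controls the vendor site can rewrite both. Use a value received
    through a separate channel (a signed advisory, a support contact, a copy that
    was verified earlier). compare_digest keeps the comparison constant-time.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual.lower(), pinned_sha256.lower())


def demo() -> dict:
    """Write a clean and a tampered copy to a temporary directory and verify both."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "hmi-setup.exe"  # hypothetical file name
        bad = Path(tmp) / "hmi-setup-from-mirror.exe"  # hypothetical file name
        good.write_bytes(GOOD_INSTALLER)
        bad.write_bytes(TAMPERED_INSTALLER)
        # In a real deployment the pinned hash arrives out of band; here it is
        # derived from the known-good bytes so the example runs offline.
        pinned = hashlib.sha256(GOOD_INSTALLER).hexdigest()
        return {
            "good_verified": verify_installer(good, pinned),
            "tampered_verified": verify_installer(bad, pinned),
            "pinned_sha256": pinned,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run the script directly to see the clean file pass and the altered copy fail. The design point is where the pinned hash comes from, not the hashing itself: a digest published next to the download link on a site the attackers already control verifies nothing, which is why the check above takes the reference value as a separate input rather than fetching it.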
"A lot of malware impacts control systems, like Conficker or Slammer," said Joel Langill, security consultant and author of the SCADAhacker blog, referring to two computer worms that caused headaches for tens of thousands of Microsoft Windows users. "Those have consequences on industrial environments, but ... Stuxnet, Dragonfly and now BlackEnergy have specific ICS payload components; they are targeting specifically industrial control systems. This is very disturbing."
Several electric power industry executives and representatives pointed to the ICS-CERT warning as evidence of effective threat communication.
"As the cyber terrorists -- if you want to call them that -- continue to develop, our risk profile continues to change," said Chris Crane, CEO of Exelon Corp. "What we're doing as a sector is really focusing on what's that new developing threat, and what can we do to put the systems in place to help prevent -- or minimize the impact of it."
Crane, whose company is the largest nuclear power generator in the United States, said preventing attacks is the "No. 1 priority" and has brought the industry into closer collaboration.
"Even as competitors, we work together in this area to make sure that we take care of the vulnerabilities," he said. "We feel good about the communications ... and we really have some interesting technologies that we've been able to get from the government to put on our systems to [protect] them against cyberthreats."
Scott Aaronson, senior director for national security policy at the Edison Electric Institute, called the latest DHS alert a "further illustration of the close coordination between the affected industries, our government, the CERT community and researchers and academics."
"The vast majority of this industry is taking the basic security precautions very seriously and are constantly taking opportunities like this to understand where vulnerabilities arise," he added.
A decade ago, the notion that hackers would target industrial control systems was little more than a theory. Routine cyberthreats could cause damage if they somehow infected ICS components, but hackers were broadly assumed to be going after cash or intellectual secrets, both rarely found on the control room floor.
Even if someone tried to attack control systems, ICS operators could trust that their operating networks were "air-gapped," or kept isolated from the Internet.
In recent years, search tools such as Shodan have turned up thousands of industrial devices facing the Web, often without their owners' knowledge, undermining the concept of the "air gap" in the eyes of many security researchers.
Some power companies still subscribe to the air-gap model wherever they can, however. Public Service Enterprise Group CEO Ralph Izzo said yesterday that the utility holding firm's "most critical control systems are wholly separate and not connected to the Internet."
Izzo, whose company owns the biggest electric utility in New Jersey, added that he hires hackers "to come in and try to penetrate our systems, and when they do find ways to do that, sometimes we plug those holes."
Such "pentesting" has become an increasingly common practice for electricity companies hoping to shore up their security.
Izzo told reporters yesterday that he wasn't familiar with the "specifics" of the BlackEnergy malware, but he pointed out that "you can't have a lengthy conversation about [cyber] much as you couldn't have a lengthy conversation about physical security at our nuclear plants."
"It's best to not talk about it," he added.
Cybersecurity companies are more eager to discuss the ins and outs of new malware campaigns.
iSight Partners claimed BlackEnergy's "cyber espionage operators" were likely based around Moscow or Saint Petersburg, based on the timing of the attacks, Russian language in the code and the strategic value of known targets such as NATO and energy companies.
iSight has named the cyberspies Sandworm, after a recently disclosed vulnerability in Microsoft Windows that the group also used to launch its offensive.
DHS's alert on BlackEnergy coincided with the release of a separate report by FireEye. The cybersecurity firm laid out new allegations against Russia, a "whispered frontrunner among capable nations for performing sophisticated network operations."
A spokesman for Russia's Foreign Ministry did not respond to an emailed request for comment yesterday afternoon. Cybersecurity researchers cautioned against drawing ties between FireEye's "APT28" group and iSight's Sandworm.
Lee of King's College said it is "really early" to be drawing conclusions about the architects of the energy-focused BlackEnergy campaign.
"There seems to be overlay between malware samples between APT28 and Sandworm, but I don't know if I would feel comfortable saying, 'Definitely, yes, they're the same group,'" he said.
Reporter Rod Kuckro contributed.