Why Energy Providers Are So Vulnerable to Zero-Day Threats

From the Stuxnet and WannaCry attacks to the BlackEnergy and Flame malware, prominent threats against energy providers have relied on exploits of zero-day vulnerabilities. That attackers spend zero-days on these targets illustrates how highly they value energy networks.

Energy provider hackers, often nation-states, appear to be motivated primarily by espionage, as in the 2017 hack of Ireland’s EirGrid, or destruction, as in the 2015 and 2016 Ukraine grid hacks.

We frequently speak of detecting and blocking threats at the network edge. This prevents hackers from gaining entry and then moving laterally across networks, and from establishing the persistent access needed to conduct multiple exploits. Yet in the energy sector, edge detection is as difficult as it is important, given the unusual networks involved.

Many energy companies, from electric power utilities to oil refineries, employ three distinct layers of infrastructure:

  1. Traditional enterprise IT – Standard Windows and Linux systems, servers and devices.
  2. Operational Technology (OT) – Controls physical infrastructure components, such as circuit breakers in substations and valves in pipelines.
  3. Industrial Control Systems (ICS) – Usually sit between IT and OT architecturally, and monitor and control the OT.

The Stuxnet and Ukraine attacks caused physical damage not through IT systems, although IT was the beachhead, but by compromising ICS and then using the ICS to control OT – physical centrifuges in the case of Stuxnet and remote terminal units in Ukraine.

Years ago, ICS and OT were analog and isolated from public networks. To exploit them remotely, hackers first had to compromise traditional IT and then jump to the “air-gapped” ICS/OT networks. On top of IT skills, they had to understand obscure ICS/OT technology. Traditional IT experts are usually not trained in ICS/OT, and before the internet, documentation could be difficult to find. The segmentation and obscurity of ICS/OT provided a degree of security.

Today, four factors have changed everything:

  1. ICS/OT modernization – Most visible in the power sector, the digitization of OT components introduces new vulnerabilities, including remotely exploitable zero-days.
  2. Smart grid – Its essential premise is bi-directional communication between ICS and OT, along with remote control of OT. Increasingly, engineers use the internet and standard TCP/IP protocols for this.
  3. ICS/OT firmware – ICS/OT developers rarely emphasize security, so products are now reachable from the internet and exploitable through firmware vulnerabilities.
  4. Availability of ICS/OT documentation – Complete documentation sets for the ICS components hacked in Stuxnet and Ukraine were available online before the attacks.

Security through isolation and obscurity is no longer adequate. Hackers now have more attack vectors, spanning traditional IT through to digitized OT – many of them riddled with known and unknown vulnerabilities. One researcher recently found vulnerabilities in solar panel components.

Along with more vulnerable targets, hackers find these networks remotely reachable over public networks, with direct communication links from centralized IT and ICS out to geographically dispersed OT (e.g., electric distribution substations) – and back again. While these attacks are not trivial, they are getting easier.

Micheal Mullen
Micheal Mullen currently serves as Senior Product Marketing Manager at BluVector. Previously, he’s authored or edited content on sites including Metalogix, ZD Net, Deltek, The Washington Post and L-3 Communications.