Nation-State Cyber Warfare: Energy Industry in the Crosshairs
May 19, 2020

Rob Anderson

It used to be that to keep your network safe, you only needed to be more secure than other networks. Attackers would go after easy targets and avoid the more secure ones. You might remember the adage, “You don’t have to swim faster than the shark to get away. You just have to swim faster than the guy next to you.” But what if the shark decides you’re worth the extra effort?

This is what an advanced persistent threat does. It goes after specific targets based on what it wants to exploit from those targets.

Advanced Persistent Threat

An advanced persistent threat (APT) refers to a group of cyber-attackers who work together and are highly motivated, skilled and patient. They have advanced knowledge and a wide variety of skills to detect and exploit vulnerabilities in systems. They are persistent and focus on exploiting one or more specific targets rather than just any target of opportunity.

Governments typically set up and fund APTs, but not always. Sometimes groups of organized criminals also fund and run them. APTs that target government agencies, critical infrastructure and industries known to contain sensitive data and property related to government are known as Nation-State Actors. When governments disagree on global policy, cyber-warfare is often used to prove power and to persuade.

Nation-State APT

A very well-known example was the Nation-State APT that created the Stuxnet disaster. Stuxnet was a worm that exploited several vulnerabilities with the intent of causing a significant amount of damage to Iranian nuclear facilities. In the attack, the APT targeted zero-day vulnerabilities in SCADA systems and destroyed several Iranian nuclear centrifuges controlled by those systems. (A zero-day vulnerability is a flaw in a system that is either unknown to the manufacturer or a known flaw that the manufacturer of the system has not got around to fixing at the time of the exploit.)

In this type of Nation-State APT warfare, APTs identify high-value targets that will have the greatest impact on a country’s wellbeing, with utilities being clear targets.

APTs are slow, patient, and methodical. When they gain access to a network, their goal may not be to immediately exploit compromised assets to cause damage, but rather to use those compromised assets to slowly exfiltrate data that can be aggregated to form usable intelligence or to find additional vulnerabilities for further exploitation. The most common aims of Nation-State APTs are to gather intelligence and to establish the foundation for successful future cyber-attacks that can be used to cause maximum disruption in a time of war.

Avoiding the Crosshairs

The digitization of utilities’ OT assets has increased concerns about the security of critical infrastructure. As the utility supply chain becomes more complex, global and interconnected, increased oversight of the supply chain becomes a critical component of risk management. Indeed, there are many documented cases where APT exploits have been directed at trusted third parties associated with utilities, rather than at the utilities themselves. This is because the third-party networks can be simpler, less secure targets.

One way that this type of risk is being mitigated in the US, as an example, is through the Federal Energy Regulatory Commission’s (FERC) implementation of a new regulatory requirement: NERC CIP-013-1. This requirement places increased responsibility on utilities to evaluate the cybersecurity of their third-party vendors and partners.

PSC Cybersecurity Services

PSC’s global specialists understand the electric utility and energy markets businesses, and the technical challenges utilities face in securing their digital assets. We combine our in-house IT security expertise with our deep electricity utility OT domain experience to help our clients minimize their risk.

Find out more about how our cybersecurity services can help increase your network’s resilience and how you can achieve full compliance with cybersecurity regulations. Contact us to get started.