The dark side of the digital revolution

Annabelle Lee
Technological progress, which is fundamental to satisfying the growing global demand for low-cost electricity, has increased the vulnerability of industrial control systems to attacks and cyber threats.

Over the last decade, the rise in cyberattacks on critical infrastructures, particularly in the energy sector, has resulted in cyber security becoming a central concern among industrial control systems (ICS) manufacturers, operators and users. These attacks are aimed at disrupting industrial activity for monetary, competitive, political or social gain, or even as a result of a personal grievance. The advances in technology and the inclusion of Industrial Internet of Things (IIoT) devices have expanded the attack surface of the ICS, with the impact extending to all parts of the organization operating critical infrastructure, the supply chain, and ultimately the end-use customer. Current cyber security solutions cannot provide comprehensive protection against all the known and unknown threats to the digital components that operate critical infrastructure, and specifically the energy sector, so defenders are constantly playing catch-up. Cyberattacks may be launched by malicious insiders or nation-states, and may arrive via the supply chain, inadequate network access controls, limited operational technology (OT) cyber security procedures or unauthorized remote access. Unfortunately, attackers only have to be effective once and defenders need to be effective 100% of the time. This is not an achievable goal.

 

Historical Perspective

Traditionally, power sources were centralized, with most power produced by large generating stations. Power flowed one way, from the generation sources to the loads. Transmission grids were monitored and controlled via supervisory control and data acquisition (SCADA) systems that ran on specialized hardware, with proprietary software including proprietary operating systems and applications. OT that operated the grid was completely separate from IT that was used to run business functions such as finance and human resources. Communications between the SCADA systems and the grid devices were largely hard-wired; many of these grid devices, such as sensors, were analog and the protocols used to transmit information and controls were proprietary. This was the era of “security by obscurity” and “security by air gap.”

 

Modern Grid

Since then, a lot has changed:

- Integration of Commercial Off-The-Shelf (COTS) products: OT systems have been migrating away from using proprietary systems to using COTS technologies, for example, in operating systems and applications.

- Interconnected systems: Corporate and OT networks are increasingly being interconnected. For example, with alternative energy sources such as solar power and wind, there is increased interconnection across organizations and systems.

- Communications: Serial communications are being replaced with IP-based communications. The initial focus was on implementing open standards and ensuring reliability. Security, in large part, was an after-the-fact add-on.

- Distributed systems: Power sources are distributed and now include distributed energy resources (DERs) and other forms of distributed generation.

 

All of these changes have resulted in improvements in efficiency and reliability. However, these advances have also increased the attack surface and the set of vulnerabilities to which utilities are exposed, introducing new risks that could adversely impact the grid’s reliability and resiliency. In the OT environment, the impact of a cyber security incident can be wide-ranging, resulting in production losses, brownouts/blackouts, physical damage to power equipment, significant safety or environmental issues and even personal injury or loss of life. Following is a summary of new risks:

- As substations are modernized, the new equipment is digital, rather than analog. This increased digital functionality provides a larger attack surface for an adversary because there are more potential points of entry to a system.

- Communication with external systems and the Internet allows for access points that may be exploited. Also, attacks that are launched using techniques such as spear-phishing to fraudulently obtain credentials such as usernames and passwords have increased significantly because of external connectivity by OT devices.

- Legacy technology in the electric OT environment will be operational for many years, even decades. Therefore, utilities will be operating with a combination of legacy and new technology. Legacy systems frequently have limited or no cyber security controls; for example, usernames and passwords are frequently shared by dozens of people. Typically, it is not possible to retrofit cyber security in these legacy systems.

- While security protections such as firewalls, access controls, and user policies and procedures are put into place, a physical connection to the outside world via the Internet now exists. This opens the way for a determined attacker to leverage zero day vulnerabilities and social engineering to find a path through the corporate network to these once isolated OT systems.

- Aside from targeted attacks, there is also a constant threat of a path opening via firmware and software vulnerabilities. Infected USB drives, websites and everyday social engineering attempts on corporate networks may open up paths to an ICS/SCADA network for adversaries.

- Traditional IT security solutions, such as patching, Intrusion Prevention System (IPS), network scanning and ongoing monitoring are often difficult or impossible to deploy in OT systems due to operational requirements including availability and limited system resources.

 

Threat Agents

Threat agents, either individuals or groups, who seek to exploit vulnerabilities and launch attacks include:

1. Governments/Nation-States/Nation-State Backed Organizations – These threats are well-funded and motivated by political, economic, technical and/or military agendas. They can execute large-scale and advanced persistent threat (APT) attacks. Nation-states do not fear reprisal and may use ICS attacks as a component of a geo-political conflict.

2. Criminals – They execute targeted attacks driven by profit, including ransomware attacks. They also will exfiltrate personally identifiable information (PII).

3. Hacktivists – They promote social, political and/or ideological causes. The intent is to benefit their cause or gain awareness for a specific issue.

4. Insiders – These are disgruntled employees or contractors that maliciously cause disruption. They may be driven by greed, personal gains or revenge.

5. Opportunistic – These are typically amateur criminals driven by the desire for notoriety.

 

Unfortunately, offensive cyber tools are becoming more accessible with a growing library of free tools and techniques available to the adversary to attack ICS.

 

Threat Landscape

Following is a summary of the changes in the threat landscape that are a result of the changes in the threat and technology environments.

People are the leading risk for compromised security and this includes insiders (staff and contractors) and vendors. This has been true historically and is still true today. However, because the new OT technology is more IT based and there are increased interconnections among systems and organizations, the impact from compromise by an individual has significantly increased. Based on a Fortinet survey, people present the greatest risk for compromise to an organization’s OT/control systems, because the human element lies at the heart of cybersecurity incidents and breaches. Following is a summary of the risks posed by different classes of individuals.

 

- Insider threat: Insider threats are particularly difficult to guard against, especially in the OT/ICS space, where situational awareness and process knowledge are essential to recognizing a potential safety or security issue. Physical access incidents are dominated by current workforce members (employees, service providers, consultants and contractors). A cyber security event may also be the result of non-malicious activity such as misconfiguring a device or specifying incorrect parameters. Unfortunately, the impact may be the same as for a malicious cyber security event.

- Third-Party Access: According to Fortinet, 64 percent of organizations give third-party IT vendors either complete or high-level access to their SCADA/ICS, nearly 60 percent give other business partners complete or high-level access and more than 50 percent give government agencies the same level of access. When it comes to industries, manufacturers are the most willing to provide complete access to outside organizations.

- Outsourcing: Many organizations outsource some of their SCADA/ICS security. The top SCADA/ICS functions outsourced to IT vendors were wireless security, intrusion detection, network access control and IoT security. According to Fortinet, 56 percent of the organizations surveyed outsource SCADA security to multiple vendors. In some cases, the use of multiple vendors creates a patchwork of defenses that don’t work well together.

- Criminals/hacktivists: Malicious attackers continue to be of major concern as is evidenced by several recent ransomware attacks. Although many of the ransomware attacks were not specifically targeted against the energy sector, this new attack vector has the potential to disrupt critical OT operations.

- Nation-states: The increase in geo-political tension raises the concern that nation-state adversaries may launch cyberattacks to cause temporary or extensive disruption of the energy sector. Both Russia and the U.S. have accused each other of hacking into energy sector systems.

 

Security architecture: With the increase in system assets, for example, industrial embedded, IoT, and IIoT devices installed in the OT architecture, a comprehensive device inventory is increasingly difficult to develop and maintain. Also, some utilities are now transitioning to the cloud for OT operations. Without a complete architecture for the cloud, “shadow IT” may increase the overall risk. Shadow IT is the infrastructure and applications that are managed and utilized without the knowledge of the enterprise's IT department.

Without a complete inventory, developing a comprehensive cyber security architecture for the OT environment that includes the attack surface and attack vectors becomes more difficult, and without a cyber security architecture, the overall OT cyber security risk cannot be determined. This inventory is necessary to define the network security strategy and select the mitigation strategies.
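The inventory gap described above can be measured by reconciling the asset inventory against what is passively observed on the network. The following is an added example, not part of the original article; the device names, MAC addresses, zone labels and the `reconcile` function are all constructed assumptions.

```python
# Constructed asset inventory keyed by MAC address (an assumption: MACs can be
# spoofed, so a real inventory would also key on serial number or certificate).
INVENTORY = {
    "00:1d:9c:aa:01:01": {"name": "rtu-sub12", "zone": "ot"},
    "00:1d:9c:aa:01:02": {"name": "hmi-ctrl1", "zone": "ot"},
    "00:1d:9c:aa:01:09": {"name": "relay-sub07", "zone": "ot"},
    "00:50:56:bb:02:01": {"name": "historian", "zone": "dmz"},
}

# Constructed passive observations: (source MAC, zone seen in, destination zone).
OBSERVED = [
    ("00:1d:9c:aa:01:01", "ot", "ot"),
    ("00:1d:9c:aa:01:02", "ot", "dmz"),
    ("00:50:56:bb:02:01", "dmz", "it"),
    ("00:50:56:bb:02:01", "ot", "ot"),   # historian NIC showing up inside OT
    ("b8:27:eb:cc:03:07", "ot", "it"),   # not in inventory, talks to IT
    ("00:0c:29:dd:04:01", "ot", "ot"),   # not in inventory, stays inside OT
]


def reconcile(inventory, observed):
    """Compare what the inventory claims with what the network shows."""
    seen_zones = {}   # MAC -> zones the device was actually seen in
    crossing = set()  # MACs whose traffic left the zone it originated in
    for mac, src_zone, dst_zone in observed:
        seen_zones.setdefault(mac, set()).add(src_zone)
        if src_zone != dst_zone:
            crossing.add(mac)

    unknown = sorted(m for m in seen_zones if m not in inventory)
    return {
        # On the wire but not in the inventory: candidate shadow devices.
        "unknown": unknown,
        # In the inventory but never seen: stale record or device offline.
        "silent": sorted(m for m in inventory if m not in seen_zones),
        # Known device seen outside its recorded zone.
        "misplaced": sorted(
            m for m, zones in seen_zones.items()
            if m in inventory and zones != {inventory[m]["zone"]}
        ),
        # Unknown device in OT whose traffic crosses a zone boundary: review first.
        "priority": [m for m in unknown
                     if "ot" in seen_zones[m] and m in crossing],
    }


if __name__ == "__main__":
    for category, macs in reconcile(INVENTORY, OBSERVED).items():
        print(category, macs)
```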

Security by design: Security engineering principles should be applied in the specification, design, development, implementation and modification of a system throughout the system life cycle. This is called “security by design.” Because legacy and many IIoT devices do not typically include cyber security, one approach is to “bolt on” cyber security controls. Unfortunately, this approach is not that effective and may adversely impact the performance of the devices.

IT security controls: The differences in how similar technology is used and deployed between IT and ICS networks mean that IT solutions cannot be ported over to the OT environment without tailoring. Some of these IT technical controls include patch management, ongoing monitoring, and vulnerability assessments.

Mobile devices: Mobile devices, particularly laptops used in field technician work, represent a significant risk. There are examples where laptops have been stolen or compromised by family members who installed games or accessed the Internet. In the United States, several government agencies have banned the use of thumb drives because of cyber security concerns.

Wireless communications: Wireless communications and protocols are some of the most rapidly changing technologies, and their use is increasing as a means to transfer information from sensor networks in the OT environment. Wireless technologies extend the OT network perimeters and may create an attack vector that is easily accessible by an attacker.

 

ICS Attack Evolution

One trend in attack evolution is a two-stage approach to executing attacks. In the first stage, common tactics, techniques and procedures (TTPs) are used for initial access and lateral movement. These initial attack vectors increasingly avoid custom malware and techniques that provide signs of adversary activity. Because the attackers rely on tools that are already on the system, they blend in and there is less chance that the attack will be detected and blocked. Typically, the objective of the first stage is to collect and exfiltrate data about the system that is to be attacked. These first-stage attack vectors are called “living off the land” or “fileless” attacks.

In the second stage, a different set of TTPs is used and ICS-specific malware is deployed to execute the attack. This ICS-specific malware may be uniquely designed for the target environment. This two-stage approach allows attackers to take advantage of existing TTPs for initial access and reconnaissance and then execute tailored ICS attack tools.
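Because first-stage activity uses tools already present on the host, signature matching has little to work with; OT hosts, however, run a small and stable set of processes, so deviation from a learned baseline is a usable signal for both stages. The following is an added example, not part of the original article; the host names, process names, watch list and function names are constructed assumptions.

```python
# Assumed watch list of built-in Windows utilities; tune it to the environment.
BUILTIN_TOOLS = {"powershell.exe", "wmic.exe", "certutil.exe", "net.exe"}

# Constructed process-creation events: (host, parent image, child image).
BASELINE_EVENTS = [
    ("eng-ws1", "explorer.exe", "scada_hmi.exe"),
    ("eng-ws1", "services.exe", "historian_agent.exe"),
    ("jump1", "explorer.exe", "powershell.exe"),  # admins use it on the jump host
]

NEW_EVENTS = [
    ("eng-ws1", "explorer.exe", "scada_hmi.exe"),    # normal operation
    ("jump1", "explorer.exe", "PowerShell.exe"),     # baselined, different case
    ("eng-ws1", "winword.exe", "powershell.exe"),    # built-in tool, new context
    ("eng-ws1", "powershell.exe", "certutil.exe"),   # built-in tool, new context
    ("eng-ws1", "services.exe", "plc_loader.exe"),   # binary never seen before
]


def build_baseline(events):
    """Learn the (host, parent, image) triples seen during normal operation."""
    return {(host, parent.lower(), image.lower())
            for host, parent, image in events}


def classify(events, baseline):
    """Return (host, image, kind) for every event outside the baseline.

    kind is "builtin-tool" when a system utility runs in a host/parent context
    it was never seen in (first-stage pattern), and "new-binary" when the image
    itself is new to that context (possible second-stage tooling).
    """
    findings = []
    for host, parent, image in events:
        image = image.lower()
        if (host, parent.lower(), image) in baseline:
            continue
        kind = "builtin-tool" if image in BUILTIN_TOOLS else "new-binary"
        findings.append((host, image, kind))
    return findings


if __name__ == "__main__":
    for finding in classify(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(finding)
```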

 

Conclusion

The advances in technology in the energy sector have resulted in higher resilience and reliability. The new technology is critical to address the increasing need for inexpensive electricity worldwide. However, these advances have also increased the challenge and complexity of addressing cyber security risks. This article includes information that may be used by utilities as they identify the highest priority risks in cyber security.

Annabelle Lee is the founder and Chief Cyber Security Specialist of Nevermore Security. Lee’s experience comprises over 40 years of technical experience in IT system design and implementation and over 25 years of cyber security design, specification development, and testing. Over the last 15 years, she has focused on cyber security for the energy sector.

 

