Emerging Risk Brief
Small Suppliers, Big Security Threats for the Grid
Electric utilities grapple with a myriad of cybersecurity challenges affecting the critical electric grid infrastructure. One area in particular that attackers have homed in on is industrial control systems (ICS). There have been increasing reports of hackers tied to nation-states burrowing into utility ICS, seeking to learn how systems operate and positioning themselves to control critical physical assets.
A growing attack vector for these industrial control systems is the thousands of companies that comprise the electric sector supply chain. Power companies purchase information, hardware, software, services and more from third parties across the globe. Threat actors can introduce compromised components into a system or network, intentionally or by design, at any point.
For example, in 2016-2017, Dragonfly, aka Energetic Bear, breached hundreds of utilities’ ICSs through multiple supply chain partners in the United States, Turkey and Switzerland to conduct reconnaissance, assessing control system design, capabilities, configurations and vulnerabilities. Having such information lays the groundwork for future attacks.
When assessing threats from attacks on third parties, many utilities start with their largest suppliers. They may not take time to assess the security precautions employed by their smaller suppliers. These vendors are likely to fly under the radar, leaving utilities open to more risk than they might imagine. Fortress Information Security analysts have researched companies that deliver ICS services to utility companies and found that roughly 100 companies with less than $1 million in revenue may have access to ICS.
Common Security Issues with ICS
In 2018, Kaspersky Labs research found that while three quarters of companies surveyed state that they will likely become a target of a cybersecurity attack in the ICS space, only 23% comply with minimal industry or government guidance and regulations around cybersecurity for ICS. The percentage of ICS computers attacked at least once in the first half of 2018 reached 41.2%, up from 36.6% during the same period in 2017. This increase in the percentage of ICS computers attacked was due primarily to an increase in malicious activity.
Fortress research found that the most common security vulnerabilities with ICS include:
Weak authentication—This occurs when the strength of the authentication mechanism is relatively weak compared to the value of the assets being protected. An application that protects highly valuable systems or information should feature strong authentication, such as multi-factor authentication.
Configuration management issues—Every device plugged into the network must be configured properly, and network managers must know how these devices are configured and secured. Failure to properly configure devices can lead to numerous security issues. For example, if someone changes a firewall setting, they could unwittingly allow traffic that would otherwise have been blocked.
Lack of hardware/software/firmware updates—Vendors release updates to fix specific security flaws or provide additional security features. Companies may need to upgrade hardware to run these new software versions. Since hackers often target known vulnerabilities, it’s vital to keep up with the latest software/firmware/hardware updates to keep them out.
Poor physical security—Many organizations lack adequate systems and procedures to ensure that physical security for hardware, computer systems and data centers is authorized and monitored. For example, employees may fail to follow “no tailgating” policies in data centers, allowing someone to tag along with an individual who is authorized to enter a restricted area, putting the data center’s physical access control at risk.
Standard and preconfigured network security—Many software and hardware products come out of the box with overly permissive factory-default configurations intended to make them user-friendly and reduce troubleshooting time. These default configurations are not geared toward security. Leaving them enabled creates an avenue for an attacker to exploit.
Default or hard coded passwords—“Default” passwords are simple, publicly documented passwords that are identical among all systems from a vendor. Intended for initial testing, installation and configuration, they’re easily obtained from product documentation or lists on the internet. “Hardcoded” passwords are non-encrypted passwords that are put into the source code, which can easily become publicly available.
Poor encryption—Encryption weaknesses include not protecting data in transit, in use and at rest. They can also include poor management of encryption keys, for example, by storing encryption keys with the encrypted data or when applications store keys in memory while they’re in use.
Default “on” connectivity—All too often, applications or systems are delivered with services or features turned on by default, when such services may not be necessary. These features should be turned off when not needed, to help reduce the attack surface open for an attacker to exploit.
“The State of Industrial Cybersecurity 2018.” Kaspersky Labs, June 2018
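The weaknesses listed above are the kind of thing a utility can check mechanically before a device from any supplier, large or small, is connected. The following audit script is an added example, not code from the brief or from Fortress: it assumes a device exports its settings as flat "key = value" text, and every key name, the default-credential list, the service names and the two sample exports are constructed for illustration.

```python
"""Configuration audit for the ICS weaknesses listed above (added example).

Assumes a flat "key = value" settings export. Key names, the default-credential
list, service names and the sample configs are constructed, not any product's.
"""
from dataclasses import dataclass
from datetime import date

# Constructed vendor-default credential pairs (illustrative, not a real product's).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"), ("operator", "operator"),
}
# Services that should be off unless there is a documented need (assumed names).
RISKY_SERVICES = {"telnet", "ftp", "http", "snmp_v1", "snmp_v2c"}


@dataclass(frozen=True)
class Finding:
    category: str   # maps to a weakness category in the brief
    detail: str
    severity: str


def parse_config(text: str) -> dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().lower()] = value.strip()
    return cfg


def audit(cfg: dict[str, str], as_of: str, max_firmware_age_days: int = 365) -> list[Finding]:
    """Return one Finding per weakness detected; as_of is an ISO date (YYYY-MM-DD)."""
    findings: list[Finding] = []

    # Default or hard-coded passwords / weak authentication
    user, pw = cfg.get("admin_user", ""), cfg.get("admin_password", "")
    if (user, pw) in DEFAULT_CREDENTIALS:
        findings.append(Finding("default_credentials", f"account '{user}' uses a vendor-default password", "critical"))
    elif len(pw) < 12:
        findings.append(Finding("weak_authentication", "admin password shorter than 12 characters", "high"))
    if cfg.get("mfa_enabled", "false").lower() != "true":
        findings.append(Finding("weak_authentication", "multi-factor authentication is disabled", "high"))

    # Default "on" connectivity / preconfigured network services
    enabled = {s.strip().lower() for s in cfg.get("enabled_services", "").split(",") if s.strip()}
    for svc in sorted(enabled & RISKY_SERVICES):
        findings.append(Finding("default_connectivity", f"unneeded or cleartext service '{svc}' is enabled", "medium"))

    # Poor encryption: data in transit needs a current TLS version
    if cfg.get("tls_min_version", "") not in {"1.2", "1.3"}:
        findings.append(Finding("poor_encryption", "TLS minimum version below 1.2", "high"))

    # Configuration management: the firewall must fail closed
    if cfg.get("firewall_default_policy", "").lower() != "deny":
        findings.append(Finding("configuration_management", "firewall default policy is not 'deny'", "high"))

    # Lack of updates: firmware older than the allowed age
    build = cfg.get("firmware_build_date")
    if build is None:
        findings.append(Finding("missing_updates", "firmware build date not recorded", "medium"))
    else:
        age = (date.fromisoformat(as_of) - date.fromisoformat(build)).days
        if age > max_firmware_age_days:
            findings.append(Finding("missing_updates", f"firmware is {age} days old", "high"))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Tally findings by severity for a one-line summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample exports: a factory-default device and the same device hardened.
FACTORY_DEFAULT_CONFIG = """
# constructed export from a hypothetical field device, as shipped
admin_user = admin
admin_password = admin
mfa_enabled = false
enabled_services = ssh, telnet, https, http, snmp_v2c
tls_min_version = 1.0
firewall_default_policy = allow
firmware_build_date = 2017-03-01
"""
HARDENED_CONFIG = """
# constructed export after hardening
admin_user = ops-admin
admin_password = correct-horse-battery-staple-42
mfa_enabled = true
enabled_services = ssh, https, snmp_v3
tls_min_version = 1.2
firewall_default_policy = deny
firmware_build_date = 2018-07-15
"""

if __name__ == "__main__":
    for label, text in (("factory default", FACTORY_DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(parse_config(text), as_of="2018-09-01")
        print(f"{label}: {len(results)} finding(s) {severity_counts(results)}")
        for f in results:
            print(f"  [{f.severity}] {f.category}: {f.detail}")
```

Run against the factory-default export the audit raises eight findings across all six categories (one critical for the default credentials); the hardened export raises none. The checks are deliberately simple threshold tests so they can be folded into an onboarding checklist for every supplier, not only the largest.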
The effects of a third-party breach combined with known emerging cyber risk vulnerabilities could impact your company in various areas.
Identify critical third parties
Utilities can have thousands of contracts with third-party suppliers. It’s impossible to fully assess the security for each one. The most important vendors to assess are ones that provide information technology, information communications technology and/or industrial control systems that are critical for the operation of the electric grid, as well as third parties that maintain connectivity/access to critical bulk power system networks. Critical sector vendors may also hold or maintain sensitive data about electric sector operations, including designs and blueprints.
Evaluate third-party security
Next, assess the maturity of critical vendors’ control environments for proactively managing cybersecurity threats and remediating incidents. Areas to consider include:
Risk Assessment and Treatment, Security Policy, Organizational Security, Asset and Information Management, Human Resource Security, Physical and Environmental Security, Operations Management, Access Control, Application Security, Incident Event and Communications Management, Business Resiliency, Compliance, End User Device Security, Network Security, Privacy, Threat Management, Server Security, Cloud Hosting
Monitor third parties
Continuously monitor these critical third parties in real time. Seeing real-time alerts when a third party’s network security is impacted can help utilities work directly with their critical vendors to reduce the impact of a cyber incident.
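The three steps above (identify critical third parties, evaluate their security, monitor them) can be expressed as a small triage routine. The script below is an added example and not the brief's or Fortress's method: the vendor records, the 0-5 control-domain scores, the alert feed, the $1 million revenue cut-off used to flag small suppliers and the escalation rule are all constructed assumptions; only the list of control areas is taken from the text.

```python
"""Third-party triage for the three steps above: identify critical vendors,
evaluate their control maturity, and escalate monitoring alerts (added example).

Vendor records, domain scores, the alert feed and the escalation rule are
constructed for illustration; the control areas come from the brief.
"""
from dataclasses import dataclass

# The control areas listed in the "Evaluate third-party security" step.
CONTROL_DOMAINS = (
    "Risk Assessment and Treatment", "Security Policy", "Organizational Security",
    "Asset and Information Management", "Human Resource Security",
    "Physical and Environmental Security", "Operations Management", "Access Control",
    "Application Security", "Incident Event and Communications Management",
    "Business Resiliency", "Compliance", "End User Device Security", "Network Security",
    "Privacy", "Threat Management", "Server Security", "Cloud Hosting",
)


@dataclass(frozen=True)
class Vendor:
    name: str
    annual_revenue_usd: int
    provides_critical_tech: bool   # IT/ICT/ICS critical to grid operation
    has_bps_network_access: bool   # maintains connectivity to bulk power system networks
    holds_sensitive_data: bool     # designs, blueprints, operational data


def is_critical(v: Vendor) -> bool:
    """Step 1: criticality follows the vendor's role and access, never its size."""
    return v.provides_critical_tech or v.has_bps_network_access or v.holds_sensitive_data


def maturity_score(scores: dict[str, int]) -> float:
    """Step 2: mean of 0-5 scores over all domains; an unassessed domain counts as 0."""
    unknown = set(scores) - set(CONTROL_DOMAINS)
    if unknown:
        raise ValueError(f"unknown control domains: {sorted(unknown)}")
    for domain, s in scores.items():
        if not 0 <= s <= 5:
            raise ValueError(f"score for {domain} must be 0-5, got {s}")
    return sum(scores.get(d, 0) for d in CONTROL_DOMAINS) / len(CONTROL_DOMAINS)


def prioritize(vendors: list[Vendor], assessments: dict[str, dict[str, int]]) -> list[tuple[str, float]]:
    """Critical vendors ordered weakest-first; a vendor never assessed scores 0.0."""
    ranked = [(v.name, round(maturity_score(assessments.get(v.name, {})), 2))
              for v in vendors if is_critical(v)]
    return sorted(ranked, key=lambda item: (item[1], item[0]))


def small_critical_vendors(vendors: list[Vendor], revenue_cap_usd: int = 1_000_000) -> list[str]:
    """Critical vendors under the revenue cap: the ones that tend to fly under the radar."""
    return sorted(v.name for v in vendors if is_critical(v) and v.annual_revenue_usd < revenue_cap_usd)


def escalate_alerts(alerts: list[dict], vendors: list[Vendor], min_severity: str = "high") -> list[str]:
    """Step 3: keep real-time alerts about a critical vendor at or above min_severity."""
    order = {"low": 0, "medium": 1, "high": 2, "critical": 3}
    critical = {v.name for v in vendors if is_critical(v)}
    return [f"{a['vendor']}: {a['event']}" for a in alerts
            if a["vendor"] in critical and order[a["severity"]] >= order[min_severity]]


# Constructed inventory; vendor names are fictitious.
VENDORS = [
    Vendor("BigGridSoft", 500_000_000, True, False, False),
    Vendor("TinyRelayCo", 600_000, True, True, False),
    Vendor("BlueprintDrafting", 2_000_000, False, False, True),
    Vendor("OfficeSupplies", 10_000_000, False, False, False),
]
# Constructed assessment results; TinyRelayCo was only partially assessed.
ASSESSMENTS = {
    "BigGridSoft": {d: 4 for d in CONTROL_DOMAINS},
    "TinyRelayCo": {"Access Control": 2, "Network Security": 1, "Security Policy": 2},
}
# Constructed monitoring feed.
ALERTS = [
    {"vendor": "TinyRelayCo", "event": "exposed remote administration service observed", "severity": "high"},
    {"vendor": "OfficeSupplies", "event": "lookalike domain registered", "severity": "high"},
    {"vendor": "BigGridSoft", "event": "certificate expiring in 30 days", "severity": "low"},
    {"vendor": "BlueprintDrafting", "event": "outdated web server banner", "severity": "medium"},
]

if __name__ == "__main__":
    print("small critical vendors:", small_critical_vendors(VENDORS))
    print("assessment priority (weakest first):", prioritize(VENDORS, ASSESSMENTS))
    print("escalated alerts:", escalate_alerts(ALERTS, VENDORS))
```

Two design choices carry the brief's point. Criticality is decided by what a vendor supplies or can reach, so the $600,000 relay supplier with bulk power system network access ranks as critical while the $10 million office supplier does not; and a critical vendor with no assessment on file scores 0.0 and therefore lands at the top of the list rather than disappearing from it.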
Cyber criminals are increasingly targeting ICS solutions in their attempts to access the grid. As these attacks evolve, bad actors are exploiting weaknesses in third-party vendors. Addressing these potential exploits means being aware that all third-party vendors—even the smallest—are subject to attack, and taking actions to safeguard ICS from as many attack vectors as possible.