Hackers don't know what to do when they access the operational technology level of power grid SCADA systems.
That was the conclusion of a talk given by Dewan Chowdhury, chief executive officer of MalCrawler, a Washington DC-based cyber-security consultancy.
Chowdhury told the audience at the 4SICS Summit in Stockholm, Sweden, today about his experiences of setting up power grid honeypots to lure hackers and then allow them to operate unhindered in an environment built to emulate the control system for a working power station.
In this respect, his talk echoed comments made by FBI officials at the GridSecCon conference in Philadelphia, USA.
Chowdhury said that there is some truth to the scare stories that government and the media tell about terrorists and nation states wanting to hack power systems.
“Power is the mother of all critical infrastructure,” he said. “Financial systems are useless without power as are telecoms and water treatment facilities… and they are the most targeted systems by cyber-attackers.”
His research was born of curiosity about what real-life hackers do when they manage to breach the perimeter defences of a power company. “Let's create the nightmare scenario, let's put some of the baddest hackers in the world, some of the cleverest APT groups out there, put some of the worst crimeware and malware out there and see how they react to our honeypot.”
His company created a honeypot to emulate the energy management system (EMS), which he describes as the “heart and soul” of the SCADA within electrical utility companies. It was built so that attackers could shut down substations, and it showed them a realistic graphical user interface (GUI).
He went as far as researching real networks and using the names of generators, substations and other network assets on the GUI to fool even the most savvy attackers.
He tested a number of scenarios:
- A fake electrical substation with an unsecured wireless connection
- A misconfigured firewall allowing access to the OT side of the company from the corporate IT network
- Planting and opening up malware samples (eg, APTs and crimeware) on the honeypot network
No one responded to the unsecured wireless connection apart from some teenagers looking for free Wi-Fi networks, he said.
The pivot from IT to OT met with disappointing results, he said. Most of the hackers that ended up on the OT side didn't know what they were doing.
The malware angle yielded almost immediate results.
The honeypot drew interest from an estimated 40 APTs, but the level of interest each APT took in it depended on the identity that the honeypot had been given.
“The Chinese for instance have several dozen APT groups which are specifically pinpointed to look for certain groups,” he said, with separate groups dedicated to hacking Taiwan, South Korea and the Philippines.
“You have to understand this element when you start creating the honeypot so they feel comfortable, like this is very interesting I'll go for it or they'll know straight away there's something wrong,” he said.
The environment was made to be as hackable as possible, running Active Directory and LM Hash and only using passwords of fewer than 14 characters. A flat subnet structure was used to make it easy to explore everything.
To make his honeypots more credible, he submitted fictitious network specifications to US state regulators which the hackers would be able to access because they are public documents. The documentation would then corroborate the data about the networks which the attackers were finding in the honeypot.
Inexplicably, when the APT hackers got down to the OT side of things, they almost never took any action against the network.
“They accessed the network but not one of them dared when they got down to the OT side to even move the mouse,” Chowdhury said. “Maybe they were spooked. We knew they were on the GUI, but none of them touched it. Didn't even move the mouse around. It's one of those mysteries.”
He added: “Why they didn't do anything on the OT remains a mystery but it may have to do with agreements among nations not to take propitious action against each other.”
Speaking to SCMagazineUK.com after his presentation, Chowdhury told us: “The people that governments and national security figureheads say will cripple the grid, when we gave them access to the ‘grid’, they did nothing. It's interesting to see that we have seen IP [intellectual property] being stolen non-stop, but when it comes to disruptions we don't see it. We have not seen the Chinese, Russians or Indians cross that line. But there's still a lot of interest in how the grid operates.”
He added that most of these attacks against the grid remain theoretical in western countries but in the Middle East, cyber-warfare is very real.
“It's weaponised. It's more theoretical in the West but in the Middle East it's actually taking place. We have done incident response in oil refineries, electrical substations in that part of the world. There is actual information warfare going on,” he said.