Author: Phil Muncaster
Both customers and regulators of energy and utilities firms demand a reliable, resilient service from suppliers. That means utilities must take special efforts to mitigate the impact of any IT outages, engineering challenges, bad weather and natural disasters. Now add cyber threats, also known as reconnaissance attacks, to the list.
The 2022 Verizon Data Breach Investigations Report (DBIR) is a global annual analysis of security incidents and breaches that highlights the growing threat of cyber attacks to all industries. For the energy and utilities sector in particular, the surge in reconnaissance attacks in recent years could be a potent warning of disruption to come. Today, power grid hacks pose a real and growing threat, and the attacks are often financially motivated.
Fortunately, there are steps companies can take to help minimize the potential for a power grid hack, starting with identifying risks at an early stage through advanced threat intelligence.
What is a reconnaissance attack?
A reconnaissance attack occurs when a bad actor gathers information about a target before actually launching an attack. It's the cyber equivalent of a burglar scoping out which properties to rob.
A popular way to describe typical advanced persistent threat (APT) attack methodologies is the cyber kill chain. There are seven key stages:
- Reconnaissance: Initial harvesting of information on the potential victim.
- Weaponization: Combining an exploit with backdoor malware in a deliverable payload.
- Delivery: Ensuring the payload arrives in the victim's network via email, USB and so on.
- Exploitation: Exploiting a vulnerability to run code on the victim's system.
- Installation: Installing malware on a key asset.
- Command and control: Opening a communications channel to remotely control malware.
- Actions and objectives: Accomplishing the original goals of the attack, such as a power grid hack.
During the reconnaissance stage, the threat actor’s aim is to gather information on the target system's weaknesses to help ensure the best chance of a successful attack. The end goal could be anything from installing ransomware to stealing sensitive data or hijacking and sabotaging key assets.
Reconnaissance attacks: Active versus passive
Reconnaissance attacks can be broken down into two key types: active and passive attacks.
An active reconnaissance attack is the quicker and more direct option, although it also exposes the attacker to potential discovery. These types of attacks will usually attempt to map your network, identify hosts and services, and conduct a port scan, typically using the powerful scanning tool Nmap. During this process, any vulnerable services associated with open ports may be exploited to clear an attack path into your network.
Passive reconnaissance is intended to provide useful information on your networks, hosts, security policies and employees without setting off any alarms and uses Open Source Intelligence (OSINT) techniques to gather information about the target.
If active reconnaissance involves trying to open virtual windows or doors, passive reconnaissance is about observing from a safe distance. This could be achieved by investigating source HTML files on your public-facing website and information on employees' social media sites or by searching public online records. Attackers may even try to impersonate an authorized user by hijacking employee accounts.
Why are utilities at risk?
The utilities sector is one of the most frequently targeted by attackers, according to Verizon's 2020-2021 Cyber-Espionage Report. As a percentage of total cyber attacks, there were more breaches of confidential data (23%) in the utilities sector than in virtually any other vertical over the past seven years.
In March 2022, the Federal Bureau of Investigations (FBI) issued a bulletin obtained by CBS News noting that at least five U.S. energy companies have experienced “abnormal scanning” from Russian-linked IP addresses, which “likely indicates early stages of reconnaissance, scanning networks for vulnerabilities for use in potential future intrusions.”
Furthermore, the bulletin noted, “This scanning activity has increased since the start of the Russia/Ukraine conflict, leading to a greater possibility of future intrusions.”
How can utilities better defend themselves?
Fortunately, there are various tools and tactics companies can employ to help reduce their risk. These include:
- Reviewing information publicly available via your website and other online resources to minimize accidental data exposure.
- Educating employees about the risks of sharing personal information online, being alert to phishing attacks and managing passwords securely.
- Rolling out multi-factor authentication to reduce the risk of account hijacking.
- Mapping all your network-connected devices, ensuring appropriate security controls are applied and disabling any devices not in use.
- Disabling any high-risk services and closing ports where appropriate.
- Conducting red team exercises to test detection and response capabilities.
- Conducting regular pen testing to find security gaps and patch any vulnerabilities.
- Considering firewalls and intrusion prevention systems to detect and block port scans.
In addition, a number of resources are available, including Verizon’s educational webinars about the DBIR’s key findings and a panel discussion with chief information security officers about the changing cyber threat landscape.
Threat intelligence and managed services
Threat intelligence is another important tool to help detect and block reconnaissance activity early on. The best approaches blend automated machine-based learnings with human intelligence to proactively address threats.
Managed services are a good option for organizations that would prefer to outsource this capability to trusted global partners who can offer a team of trained experts in this field.
With reconnaissance attacks on the rise, it’s important that energy and utility companies today have an understanding of what a reconnaissance attack is and how they are at risk. Learn how Verizon's network threat advanced analytics service can help better protect your company and prevent a power grid hack.
The author of this content is a paid contributor for Verizon.