When Utilities Become Cyber Attack Casualties
Cyber attacks against individuals, governments, industrial targets and regular companies each come with their own set of risks, challenges and impacts. However one particular type of cyber attack target can cause widespread damage while usually being relatively weakly secured: Utility providers.
In this briefing, we will discuss why utilities are high value targets and at why their information security is often lackluster before taking a look at what happened when a Guyanese electrical company was compromised earlier this year.
Why utilities are high value targets
Cyber attacks obey economic rules. Attackers invest their time and resources in the hopes of gaining something in return. This can be as basic as a teenager investing an afternoon to gain the thrill of having touched a school’s or company’s backend systems, to a state actor investing millions into an advanced cyber warfare program hoping to gain military and political power.
Utilities offer relatively few direct monetary rewards, but they provide a lot of leverage for other aims. A shutdown of the electrical grid will bring most modern countries to a halt as computer and communications systems break down. Shutting down gas supplies can hamper food preparation and heating, as well as cause secondary problems with gas-based electricity generation. Disruptions to the water supply can lead to severe health risks from dehydration and bad sanitization within hours.
An attacker able to control a country’s utilities for a longer term can make almost any demand, but even a short term compromisation can assist military campaigns or breed uncertainty among the general population.
Why are utilities not hard targets?
In this series of briefings, we often distinguish between “hard” and “soft” targets. The former being targets such as governmental or military networks that present a much stronger barrier to potential attackers.
Considering how essential utilities are, it is easy to assume that they are treated as hard targets and well secured. Unfortunately this is often not the case. For one, depending on the country, utilities are often provided by private companies and thus not under governmental control when it comes to securing them.
However the second reason is more important: Utilities rely on heavy machinery and are thus affected by the same long timelines hampering all heavy industries. While laptops or access systems can, and often are replaced on short cycles of a few years, heavy equipment such as generators, pumps or reservoirs have lifetimes measured in decades. Since such long timeline systems nowadays include at least some computer components, these computers must either last just as long or be seamlessly replaced.
In an ideal world, every system would be perfectly maintained, but the reality looks very different. There are plenty of instances where industrial equipment is still being controlled by software run on out-of-support operating systems like Windows NT. While it is negligent to do so, in cases where the provider of even one key component has since gone out of business, the alternative would be to replace the entire piece of equipment. With price tags often in the tens of millions, this can be difficult or outright impossible.
Therefore, utilities are often relatively insecure when observed from a cyber-security perspective.
The case of Guyana Power and Light
On February 6th 2019, Guyana Power and Light Incorporated - the primary electricity provider for the island nation of Guyana - was hit by a ransomware attack. It is unclear whether the attack targeted the company on purpose or whether regular ransomware worms infected it at random.
The attackers demanded a ransom in Bitcoin, which the company refused to pay. This is the correct course of action. Paying to remove ransomware strongly incentivizes future attacks and is not guaranteed to actually lead to files being recovered. Since the infrastructure required to manage and deliver decryption keys leads to additional overhead and risk, many attackers don’t bother to maintain it.
Unfortunately, this lead to significant interruptions of the local power grid lasting for 4 days. Fortunately, the overall unsteady supply of electrical power in Guyana means that many of the affected consumers were equipped with their own diesel generators.
Utilities are targets of relatively high value due to their essential nature and often relatively low security due to the long-term nature of the machinery they rely on. Whether through directed attacks or random chance, successful breaches of utilities can have significant impact on the local population.