Just weeks after American law enforcement agencies, the Department of Homeland Security and the Federal Bureau of Investigation, in a joint non-public report warning of a critical infrastructure hack, the Government Communications Headquarters (GCHQ), one of Britain's secretive spying agency has reported the possibility of a similar attack within its borders. A copy of the document issued by the National Cyber Security Centre (NCSC), a branch within in GCHQ, obtained by Motherboard and later confirmed by the BBC states that industrial software companies have likely been compromised.
While the NCSC report does not mention specific instances where systems were compromised, unlike the US joint report which listed a company managed a nuclear power station in Kansas had been breached, it does appear that activity indicative of a campaign is discernible. It does not appear as if UK companies are the specific target, rather part of a global campaign targeting critical infrastructure systems and companies in the West. Both law enforcement agencies in Turkey and Ireland have reported similar suspicious activity.
The NCSC report goes to state:
The NCSC is aware of connections from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors, who are known to target the energy and manufacturing sectors,
NCSC believes that due to the use of wide-spread targeting by the attacker, a number of Industrial Control System engineering and services organizations are likely to have been compromised,
Later a spokesperson for the NCSC told reporters at Motherboard that:
We are aware of reports of malicious cyber activity targeting the energy sector around the globe. We are liaising with our counterparts to better understand the threat and continue to manage any risks to the UK.
While the motives for the attack are unknown as is any concrete evidence yet of an attack, fingers have inevitably pointed to state-sponsored Russian group Energetic Bear, as they have done so in the past. As concrete evidence of an attack is lacking the warning issued by the NCSC seems to be based on analysis of activity and the statistical likelihood of an attack.
Recent similar intrusions and breaches into industrial and energy sector organizations do not appear to be geared towards destruction or shutting down of a power grid. Rather it seems that the attacks are geared more towards intelligence gathering and espionage. This would implicate any nation with relatively advanced cyber espionage capabilities. The Times, a British newspaper, did report that the intention of the attackers was “to infiltrate control systems... This would also have given them the power to knock out parts of the grid in Northern Ireland.” However, no real evidence has come to light that this was the attacker’s intention. In any situation where control systems may be compromised, the potential threat is undoubtedly serious in nature and should be treated as such. That being said with regards to the earlier hack which occurred in the US the DHS and FBI went on record to ensure the public that while serious public safety was not at threat. Such an attitude can be safely assumed for other similar attacks until proven otherwise.
Energy sector an increasingly prime target
There is undoubtedly a growing trend in state sponsored actors targeting the energy sector and other industries closely linked to the sector, whether software manufacturers or others. Christopher Frei of the World Energy Council admitted to this ever increasing reality by stating:
“Cyber threats are among top issues keeping energy leaders awake at night in Europe and North America. Over the past three years, we have seen a rapid change from zero awareness to headline presence. As a result, more than 30 countries have put in place ambitious cyber plans and strategies, considering cyber threats as a persistent risk to their economy…What makes cyber threats so dangerous is that they can go unnoticed until the real damage is clear, from stolen data over power outages to destruction of physical assets and great financial loss. Over the coming years, we expect cyber risks to increase further and change the way we think about integrated infrastructure and supply chain management”
In 2016 the World Energy Council released a report advising industry leaders to adopt the following cyber security measures as well as informing how other sectors can help in combatting cyber security threats:
- Energy utilities must view cyber as core business risk, increase awareness and build strong technical and human cyber resilience strategies. Adopting a common cross-sector cyber security framework, for example, can help locating key areas of cyber risk management and identify those systems that need to be protected at all costs.
- Technology companies can play an innovative role. They must monitor the nature of cyber-attacks and embed security features into the products they are developing and delivering.
- Governments: Policymakers must stimulate the introduction of standards, regulation and support information sharing, and in doing so support strong responses from companies to cyber risks. A cyber security talent pool is vital given the demand for skilled workers exceeds the supply with a growth rate that is more than two times faster than all other IT jobs.
- Insurance and finance: The insurance sector must monitor cyber risks and focus on managing newly arising and changing risks. They need to develop appropriate cyber insurance products and better understand how their existing portfolios are impacted by cyber incidents. In analyzing energy sector information in detail, they must help companies to better quantify their cyber risks.
Keeping the lights on in future is going to involve a concerted effort by multiple government and private spheres. The ability to supply power and other forms of energy can be seen as the foundation of any thriving economy and thus any threat to it must be viewed seriously.