Inside the modern power plants, transmission facilities, and electrical substations that make up a power grid, nearly everything is controlled by computers, and those systems haven’t gotten more secure since Russian government hackers triggered an electrical outage in Ukraine over a year ago. Now there are indications that North Korea may be working to follow Russia’s lead, and sizing up the U.S. as a target.
Those are some of the takeaways from new research by the Maryland-based cybersecurity firm Dragos, which specializes in industrial-control systems like those in the electrical grid and on factory floors. The company analyzed 163 new security vulnerabilities that surfaced last year in industrial-control components, and found that 61 percent of them would likely cause “severe operational impact” if exploited in a cyberattack.
Most of the vulnerabilities could only be exploited if the attacker has already gained access to a plant operations network—only 15 percent actually allow an attacker ingress from the outside. But Dragos also found serious problems in how equipment makers warn utilities and other customers about new security holes. Among other issues, the vast majority of security advisories—covering 72 percent of last year’s vulnerabilities—provided little guidance on closing the security hole. “They lacked alternative mitigation data,” says Reid Wightman, senior vulnerability analyst with Dragos. “If you can’t apply the patch, there’s no other mitigation that can take place.”
If there’s a bright spot in the new findings it’s that the majority of industrial-control security holes are in equipment that uses protocols and architectures so inherently insecure that an extra vulnerability isn’t that big a deal. “There’s not really any security on the device to begin with,” Wightman says. And so far, sophisticated control-system attacks are the province of a handful of nation-state-level hacking operations like those in the U.S., Russia and, reportedly, Israel.
But in September, Dragos picked up a new adversary, code-named “Covellite,” that appears to be trying to join that club. Covellite has been targeting electric utilities in the U.S., Europe, and parts of East Asia with spear-phishing attacks that employ code and infrastructure eerily similar to that used by the so-called Lazarus Group, the most destructive and outright criminal of the state-sponsored hacking gangs. Dragos doesn’t link attacks to specific nation-states, but the U.S. government has publicly identified the Lazarus Group as North Korea.
If Kim Jong Un is trying to duplicate Russia’s electricity-killing capability, he’s in an early reconnaissance stage—Covellite hasn’t shown any particular expertise in the arcana of industrial-control systems. But Dragos’ Joe Slowik says it’s a worrying development. “From a risk standpoint, that actor could be really interesting,” says Slowik. “Particularly if things on the Korean Peninsula get worse.”
The findings cap a year of serious advances in attack techniques against electric utilities. In June, researchers at Dragos and the European security firm ESET discovered that attackers deployed startlingly sophisticated malware dubbed Crash Override to trigger a blackout in Kiev the previous winter—an attack the Ukrainian government has convincingly attributed to Russia. And late last year an unknown perpetrator attacked a Saudi petrochemical plant with a new breed of code called Triton, which was built to deliberately kneecap a plant’s safety systems.
That latter move signals dangerous new rules of engagement on the cyberbattlefield, says Slowik. “Even if it wasn’t the direct intention of the operation, someone said, this is OK—to create something that could harm or even kill someone.”