(This is the first installment of a two-part series exploring how critical infrastructure like power plants are proactive in implementing protective measures to safeguard against future cyber attacks, but challenges remain.)

Power plant networks are under constant attack from Chinese, Russian and other unknown hackers across the world 24 hours a day and 365 days a year. A hacker’s goal is to breach critical infrastructure, such as a power plant’s external firewalls, to gain access to the internal networks and find a way into the control system environment.

Hackers typically use port scanners, password-guessing software and other readily available Internet tools to perform non-stop attacks against a power plant’s external environments. These tools look for and exploit any potential weaknesses that could be used to access internal networks. Once inside, the hacker can continue to run tools against control networks to exploit any weaknesses that might allow them to take control of plant control networks.  

Social engineering attacks such as ransomware are used to trick a user into clicking an attachment (i.e., phishing schemes) in order to extract and encrypt data files. This enables a hacker to extort money and decrypt information. The more access a user has to a system environment the greater the damage that can be done. Limiting administrative privileges reduces these risks. 

Control system data, operational data and sensitive financial data can be encrypted and only restored if backups are currently performed. Phishing attacks can also trick users into providing their username and passwords, which can then be used to login remotely to other systems. People tend to use the same passwords across many different sites with little to no variations. This can allow a hacker to gain access to many other systems using the same login credentials and passwords from a compromised account, including control systems, banking information and other applications.  

Many power plants lack dedicated IT staff that can effectively identify and repel a cyber attack so user diligence is key to identifying problems. Without proper controls, it is only a matter of time before hackers gain access to targeted resources and establish control of the environment. 

Lack of Proactive Risk Mitigation and System Updates

Historically, control systems have been physically separated – or “air gapped”. However,  these environments are now connected at various firewalled points as businesses increasingly rely on real-time plant data. Firewalls can provide security needed to prevent access to control networks. However, misconfigurations are common and they are sometimes not tested, thus enabling security weaknesses. Control networks continue to move closer to the Internet and many are now running on Microsoft-operating systems, which can expose them to similar security vulnerabilities.

Lack of Updates and Risk Mitigation

Complex passwords, two-factor authentication and user awareness are all lines of defense that help mitigate a successful hack. Many power plants do not want passwords that change on a set interval and do not use complex options because they are difficult to remember. Passwords such as “Password”, “2018Texans” or other dictionary words only take a few minutes of hacking to gain access to a network. 

"Security updates are critical to mitigating cyber hacking attacks by closing vulnerabilities that could provide access to the system without having to provide login identification and passwords."

More power plants are using virtual private network (VPN) connections for remote starting of power plants. VPNs move critical control networks closer to the Internet. which can provide the ability for someone to hack into the plant and start or stop operations.  If hackers figure out how to operate plant control systems, damage can be significant. 

Security updates are critical to mitigating cyber hacking attacks by closing vulnerabilities that could provide access to the system without having to provide login identification and passwords. Recent Cisco AnyConnect VPN software and Cisco Switch vulnerabilities have provided a great opportunity for network breaches or complete network failures if these issues are not patched up in a timely period. 

Once a critical vulnerability has been identified, it is key that a technical team is deployed to make a fix. Critical patches need to be identified and fixed as soon as possible. Oftentimes, clients do not have an active IT group that updates servers, firewalls and other devices when vulnerabilities arise. Computer systems require maintenance, backups and regular updates. Without these processes in place, power plants become an easy target for hackers looking for a thrill or a foreign government who may seek visibility by taking control of power plant environments.

Cyber Attack by Chinese Actor – A Case Study

Opportune LLP was engaged by a client to review a power plant on concerns that their site may not be secure from external cyber attacks. During our review, it was found that China had hacked into the control system through a Microsoft Windows machine connected directly to the Internet without firewall protection.

The local IT resource lacked security experience and did not understand the risks of how the computer was at risk. The malicious activity was subsequently traced back to China to hack into the power plant control system. Consequently, the hacked machine was eventually rebuilt, patched and moved behind firewalls to fix the issue. It is not known what China’s intent was for hacking the asset. We suspect it could have been using these easy targets to figure out a way how to cause physical damage to a power plant with an intent to disrupt the power grid.