Series of cyber attacks against energy industry identified

Security officials are warning of a new “spear-phishing” campaign targeting employees within the North American energy sector.

The U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported an active series of cyber intrusions against companies in the natural gas pipeline industry dating back as far as December 2011. While few specifics are being released publicly, ICS-CERT says, “Various sources provided information … describing targeted attempts and intrusions into multiple natural gas pipeline sector organizations.”

The campaign targeted a variety of personnel within these organizations, though the number of people targeted appears to be tightly focused, according to ICS-CERT.

While ICS-CERT did not identify attacks outside the natural gas pipeline industry, others in the energy industry say the IT platforms used in the industry share some common vulnerabilities.

“The same, identical programmable logic controllers (PLCs) that are used in the pipeline and the compressor stations are used in power plants, refineries, steel mills, water systems,” security expert Joe Weiss told TransmissionHub on May 17. “We’re not talking similar; we’re talking exactly the same.”

Weiss said the supervisory control and data acquisition (SCADA) systems used in the pipeline and electricity sectors are very similar, “sometimes from the same vendors.”

Weiss, who was technical manager for 15 years at the Electric Power Research Institute (EPRI) before founding consultancy Applied Control Solutions, is considered an expert on control systems and electronic security of control systems.

“Spear-phishing” uses convincingly crafted e-mails that appear to be sent by a trusted source and with a credible message, according to ICS-CERT. Security experts say preparing and delivering such an e-mail usually requires intelligence-gathering to identify a proper target and to craft a convincing attack.

The e-mails included an attachment that would attempt to upload malware to the recipient’s host computer network. Analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign with spear-phishing activity, according to ICS-CERT.

Weiss said that, apart from the shared IT vulnerabilities, the electric industry is vulnerable because of the physical connection between the two utility sectors. “We have lots and lots of gas-fired power plants, and we have all these pipelines coming into the power plants,” so an interruption of the gas delivery system could cause a disruption in the electricity system, he said.