More than meets the eye: deceptive cybersecurity for the energy sector

Umar Ali 25 November 2019 (Last Updated November 22nd, 2019 15:00)

The energy industry is particularly vulnerable to cyber-attacks due to increased interconnectivity of energy systems, but what can be done to protect these systems? Umar Ali speaks to Tony Cole, CTO at cybersecurity company Attivo Networks, about a technology that could provide a solution.

The energy sector is vulnerable to cyber-attacks due in part to the cost of upgrading systems. Credit: NSWC.

Umar Ali (UA): Could you give me a brief overview of the technology?

Tony Cole (TC): In 2019 we see massive breaches taking place every day. Many of these companies have legacy preventive technology from the past that remains their focus and that they seem to stick to, so we came at this from a completely different angle.

We’ve taken the new virtualisation technology that’s available and gone further with it, taking a company’s production, enterprise network, status networks or Internet of Things [IoT] networks (specifically talking about energy, all the way down to human-machine interfaces [HMI] and storage models) and replicating that with decoys that use real operating systems and look real to any attacker, but if they’re touched by attackers it causes an alert immediately.

So these are systems that mimic the real operating systems and can run in the unused IP space of an energy corporation. So deception from the production enterprise side on IT all the way down to the operational technology [OT] levels.

Most attacks today are typically phishing attacks. So a guy comes into work one day, sits down at his desk, and opens his inbox. And he’s got an urgent message from the CEO, or at least someone who looks like the CEO. So very quickly, he opens the email to respond to his boss. Unbeknownst to him it’s actually a phishing email that has malicious code in it, maybe just a snippet that has now slipped by all the preventative technology that the organisation has.

So the first thing that this attacker does is look around; they will use tools that are widely available on the dark net and scrape memory. What we do is we’ve got breadcrumbs and lures that you would have, which really amounts to a mousetrap on the production side.

So we’ll place fake Active Directory credentials inside memory; no users should ever be scraping them, and it’s not something that we’re allowed to do. It’s not a tool they’re supposed to have. And here’s that guy who came in and clicked on an email that has malicious code in it. So the adversary pops up on that system.

They look at memory, the first thing to do is scrape memory, and they find our malicious credentials, and it leads them directly into our decoy environment. So now they’re trapped in a decoy environment. And unbeknownst to them, they don’t even know they’re in that decoy environment.
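The mechanism Cole describes, planted credentials that no legitimate process should ever use and decoy hosts sitting in otherwise unused address space, is a detection technique, so the defender's side of it can be shown in code. The following is an added example and is not Attivo Networks' code or anything from the interview; the account names, the decoy network range, the scanner address and the log lines are all constructed placeholders, and the log format (timestamp, event type, key=value fields) is an assumption chosen for the illustration. It parses authentication and network-flow events and raises an alert whenever a planted credential is presented (success or failure) or any host connects to a decoy address.

```python
"""Honeytoken and decoy-host alerting over sample log lines (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress

# Deception inventory. Every name and address here is a hypothetical placeholder.
DECOY_ACCOUNTS = {"svc_backup_ad", "ot-hmi-admin"}          # planted credentials, never legitimately used
DECOY_NETWORKS = [ipaddress.ip_network("10.20.99.0/24")]   # unused address space populated with decoys
SCANNER_SOURCES = {"10.1.0.250"}                            # authorised scanner; suppressed for flow events only


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    source: str
    line: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse 'TIMESTAMP TYPE key=value ...' into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    event = {"ts": parts[0], "type": parts[1]}
    for token in parts[2:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        event[key] = value
    return event


def is_decoy_host(addr: str) -> bool:
    """True when addr falls inside the decoy address space; unparsable input is never a decoy."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in DECOY_NETWORKS)


def evaluate(line: str) -> Optional[Alert]:
    """Return an Alert for a decoy touch, or None when the line is benign or malformed."""
    event = parse_line(line)
    if event is None:
        return None
    src = event.get("src", "?")
    if event["type"] == "auth" and event.get("user", "").lower() in DECOY_ACCOUNTS:
        # A planted credential has no legitimate user, so any attempt, failed or not, is a signal.
        return Alert("high", "decoy credential used", src, line)
    if event["type"] == "flow" and is_decoy_host(event.get("dst", "")):
        if src in SCANNER_SOURCES:
            return None  # the only expected traffic into decoy space is the authorised scanner
        return Alert("high", "connection to decoy host", src, line)
    return None


def run(lines: List[str]) -> List[Alert]:
    """Evaluate every line and keep the alerts, in log order."""
    return [a for a in map(evaluate, lines) if a is not None]


# Constructed sample log: one planted-credential use, one decoy-host touch, the rest benign.
SAMPLE_LOG = [
    "2019-11-20T09:12:01Z auth result=failure user=svc_backup_ad src=10.1.4.22 dst=10.1.0.5",
    "2019-11-20T09:12:03Z flow src=10.1.4.22 dst=10.20.99.17 dport=445",
    "2019-11-20T09:13:00Z auth result=success user=jsmith src=10.1.4.22 dst=10.1.0.5",
    "2019-11-20T09:14:10Z flow src=10.1.0.250 dst=10.20.99.17 dport=22",
    "not a well-formed event",
    "2019-11-20T09:15:00Z flow src=10.1.4.22 dst=10.1.0.9 dport=443",
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.reason} from {alert.source}: {alert.line}")
```

The two alerts both come from the same source address, which is the practical value of the approach: a single workstation that presents a credential it could only have obtained by scraping memory and then reaches into decoy space gives an investigator a starting point without any signature for the malware involved. The scanner allowlist applies only to flow events, because a planted credential should never appear in an authentication event from any source, scanners included.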

UA: How could this technology specifically help energy companies?

TC: Most organisations out there today, aside from a few in some special areas, have no preventative tools that you can put on the OT side. Many of them also don’t collect telemetry, so you can’t collect any evidence from the system sitting out there.

That’s why we’ve created deceptive OT systems that can run down into the data site. We can do deceptive HDMI systems, deceptive historians, all kinds of stuff to the lowest level across the board, with a lot of energy customers running our technology today.

In fact, earlier this year in July the US Department of Energy liked it so much that they awarded a grant to Pacific Northwest National Labs in one of their own labs that named us in it, as well as their partners, to further develop deception at the lowest levels to protect the US energy grid.

Of course that’s just where the grant was done, we own the technology. So we’ll have all our customers as we further develop our capabilities in this area. We already have a lot of energy customers that are very pleased with the telemetry we were able to gather, where no telemetry was able to be gathered before.

UA: Do you have any experiences you could talk about with the technology in a real life energy setting?

TC: I will say that many of the breaches will take place on the energy side; we catch them earlier on the production side, when they’ve not moved down to the OT side. So we’re in the enterprise. And we’ll catch them early when a phishing email comes in, or when somebody gets hit by a watering hole attack, which is very common in the energy sector.

A watering hole attack is a simple concept; if you want to target a specific organisation, you start looking at that organisation via social media, where you can start to paint a picture very quickly of what the website is.

So say if an attacker goes to Power Technology, your company, I’m sure like 99% of the companies out there will use advertisements on the web page. Those advertisement servers are quite often a target, because many of them are smaller companies, and they do third-party advertising themselves then sell that time back to magazines like yours. Many of them have limited capabilities for security, because they’re such small companies.

So they will target those companies, compromise them, and you end up with a vulnerability on your website that can compromise energy users that are focused on the target that they want. So in this instance a guy comes in, it’s not a phishing email he clicks on, he goes to your magazine and there’s malicious code on there. He sees an advertisement he likes, clicks on it, and he’s compromised.

That’s generally where we’ll catch them most of the time before they have a chance to move anywhere down to the OT side.

UA: What do you think it is about the energy industry specifically that makes it vulnerable to cyber-attacks?

TC: The big challenge for the energy sector is the fact that most of the time, the technology they buy is there for 15, 20, 30 years or so, and they want to get their value back out of it. Well, that long ago it was never designed with cybersecurity in mind, so when you look at that across the board, that’s a massive issue.

There’s a significant cost to upgrading the systems. And it’s extremely problematic to try and take operational technology and drop preventative cybersecurity technology and even detection technology into old structures.

To give you an example, the OT technology that is running the grid in part of the UK is going to run for 15-20 years. And there’s no way they want to do any modification and the operators are very resistant to change, because their primary goal across the board is to ensure that every home, business and the government has a continuous energy source.

So imagine putting preventative technology in there that takes the grid down by doing an upgrade. So that’s one of the problems they have for trying to put this technology in place.

Another piece is there’s no telemetry gathered on any of these systems as well, which is also problematic.

UA: Is there anything else that energy companies can do to take a more proactive approach to cybersecurity?

TC: I think it’s becoming more aware and training their users, because for the longest period of time in the energy sector, there was a significant separation between the corporate IT asset folks and the operators running the grid.

We’re finally starting to see that bridge get gathered and crossed, and there’s more and more focus on trying to make them aware of the issues.