Energy


Understanding the cyber threat:

There are three characteristics that make the sector particularly vulnerable to contemporary cyber threats:

• First, an increased number of threats and actors targeting public services: state actors seeking to cause security and economic disruption, cyber criminals who understand the economic value represented by the sector, and hacktivists seeking to publicly express their opposition to general utility projects or programs

• Second, the extensive and growing attack surface of utilities, resulting from their geographic and organizational complexity, including the decentralized nature of many organizations’ cyber security leadership

• Finally, the electricity and gas sector’s unique interdependencies between physical and cyber infrastructure make companies vulnerable to exploitation

• The Power Sector is in transition. Global trends are creating an environment of disruption and driving the need for digital industrial software and services that allow the energy industry to become more efficient, reliable, secure, and sustainable.

• At the end of 2018, more than 456 commercial nuclear power reactors (>400 GW) were in operation, providing about 12 percent of the world’s electricity. More than 140 GW of new capacity are foreseen by 2025.

• Organizations in the sector are thus expanding their networks and making them more efficient and dedicated through increased digitalization. This implies an extension and a strengthening of SCADA and ICS systems.

 

In early May 2021, the Colonial Pipeline suffered a ransomware attack that forced it to shut down its entire network to prevent the malware from spreading.

Indeed, Colonial Pipeline, the largest oil pipeline in the United States, halted its operations after suffering what is believed to be a ransomware attack. Colonial Pipeline transports refined petroleum products between refineries on the Gulf Coast and markets in the southern and eastern United States. The company transports 2.5 million barrels per day through its 5,500-mile pipeline and supplies 45% of all fuel consumed on the East Coast.

  • Interestingly, the malware used by DarkSide does not seem to target CIS (Commonwealth of Independent States) countries and includes robust debugger and virtual-environment detection. The sample was found in multiple versions, using multiple packers, which may indicate that the attacker is running tests. One uncommon thing is that the URL of the stolen data is hard-coded in the ransom note, which indicates that the malware was compiled after the data was stolen.

  • High-profile attacks previously conducted by the DarkSide gang include CompuCom, Discount Car and Truck Rentals, Brookfield Residential, and Brazil’s Companhia Paranaense de Energia (Copel).

This attack demonstrates how a cybercriminal attack can affect the national security of a state. Indeed, the attack forced the company to shut down 5,500 miles of fuel lines, and led the Federal Motor Carrier Safety Administration (FMCSA) to issue a regional emergency declaration affecting 17 East Coast states and the District of Columbia.

In 2015, Ukraine also suffered a cyberattack with dramatic consequences for national security, causing a major electrical blackout in the west of the country. This incident is a landmark as it was the first successful cyberattack on a power grid. Hackers managed to access the systems of three energy distribution companies, forcing them to temporarily shut down their operations.

In order to describe the threat landscape, we need to distinguish between two major types of attacks:

  • Non-targeted attacks: Not Power Sector specific. They may target any general vulnerability in an IT and/or OT system. The main intention is to maximize spread across as many targets as possible. Often IT focused, via Internet / email, but also seen on OT / ICS equipment

  • Targeted attacks: Specialized on the target or the industry. Often tailored to infiltrate a specific type of equipment using tailored attack methods. Actors typically plan the attack extensively and in detail, have access to above-average resources and use previously unknown methods

• The relatively small user base of the OT local area control network and the lack of a direct connection to the Internet or email greatly diminish the attack surface available to ambitious cybercriminals compared to the much more exposed IT environment.

• This difference tends to push attackers to use the IT network as an easier attack vector into OT (indirect attack). Forensic analysis of some focused attacks on critical infrastructures shows that access to the control network was gained by first compromising the more exposed IT network

• The preferred attack vector is often a successful email phishing campaign that allows sophisticated malware to be installed, which later enables the harvesting of usernames, passwords and network architecture details

 

  • Industrial control systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems play a critical role in critical infrastructure and industrial sectors

  • The number of vulnerabilities discovered in industrial control system (ICS) products in 2020 (893 flaws) was 24.72% higher than in 2019 (716 flaws)

  • 449 vulnerabilities were disclosed affecting ICS products from 59 vendors in the second half of 2020. The situation is worrisome considering that more than 70 percent of the issues received a high or critical CVSS (Common Vulnerability Scoring System) score

  • The most affected critical infrastructure sectors in the second half of 2020 are manufacturing (194 vulnerabilities), energy (186), water and wastewater (111), and commercial facilities (108)

  • June 6, 2020: Disruption of Enel’s internal computer network

  • June 7, 2020: Confirmation of the attack. The incident is the work of the ransomware operators behind EKANS (SNAKE). Enel has not commented on the name of the ransomware used in the attack, but security researcher Milkream found a SNAKE / EKANS sample submitted to VirusTotal on 7 June that shows it is looking for the domain «enelint.global»

  • June 8, 2020: All connectivity has been safely restored

• EKANS is an obfuscated ransomware written in the Go programming language, first observed in late December 2019. Its activity is similar to MEGACORTEX version 2, which appeared in mid-2019

• It checks for the existence of a mutex value, «EKANS», on the victim

• If present, the ransomware will stop with an «already encrypted!» message; if absent, the encryption proceeds using standard encryption library functions

• The main functionality on victim systems is achieved via WMI (Windows Management Instrumentation) calls

• Before data encryption: EKANS stops processes whose names appear in a hard-coded list in the malware’s strings; the majority of the listed processes are databases, data backup solutions or ICS-related processes

• After that EKANS displays a ransom note

  • IT-focused ransomware could impact control system environments if it could migrate to Windows parts of control system networks, thus disrupting operations

  • EKANS modifies this narrative as ICS-specific functionality is directly referenced in the malware

  • Some of these processes may reside in typical corporate computer networks, such as:
          - Proficy servers or Microsoft SQL servers
          - GUI software

  • All of this indicates minimal knowledge of the processes and functionality of the control system environment
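As an added defender-side example (not code from the original page, from Enel, or from any vendor), the following Python script implements one detection heuristic for the pre-encryption behaviour described above: a single source process terminating several database, backup or ICS-related processes within a short window, which is what EKANS does before it encrypts. The `ts|action|src=...|target=...` event format, the field names, the file paths and the watchlist of process-name fragments are constructed assumptions for this example; the watchlist is not EKANS' actual hard-coded process list.

```python
"""Heuristic for EKANS-style pre-encryption behaviour (added example).

Consumes constructed process-termination events and flags any source
process that kills several sensitive services inside a short window.
The line format and field names are assumptions, not a real product's
log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed watchlist: fragments of process names for services that
# ransomware typically stops before encrypting (databases, backup agents,
# HMI/historian software).  Illustrative only, not EKANS' real list.
SENSITIVE_FRAGMENTS = ("sqlservr", "veeam", "backup", "proficy", "hmi", "historian")

WINDOW = timedelta(seconds=60)   # look-back window for counting kills
THRESHOLD = 3                    # distinct sensitive targets killed by one source


def is_sensitive(image: str) -> bool:
    """True if the executable name matches the watchlist (case-insensitive)."""
    name = image.rsplit("\\", 1)[-1].lower()
    return any(frag in name for frag in SENSITIVE_FRAGMENTS)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed event line into a dict (ts, action, src, target)."""
    ts, action, *pairs = line.strip().split("|")
    event = {"ts": ts, "action": action}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def detect(lines: List[str]) -> List[dict]:
    """Return one alert per source that kills >= THRESHOLD distinct sensitive
    processes within WINDOW; a single benign service restart never reaches it."""
    kills = defaultdict(list)  # source image -> [(time, target image)]
    for line in lines:
        ev = parse_event(line)
        if ev["action"] != "terminate" or not is_sensitive(ev["target"]):
            continue
        kills[ev["src"]].append((datetime.fromisoformat(ev["ts"]), ev["target"]))

    alerts = []
    for src, events in kills.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {tgt for t, tgt in events[i:] if t - start <= WINDOW}
            if len(targets) >= THRESHOLD:
                alerts.append({"source": src,
                               "first_seen": start.isoformat(),
                               "killed": sorted(targets)})
                break  # one alert per source is enough
    return alerts


# Constructed sample telemetry: an unknown binary kills four sensitive
# services in a few seconds (plus one unrelated process), and later the
# Windows service controller restarts SQL Server once, which is benign.
SAMPLE_LOG = [
    "2020-06-06T02:14:03|terminate|src=C:\\Users\\Public\\update.exe|target=C:\\Program Files\\Microsoft SQL Server\\sqlservr.exe",
    "2020-06-06T02:14:04|terminate|src=C:\\Users\\Public\\update.exe|target=C:\\Program Files\\Veeam\\VeeamBackupSvc.exe",
    "2020-06-06T02:14:05|terminate|src=C:\\Users\\Public\\update.exe|target=C:\\ICS\\Proficy\\ProficyHost.exe",
    "2020-06-06T02:14:06|terminate|src=C:\\Users\\Public\\update.exe|target=C:\\Windows\\notepad.exe",
    "2020-06-06T02:14:07|terminate|src=C:\\Users\\Public\\update.exe|target=C:\\ICS\\HMI\\HmiRuntime.exe",
    "2020-06-06T09:30:00|terminate|src=C:\\Windows\\System32\\services.exe|target=C:\\Program Files\\Microsoft SQL Server\\sqlservr.exe",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running the script on the constructed log produces exactly one alert, for `update.exe`, listing the four sensitive targets it killed; the single `sqlservr.exe` restart by `services.exe` stays below the threshold. In a real deployment the same logic would be fed from process-termination telemetry (for example an EDR or Sysmon feed), and the watchlist would be built from the organisation's own database, backup and ICS process inventory rather than from the constructed fragments used here.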

 


ATK41

> Alias

APT 10

APT10

...

> Suspected origin countries

China

> Suspected targeted countries

Belgium

China

...

> Target sectors

Aerospace

Defense

...

> Motivations

Espionage

ATK51

> Alias

MERCURY

MobhaM

...

> Suspected origin countries

Iran

> Suspected targeted countries

Austria

Azerbaijan

...

> Target sectors

Defense

Education

...

> Motivations

Espionage

ATK14

> Alias

Black Energy

BlackEnergy

...

> Suspected origin countries

Russia

> Suspected targeted countries

Estonia

France

...

> Target sectors

Energy

Government and administration agencies

...

> Motivations

Espionage

Sabotage

ATK117

> Alias

APT 38

APT38

...

> Suspected origin countries

North Korea

> Suspected targeted countries

Bangladesh

Brazil

...

> Target sectors

Aerospace

Energy

...

> Motivations

Financial Gain

ATK3

> Alias

COVELLITE

Hidden Cobra

...

> Suspected origin countries

North Korea

> Suspected targeted countries

Korea, Republic of

United States Of America

> Target sectors

Aerospace

Energy

...

> Motivations

ATK88

> Alias

FIN6

ITG08

...

> Suspected origin countries

Unknown

> Suspected targeted countries

United States Of America

> Target sectors

Energy

Financial Services

...

> Motivations

Financial Gain

ATK6

> Alias

Crouching Yeti

CrouchingYeti

...

> Suspected origin countries

Russia

> Suspected targeted countries

Belgium

Canada

...

> Target sectors

Aviation

Defense

...

> Motivations

Espionage

ATK89

> Alias

Extreme Jackal

Gaza Hackers Team

...

> Suspected origin countries

State of Palestine

> Suspected targeted countries

Afghanistan

Algeria

...

> Target sectors

Aerospace

Defense

...

> Motivations

Ideology

ATK4

> Alias

APT 37

APT37

...

> Suspected origin countries

North Korea

> Suspected targeted countries

China

Nepal

...

> Target sectors

Aerospace

Chemicals

...

> Motivations

Espionage

ATK116

> Alias

Cloud Atlas

Inception group

> Suspected origin countries

> Suspected targeted countries

Afghanistan

Armenia

...

> Target sectors

Aerospace

Energy

...

> Motivations

Espionage

ATK5

> Alias

APT 28

APT28

...

> Suspected origin countries

Russia

> Suspected targeted countries

Afghanistan

Armenia

...

> Target sectors

Aerospace

Defense

...

> Motivations

Espionage

Political Manipulation

ATK23

> Alias

Dagger Panda

Ice Fog

...

> Suspected origin countries

China

> Suspected targeted countries

Australia

Austria

...

> Target sectors

Aerospace

Defense

...

> Motivations

Espionage

ATK91

> Alias

TEMP.Veles

TRITON group

...

> Suspected origin countries

Russia

> Suspected targeted countries

Saudi Arabia

> Target sectors

Energy

> Motivations

Espionage

Sabotage

ATK35

> Alias

APT 33

APT33

...

> Suspected origin countries

Iran

> Suspected targeted countries

Iran, Islamic Republic Of

Iraq

...

> Target sectors

Aerospace

Aviation

...

> Motivations

Espionage

ATK32

> Alias

FIN7

GOLD NIAGARA

...

> Suspected origin countries

Ukraine

Russia

> Suspected targeted countries

Australia

France

...

> Target sectors

Casino & Gaming

Communication

...

> Motivations

Financial Gain

ATK103

> Alias

GOLD TAHOE

GRACEFUL SPIDER

...

> Suspected origin countries

> Suspected targeted countries

Canada

Chile

...

> Target sectors

Education

Energy

...

> Motivations

Financial Gain

ATK11

> Alias

APT-C-09

Chinastrats

...

> Suspected origin countries

India

> Suspected targeted countries

Bangladesh

China

...

> Target sectors

Aviation

Embassies

...

> Motivations

Espionage

Information theft

ATK120

> Alias

Cobalt Lyceum

HEXANE

> Suspected origin countries

Unknown

> Suspected targeted countries

Kuwait

South Africa

> Target sectors

Energy

> Motivations

Sabotage

ATK40

> Alias

APT 34

APT34

...

> Suspected origin countries

Iran

> Suspected targeted countries

Azerbaijan

Mauritius

...

> Target sectors

Aerospace

Aviation

...

> Motivations

Espionage