By Heather Douglas
Another month, another attack, attributed to Russian hackers, on an electricity control centre in Kiev, Ukraine, which plunged parts of the city into darkness. Some experts suggest these attacks are trial balloons: the attackers perfect their methodology against one country's critical infrastructure so it can later be replicated against other vulnerable power grids, midstream processing assets, pipeline infrastructure, and refineries around the world.
If Western Canada's electrical grid or midstream infrastructure were ever attacked, few would be surprised at the health, safety, and environment (HSE) damage it could cause, especially given the large number of plants processing sour gas.
Security researchers at CrowdStrike, an endpoint-protection and threat-intelligence company founded in 2011 and located in Irvine, CA, believe the hackers sent malware by email to employees at Kiev's control centres, which allowed them to steal login credentials and shut down the substations. Eight control rooms were attacked and two were vulnerable enough to be knocked out.
The researchers say the “attack took out 200 megawatts of capacity — about 20 per cent of the city’s nighttime consumption.”
The intruders also sabotaged operator workstations on their way out the digital door to make it harder to restore electricity to customers. The lights came back on in three hours in most cases, but because the hackers had sabotaged management systems, workers had to travel to substations to manually close breakers the hackers had remotely opened.
CrowdStrike reports that "an eerily similar incident" hit the Ivano-Frankivsk region in Ukraine in December 2015. It is widely regarded as the first confirmed cyberattack to cause a power outage.
Details are scarce, but the attackers likely froze the data shown on operator screens, preventing the displays from updating as conditions changed and making operators believe power was still flowing when it wasn't. To prolong the outage, they also evidently launched a telephone denial-of-service attack against the utility's call centre: the centre's phone system was flooded with bogus calls so that legitimate customers could not get through to report the outage.
Power Grids at Risk
This could easily be duplicated on Canada's power grid if a piece of malware infected any electricity generation control room. Not only would this plunge several million people into darkness, but it would also disrupt water distribution and sewage disposal, shut down ATMs, gas pumps, and elevators, and knock out telecommunications and city transit.
What's interesting is that the black market in Internet of Things (IoT) botnets, networks of private devices infected with malicious software and controlled as a group without the owners' knowledge, is now active, growing, and up for grabs. Bots have been blamed for internet failures across large areas of the U.S. east coast (in October 2016) and for telephone and internet outages to almost a million Deutsche Telekom customers in Germany (in late November 2016) during a failed attempt to recruit the company's routers into a botnet.
Experts now say the hackers appear to be trying to swell the ranks of their botnet armies and to offer their services for a fee, which could make future attacks far more serious. They estimate the number of devices enrolled in IoT botnets could be as high as half a million. In February, Forbes Magazine reported that a hundred thousand compromised devices could be rented for a mere $7,500 (U.S.).
In late February, another pair of hackers advertised their botnet-for-sale for $3,000 to $4,000 (U.S.) and claimed to have “400,000 devices at the client’s disposal for an attack.” According to their ad, a customer must rent “their desired quantity of bots” for a minimum of two weeks. The price is determined by: the number of bots (more bots = more $$s), attack duration (longer = more $$s), and cool-down time (longer = discount $$s).
When questioned, the hackers defined the "DDoS cool-down" as the pause between consecutive distributed denial-of-service (DDoS) waves, "to avoid maxing out connections, filling and wasting bandwidth, but also preventing devices from pinging out and disconnecting during prolonged attack waves."
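The wave-plus-cool-down pacing described above leaves a recognisable signature in a target's connection logs, and a defender sizing the threat wants to measure it rather than guess at it. The following is an added example, not code from the article or from any vendor named in it: it bins connection attempts into fixed windows, flags windows above a hypothetical threshold, merges consecutive flagged windows into attack waves, and reports the cool-down gap between waves. The log format (an ISO timestamp and a source address per line), the thresholds, and the sample log itself are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)  # reference point for window bucketing (timezone-free)


def parse_line(line: str):
    """Parse one constructed log line of the form '<ISO timestamp> <source IP>'."""
    ts, src = line.split()
    return datetime.fromisoformat(ts), src


def build_sample_log():
    """Constructed sample log (not a real capture): 20 minutes of baseline traffic
    from five hosts, plus two 4-minute floods from 300 bots separated by a
    2-minute cool-down, mimicking the rented-botnet pacing described in the text."""
    t0 = datetime(2017, 2, 20, 1, 0, 0)
    lines = []
    for m in range(20):                       # baseline: 5 connections per minute
        for i in range(5):
            ts = t0 + timedelta(minutes=m, seconds=i * 10)
            lines.append(f"{ts.isoformat()} 10.0.0.{i + 1}")
    for wave_start in (4, 10):                # two waves: minutes 4-7 and 10-13
        for m in range(wave_start, wave_start + 4):
            for i in range(300):              # 300 distinct bot addresses per minute
                ts = t0 + timedelta(minutes=m, seconds=i % 60)
                bot = f"192.0.2.{i + 1}" if i < 250 else f"198.51.100.{i - 249}"
                lines.append(f"{ts.isoformat()} {bot}")
    return lines


def detect_waves(lines, window_seconds=60, threshold=100):
    """Return (waves, cooldowns). A wave is a run of consecutive windows whose
    connection count reaches `threshold`; cooldowns are the gaps between waves."""
    counts = defaultdict(int)      # window start -> connection count
    sources = defaultdict(set)     # window start -> distinct source addresses
    window = timedelta(seconds=window_seconds)
    for line in lines:
        ts, src = parse_line(line)
        idx = int((ts - EPOCH).total_seconds()) // window_seconds
        start = EPOCH + timedelta(seconds=idx * window_seconds)
        counts[start] += 1
        sources[start].add(src)

    waves = []
    for start in sorted(b for b in counts if counts[b] >= threshold):
        if waves and waves[-1]["end"] == start:       # contiguous with previous wave
            waves[-1]["end"] = start + window
            waves[-1]["sources"] |= sources[start]
            waves[-1]["connections"] += counts[start]
        else:
            waves.append({"start": start, "end": start + window,
                          "sources": set(sources[start]),
                          "connections": counts[start]})
    cooldowns = [nxt["start"] - cur["end"] for cur, nxt in zip(waves, waves[1:])]
    return waves, cooldowns


def wave_report(lines, **kwargs):
    """Plain-data summary suitable for an alert: per wave (start, minutes,
    distinct sources, connections), plus the cool-down lengths in minutes."""
    waves, cooldowns = detect_waves(lines, **kwargs)
    report = [(w["start"].isoformat(),
               int((w["end"] - w["start"]).total_seconds() // 60),
               len(w["sources"]), w["connections"]) for w in waves]
    gaps = [int(c.total_seconds() // 60) for c in cooldowns]
    return report, gaps


if __name__ == "__main__":
    waves, gaps = wave_report(build_sample_log())
    for start, minutes, srcs, conns in waves:
        print(f"wave at {start}: {minutes} min, {srcs} sources, {conns} connections")
    print("cool-downs (minutes):", gaps)
```

The threshold is the part to tune: it should sit well above the site's normal per-window peak so that the baseline minutes are never merged into a wave, and the distinct-source count per wave is the figure to compare against the "50,000 bots" style of claim in a seller's advert.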
Midstream Assets + Pipelines Vulnerable
A number of midstream companies have quietly fretted about their vulnerabilities. Many of the gas plants in Western Canada are run on older hardware that is less secure and could be compromised or overwhelmed by a sophisticated botnet. "The problem is we've taken this old infrastructure and only upgraded the computer technology…but the actual assets are old."
Some midstreamers are skeptical that many control rooms would withstand an attack duration of one hour plus a five to 10-minute cool-down from 50,000 bots. They also worry about potential damage to operator workstations, post-attack, which could make it harder to bring the compressors, tie-ins, and producing wells back on-line.
They are also apprehensive that sabotaged control software could be used to blow up natural gas pipelines and disrupt the North American supply. This is said to have happened in Siberia in the 1980s, when software meant to run the pumps, turbines, and valves was programmed to go haywire and, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds. The account comes from a former U.S. official's memoir and has never been independently confirmed.
Ironic, isn't it, that something being pioneered by Russian hackers is gaining momentum in the rest of the world? One wonders how much it would cost to rent the number of bots needed to take out the Canadian natural gas industry.
#hackers #Midstream #technology #naturalgas #industry #powergrid #DDoS #CrowdStrike #Siberia