US Power Grids, Oil and Gas Industries, and Risk of Hacking

A report released in June, from the security firm Dragos, describes a worrisome development by a hacker group named, “Xenotime” and at least two dangerous oil and gas intrusions and ongoing reconnaissance on United States power grids.

Multiple ICS (Industrial Control Sectors) sectors now face the XENOTIME threat; this means individual verticals – such as oil and gas, manufacturing, or electric – cannot ignore threats to other ICS entities because they are not specifically targeted.

The Dragos researchers have termed this threat proliferation as the world’s most dangerous cyberthreat since an event in 2017 where Xenotime had caused a serious operational outage at a crucial site in the Middle East. 

The fact that concerns cybersecurity experts the most is that this hacking attack was a malware that chose to target the facility safety processes (SIS – safety instrumentation system).

For example, when temperatures in a reactor increase to an unsafe level, an SIS will automatically start a cooling process or immediately close a valve to prevent a safety accident. The SIS safety stems are both hardware and software that combine to protect facilities from life threatening accidents.

At this point, no one is sure who is behind Xenotime. Russia has been connected to one of the critical infrastructure attacks in the Ukraine.  That attack was viewed to be the first hacker related power grid outage.

This is a “Cause for Concern” post that was published by Dragos on June 14, 2019. 

“While none of the electric utility targeting events has resulted in a known, successful intrusion into victim organizations to date, the persistent attempts, and expansion in scope is cause for definite concern. XENOTIME has successfully compromised several oil and gas environments which demonstrates its ability to do so in other verticals. Specifically, XENOTIME remains one of only four threats (along with ELECTRUM, Sandworm, and the entities responsible for Stuxnet) to execute a deliberate disruptive or destructive attack.

XENOTIME is the only known entity to specifically target safety instrumented systems (SIS) for disruptive or destructive purposes. Electric utility environments are significantly different from oil and gas operations in several aspects, but electric operations still have safety and protection equipment that could be targeted with similar tradecraft. XENOTIME expressing consistent, direct interest in electric utility operations is a cause for deep concern given this adversary’s willingness to compromise process safety – and thus integrity – to fulfill its mission.

XENOTIME’s expansion to another industry vertical is emblematic of an increasingly hostile industrial threat landscape. Most observed XENOTIME activity focuses on initial information gathering and access operations necessary for follow-on ICS intrusion operations. As seen in long-running state-sponsored intrusions into US, UK, and other electric infrastructure, entities are increasingly interested in the fundamentals of ICS operations and displaying all the hallmarks associated with information and access acquisition necessary to conduct future attacks. While Dragos sees no evidence at this time indicating that XENOTIME (or any other activity group, such as ELECTRUM or ALLANITE) is capable of executing a prolonged disruptive or destructive event on electric utility operations, observed activity strongly signals adversary interest in meeting the prerequisites for doing so.”

Process Control - Annunciator Panel as Cyber Defense Measure

Standalone Annunciator Panel
Ronan Engineering Company

There are numerous applications for annunciator panels, stations, and equipment throughout the various industrial markets. One such application, arising and growing with the connectivity of industrial control systems to the internet, is in the cyber defense arena.

Industrial control systems are increasingly internet connected, making them vulnerable to cyber attack. There was a time when all that was necessary for plant or operation security was installing a perimeter fence around the property and posting a guard at the gate. Our industrial control systems are now subject to mischief or malicious attack from locations and parties unknowable and worldwide.

Do you know of ICS-CERT? If involved in industrial control, you should. It is the Industrial Control Systems Cyber Emergency Response Team, a part of the Department of Homeland Security that provides operational capabilities to defend control systems against cyber threats. You can follow them on Twitter, @ICS-CERT, and monitor the vulnerabilities and threats that they discover in the industrial control sphere. New items are added almost daily, naming specific vulnerabilities uncovered in named systems and equipment. Chances are that you will discover some of the equipment in your plant listed.

Annunicator systems and equipment can be employed as an isolated "watcher", monitoring process performance and providing alerts when conditions exceed specified limits.

A major impact of a potential cyber attack scenario is that, as operator, you can no longer fully trust what your software based internet connected control system is telling you, or whether it is doing everything it should and only those things that it should. An annunciator system, isolated from the primary control system and the internet, monitoring critical process conditions, incorporates a substantial level of safety against cyber attack.

There is more to be learned. Browse the document included below for a detailed visual demonstrating the set up of annunciators that can be isolated from your network. Share your process control challenges with specialists, and combine your process and facility knowledge with their product application expertise to develop effective solutions. And start following @ICS-CERT on Twitter and build your awareness and knowledge of industrial control cyber threats. 

Cyber Defense - Annunciators as watcher for critical process applications from MSJacobs-Cali