The Mothership: Critical Vulnerabilities in the Smart Grid

In the past decade, our traditional electrical power grids have slowly evolved toward technology-enabled smart grid architectures.  A smart grid integrates traditional electrical power grids with information and communication technologies that empower electrical utilities providers and consumers and improve the efficiency and the availability of the power system while constantly monitoring, controlling and managing the demands of customers. 

These networks become large and complicated by the composition of traditional network infrastructure integrated with IoT SCADA sensors and devices, resulting in increased monitoring and management challenges and lots of security concerns and vulnerabilities. Most of our traditional power systems also coexist alongside and often converge with legacy IT systems, heavily burdened with technical debt, guaranteeing that outdated equipment is still in service, completely incompatible with smart power system devices and highly vulnerable to cyberattacks.

Leveraging Digitization for Leadership Advantage

The need for convergence is driven by efficiencies in integrated data pathways into ERP IT systems, so that maintenance, billing, order fulfillment, inventory and supply chain management can be optimized for performance and timeliness.

In addition, many IT organizations now use a hybrid cloud combining public cloud services with on-premises server infrastructure. As both the public network infrastructure and the public cloud become more reliable, more and more storage and compute is outsourced to third-party public cloud service providers.

Soon, edge computing will dominate planning and execution around factory automation so that integrated systems can be optimized even further and all companies can leverage digitization opportunities to market leadership advantage.

Ransomware, Phishing and RCEs

Large-scale ransomware attacks such as WannaCry or NotPetya and targeted attacks on critical infrastructure at Colonial Pipeline and JBS Foods are becoming increasingly common. ICS environments and their administrators are now prime targets based on their easily leveraged vulnerabilities and their connections to their IT network and back office systems.

An RCE (Remote Code Execution) is the ability to trigger an arbitrary code execution over a network (like the internet) and is achieved through control over the instruction pointer of a running process. Since the instruction pointer points to the next instruction in the process that will be executed, the ability to change the value of the instruction pointer gives control over which instruction is executed next.

In addition to phishing and code-based attacks, RCEs are a popular attack vector because the bad guys easily bridge over the execution of a privilege escalation exploit which gives them cover from normal monitored visibility and complete administrative privileges over the system under attack.

Losing Control of the Grid

The last critical CVSS that opened a gateway for an RCE that led to a large, and damaging (reported) breach was the unpatched Apache Struts vulnerability at Equifax. It’s one thing to lose 145.5 million records.

It is entirely another to lose control of the whole energy grid.

The Vulnerability that Haunts Your Nightmares

PrintNightmare (CVE-2021-1675) is a current nightmarish vulnerability that allows an attacker with a regular user account to take over a server running the Windows Print Spooler service. This service runs by default on all Windows servers and clients, including domain controllers, in an Active Directory environment.

The effect is that an attacker with a regular domain account can take over an organization’s entire Active Directory.

An example of the severity of the threat and the complexity involved in repairing it in our increasingly complex environments, is that although CVE-2021-1675 was supposedly patched on June 8th of last month, the PrintNightmare exploit still works on a fully patched domain controller.

Latest Headline: Microsoft

We continue to warn that Microsoft, simply due to the immense volume of layered code and complexity of the interactions among functionality, will remain the primary threat headline going forward.

Microsoft is the story in cybersecurity.

The Killers of Cyber Defense

This is not a theoretical or abstract threat and if you were an attacker, there are lots of ways to design an exploit. One way is to leverage recent advances in the development of swarm-based intelligence technologies. Two years ago, scientists announced a new methodology that uses natural swarm behaviors to control clusters of nano-robots. These robots can be orchestrated to perform precise structural changes in real-time enabling a high degree of network and system re-configurability on the fly.

Configuration drift is one of the deadly killers in cyber defense. Imagine it happening in real-time upon execution.

The resulting swarmbots can be directed to act collaboratively and autonomously to discover zero-day vulnerabilities in physical system interfaces and to train security devices and software to intentionally overlook certain threats.

Like attacks on energy grids, for example.

Swarms of Evil Robots for Sale

Dark web black market versions are readily available in Swarm-as-a-Service configurations that are designed to use machine learning to break into a specific device or network, perform AI fuzzing to detect exploit points like unpatched code vulnerabilities, and move laterally across networks expanding the attack surface while collecting and exfiltrating specific data targets.

And yes, there are swarms specifically designed to cross the cyber/physical device divide to take control of a target’s physical as well as networked system and virtual resources.

That Sounds Bad, But What Can I Do About It?

But you, like many, may find that threats to our energy infrastructure are too arcane or just implausible or impossible to relate to as in “OK, that’s bad, but what am I supposed to do about it?” Then instead, let’s focus for a minute on the RCE itself and how plausible a threat it represents to our closer-to-home enterprise infrastructure where there are actually well-defined things we can and should be doing about it.

Two years ago, RCE vulnerabilities dominated Google’s Android Security Bulletin. The vulnerabilities were part of 53 unique bugs that had been patched by the Android security team, including 11 critical (CVSS 10) vulnerabilities – six of which were RCE flaws tied to the operating system’s Media Framework and System components. Any enterprise with a BYOD policy is vulnerable to an Android RCE exploit in the same way that Equifax’s Apache Strut was exposed.

If, now that folks are returning to physical office spaces, they are bringing their Android phones into the computing environment, organizations are expanding their threat landscape dramatically.

An Unexpected Updated

At around the same time, Microsoft went out of its swim lane and released an emergency patch for an RCE vulnerability in Internet Explorer (IE) on a Wednesday instead of its usual Tuesday patch day. That is a big signal, all by itself.

That vulnerability (CVE-2018-8653) allowed an attacker to take complete control over a machine thanks to the way in which the scripting engine handles objects in memory. It allows an attacker to gain the same user rights as the current user and take complete control of the system, install programs, view, change or delete data, and create new accounts with full user rights.

It Gets Better

In a web-based attack scenario, an attacker could host a website designed to exploit the vulnerability through IE and then convince a user to view the website by sending an email. The threat is alive in version 9 or 11 or Windows 7-10 or Windows Server versions 2008, 2012, 2016, or 2019.

Enterprises who have not applied the patches are exposed, even today.

Linux users are not immune either.

Loads of Linux Vulnerabilities

Researchers continue to discover loads of RCE vulnerabilities in the Linux operating system, related to its failure to properly handle certain parameters involved in HTTP redirects. It is triggered via a man-in-the-middle attack or a malicious package mirror, resulting in an RCE gateway and a system takeover in exactly the same way that the IE/Windows flaws provide.

How important is that?

Most ICS systems run on Linux.

There are reams of additional examples of RCE vulnerabilities sprinkled throughout our computing environments and enterprise networks, and not unlike their counterparts in the smart and IoT-laden energy grids, unpatched exposures remain high-value exploit targets for attackers.

Fundamentals Out the Window

I have argued long and hard for basic hygiene as a fundamental information security assurance protocol, and while some progress has been made, we are nowhere near doing what is necessary to prevent cyberattacks. Instead of ratcheting up the speed with which we address applying patches to known vulnerabilities, we are ratcheting up the threats instead by continuing to expand our target landscapes.

We encourage BYOD programs, install insecure IoT devices, leverage insecure open-source software and spend an inordinate amount of time evaluating the latest end-point protection products, while leaving our end-points open to the latest vulnerabilities. While we do all this, the bad guys spend much of their time monitoring CVSS announcements and devising new and improved exploits and threat vectors.

Running the Wrong Way

Instead of a race for cybersecurity superiority in which some politicians seem to believe we are presently engaged, we appear to be running as fast as we can, but in the opposite direction.

Up Next?

SCADA and ICS in critical infrastructure and systems controlling water, agriculture, communications, transportation, energy, electricity, oil and gas, and military logistics.

We can go for a while without food and air conditioning, hot water and natural gas, but 4 days without water and the ship sails.

Read more: