Power Industry / Incident Response Case Study
The Story
Much like other power generation organizations, the Company’s technology environment consisted of an operational network and a dedicated network for the information technology functions. At each site the two networks were separated either by physical firewalls that blocked traffic between them or by VLAN segmentation.
However, proper segmentation was not fully implemented across all the remote sites, and holistic cybersecurity protections were not applied uniformly across them. Several sites consequently lacked critical layers of protection and also housed antiquated operating systems. The organization did implement proper protections and monitoring at the headquarters site, but its recent acquisition of several remote facilities left a gap in visibility that later proved critical in the impending incident.
The Problem
Directly after acquiring the smaller independent power production facilities, the parent organization set out to audit the IT networks at those facilities. The audit had three main goals: to assess security, functionality, and compliance at the independent sites. It produced multiple egregious findings that did not conform to NERC-CIP standards: several systems were running outdated and unsupported operating systems, personnel performing maintenance activities had not been properly vetted, vulnerability remediation was not taking place, and, most importantly, the IT environments were not properly segmented from the operational networks.
The findings were taken to the board room at the parent company, which began to schedule and budget for the necessary changes. However, immediately linking the smaller and more vulnerable networks to the parent company’s network was not an option because of the risk they posed. Remediation would be a multi-year and very costly journey requiring several million dollars and sufficient resources, so the parent organization decided to postpone the major remediation and re-architecture work until the next fiscal year, when the supporting budget would be available.
The Incident
Between 1 a.m. and 7 a.m., the plant manager at one of the remote sites called the parent organization to report a malfunctioning system on the corporate network. The user had not been using the system at the time, but on returning to the corporate desktop found it running a program in a black window that looked like a command prompt. When that window closed, the system became extremely slow.
The on-site system administrator noticed several items on the user’s desktop that did not belong. One was a link to a social media page that, when clicked, led to the account of a person who did not work for the company. In addition, several programs were running on the system that neither the administrator nor the user had installed.
At this point the system was deemed suspicious and the parent organization was called. The call was transferred from the parent company to an incident response team member, and triage began.
10 a.m. EST: The system was moved onto a standalone cellular network, and the incident responder captured a forensic image to preserve evidence before logging into the system.
10:45 a.m. EST: The incident response team noted that the system was connecting out to a known malicious command and control (C2) server in the US Virgin Islands. The traffic appeared to traverse HTTPS, and the communication stream was encrypted.
1 p.m. EST: Investigation of the system eventually uncovered several pieces of malware that had no active signatures in known anti-malware databases, meaning the malware was either new or specifically obfuscated for stealth.
2 p.m. EST: The incident response team also performed reconnaissance of the corporate network, which revealed improper segmentation between the corporate (IT) network and the adjacent control network. The control network was the bridge to the power generation systems and was completely open to traversal from the compromised corporate network.
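The responders above found the C2 channel by noticing repeated encrypted outbound connections to one unknown external host. That pattern can be hunted for automatically in firewall or proxy logs. The script below is an added example, not part of the original case study or the firm's tooling: it assumes a constructed log format of `timestamp,src_ip,dst_ip,dst_port` lines, a constructed allow-list of known destinations, and flags any workstation that contacts a non-internal address on 443 at regular intervals, since malware beacons tend to be far more periodic than human browsing.

```python
"""Beacon detection over outbound HTTPS connection logs (added example).

Assumes constructed firewall/proxy logs in the form
timestamp,src_ip,dst_ip,dst_port and flags (src, dst) pairs whose
connection gaps are unusually regular.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample log lines: one workstation beaconing every ~300 s to a
# single external address, mixed with ordinary traffic to a known SaaS host
# and an internal SMB connection from another host.
SAMPLE_LOG = """\
2023-03-01T01:02:10,10.20.5.17,203.0.113.45,443
2023-03-01T01:02:41,10.20.5.17,198.51.100.10,443
2023-03-01T01:07:11,10.20.5.17,203.0.113.45,443
2023-03-01T01:09:03,10.20.5.17,198.51.100.10,443
2023-03-01T01:12:09,10.20.5.17,203.0.113.45,443
2023-03-01T01:17:12,10.20.5.17,203.0.113.45,443
2023-03-01T01:22:10,10.20.5.17,203.0.113.45,443
2023-03-01T01:31:58,10.20.5.17,198.51.100.10,443
2023-03-01T01:40:00,10.20.5.22,10.20.1.5,445
"""

# Constructed allow-list of destinations the organization expects to see.
KNOWN_GOOD = {"198.51.100.10"}

# RFC 1918 ranges; anything outside them is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True if addr falls inside one of the organization's internal ranges."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse 'timestamp,src,dst,port' lines into (datetime, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split(",")
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_beacons(records, min_hits=4, max_jitter=0.2, port=443):
    """Return [(src, dst, hits, mean_gap_seconds, cv)] for suspicious pairs.

    A pair is suspicious when the source reaches an external, non-allow-listed
    address on `port` at least `min_hits` times and the gaps between
    connections are regular: coefficient of variation (stdev / mean) at or
    below `max_jitter`.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, p in records:
        if p != port or dst in KNOWN_GOOD or is_internal(dst):
            continue
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_jitter:
            findings.append((src, dst, len(times), round(avg, 1), round(cv, 3)))
    return findings


if __name__ == "__main__":
    for src, dst, hits, avg, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {hits} connections, every ~{avg}s (cv={cv})")
```

Run against the constructed sample, the script reports only the 10.20.5.17 to 203.0.113.45 pair (five connections roughly 300 seconds apart); the allow-listed SaaS traffic and the internal SMB connection are ignored. In a real deployment the allow-list and internal ranges come from the asset inventory, and the thresholds are tuned against a baseline of normal traffic before alerting is turned on.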
The incident response team soon learned that the infection had taken place only 12 hours earlier, when an employee opened a malicious email attachment containing a link to a malware distribution site. The nature of the phishing email made clear that the attackers had specifically targeted the facility: it carried the legitimate signature of a corporate employee, and the sender address was spoofed to appear as though the email originated at the remote site.
The malware quickly exploited the workstation on which it was opened, thanks to a combination of poor vulnerability management and inadequate protections at the desktop level. The attackers compromised 4 other workstations in the environment before an employee detected them. Because the organization lacked strong vulnerability and patch management practices, it was left open to such attacks.
The Solution
The incident response team spent more than two weeks sifting through logs, examining systems, interviewing staff members, and formulating a report. The engagement affected the organization significantly, costing it tens of thousands of dollars in lost employee time, incident response fees, and subsequent mitigation.
This case study confirms what we already know: the critical infrastructure industry is under heavy attack from both domestic and foreign adversaries. Many independent power producers, energy brokers, and distribution entities are prime targets and remain vulnerable to such attacks.
By implementing the following cybersecurity services, as this customer did, organizations can significantly improve their cybersecurity posture and bolster defenses against such attacks.
Nodeware™: conducts continuous asset inventory of all systems and software, alerts on new devices, and performs continuous vulnerability scanning and discovery of system and software security flaws.
IGI Penetration Testing and Vulnerability Assessments: IGI’s Penetration Testing team performs ethical hacking for organizations to identify risks that could result in a data breach or cybersecurity incident.
IGI Incident Response Services: IGI offers cyber-incident response services in the event that an organization is compromised, ensuring a quick response by an effective, trained, and prepared team.
IGI Proactive Compromise Assessments: for organizations that are unsure whether they have been compromised. This service is geared to organizations that may be experiencing strange or suspicious events that need to be addressed.
IGI Virtual CISO Services: IGI offers virtual Chief Information Security Officer services to a wide array of industries. These services help keep cybersecurity initiatives proactive, achieve compliance with NERC-CIP, and build a strong, resilient cybersecurity posture.
*The identity of the client has been redacted to ensure their privacy and keep them secure.