US cybersecurity specialist Mandiant has demonstrated hacking into a North American electricity utility and switching off one of its smart meters.
The simulation, conducted as a red team exercise at the unidentified utility, illustrates how sophisticated attackers could breach and gain control of a utility's smart grid, or in technical terms gain access to the operational technology (OT) systems via the corporate IT environment.
In this case a single meter was disconnected, but the same access gave the opportunity to disconnect many more at the same time.
In a discussion of the demonstration, Mandiant researchers say they leveraged “weaknesses in people, process and technology” to gain remote access from the public internet and to then work through the systems to achieve their objective.
The initial foothold in the IT network was gained by spear phishing, with two scenarios deployed: an embedded link to a malicious file hosted on a Mandiant-owned internet domain, and an email attachment consisting of an MS Office document with auto-executing code.
With code execution on a user workstation, an unattributable communication path could be established to an external Mandiant command and control (C2) server.
Publicly available hacking tools were then used to escalate privileges and obtain domain administrator-level access. This in turn allowed command and control to be established over selected user workstations, enabling keystroke capture, logins to file shares, and extraction of network documents and configurations.
Once in the OT network, the researchers identified communication paths and a server managing software patches, from which they could move to the meter control infrastructure and issue a disconnect command.
The researchers point out that, like real-world threat actors, they dedicated significant effort to internal reconnaissance in the IT network to map its architecture and identify people, processes or technologies as targets.
“The information we acquire helps us to (a) define paths to propagate from the IT to the OT network and (b) achieve our final objective in the OT network without raising alarms,” they write.
They also followed a real attacker’s cost-benefit analysis to determine which sources or methods were most likely to help in obtaining that information.
Although specific capabilities such as malware and tooling vary amongst incidents, internal reconnaissance and network propagation are consistently needed for sophisticated adversaries to expand remote operations from external networks to OT systems, the researchers write.
“Focusing collection, detection and hunting efforts on assets or information that are likely to be compromised during these phases presents defenders with strategic opportunities to hunt for and detect targeted adversary activity before it poses a risk to control systems.”
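As an added illustration of the hunting approach the researchers describe, the script below looks for the reconnaissance pattern from the exercise (one workstation logging in to many file shares and pulling network documents and configurations) in file-share access events. It is not Mandiant's tooling: the pipe-delimited event format (loosely based on the fields of Windows Security event 5140), the one-hour window, the thresholds, the keyword list and the sample events are all assumptions constructed for the example.

```python
"""Hunt for internal-reconnaissance patterns in file-share access events.

Added example; not Mandiant's tooling. Assumes a simplified pipe-delimited
event format derived from Windows Security event 5140 (network share object
accessed): timestamp|account|source_ip|server|share|relative_path.
The window, thresholds and keyword list are hypothetical and would be tuned
per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # hypothetical: how fast a human "browses" the network
MAX_DISTINCT_SERVERS = 5      # hypothetical: distinct file servers per window
MAX_DISTINCT_SHARES = 8       # hypothetical: distinct shares per window
# Hypothetical keywords for the material the article says was extracted
# (network documents and configurations) plus meter-related documents.
SENSITIVE_HINTS = ("config", "network", "diagram", "password", "meter", "headend")

# Constructed sample data: one ordinary user, one backup service account that
# touches many servers slowly, and one workstation enumerating shares the way
# the red team describes.
SAMPLE_EVENTS = r"""
2024-03-04T08:02:11|CORP\alice|10.1.1.20|hr-fs01|HR|\policies\leave.docx
2024-03-04T08:40:05|CORP\alice|10.1.1.20|hr-fs01|HR|\policies\travel.docx
2024-03-04T13:15:42|CORP\alice|10.1.1.20|hr-fs01|HR|\forms\expense.xlsx
2024-03-04T00:00:09|CORP\svc-backup|10.1.9.5|hr-fs01|HR|\backup-manifest.txt
2024-03-04T02:00:09|CORP\svc-backup|10.1.9.5|eng-fs01|Engineering|\backup-manifest.txt
2024-03-04T04:00:09|CORP\svc-backup|10.1.9.5|fin-fs01|Finance|\backup-manifest.txt
2024-03-04T06:00:09|CORP\svc-backup|10.1.9.5|it-fs01|IT|\backup-manifest.txt
2024-03-04T08:00:09|CORP\svc-backup|10.1.9.5|ops-fs01|Operations|\backup-manifest.txt
2024-03-04T10:00:09|CORP\svc-backup|10.1.9.5|mgmt-fs01|Management|\backup-manifest.txt
2024-03-04T14:03:17|CORP\bob|10.1.1.45|hr-fs01|HR|\org-chart.pdf
2024-03-04T14:05:51|CORP\bob|10.1.1.45|it-fs01|IT|\inventory\servers.xlsx
2024-03-04T14:06:30|CORP\bob|10.1.1.45|it-fs01|Scripts|\deploy\setup.ps1
2024-03-04T14:11:02|CORP\bob|10.1.1.45|eng-fs01|Engineering|\network-diagrams\plant-vlans.vsdx
2024-03-04T14:12:44|CORP\bob|10.1.1.45|eng-fs01|Projects|\substation\readme.txt
2024-03-04T14:19:08|CORP\bob|10.1.1.45|ops-fs01|Operations|\procedures\meter-disconnect.docx
2024-03-04T14:25:33|CORP\bob|10.1.1.45|ops-fs01|Vendors|\ami\headend-config.xml
2024-03-04T14:31:19|CORP\bob|10.1.1.45|mgmt-fs01|Management|\budgets\2024.xlsx
2024-03-04T14:38:57|CORP\bob|10.1.1.45|patch-srv01|Updates|\wsus\approved.txt
"""


def parse_events(text):
    """Parse the pipe-delimited sample format into dicts with datetime stamps."""
    events = []
    for line in text.strip().splitlines():
        ts, account, src, server, share, path = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "src": src, "server": server, "share": share, "path": path})
    return events


def is_sensitive(event):
    """True when the share or path name contains one of the hypothetical keywords."""
    haystack = (event["share"] + event["path"]).lower()
    return any(hint in haystack for hint in SENSITIVE_HINTS)


def hunt(events):
    """Return {(account, source_ip): finding} for actors whose share access
    looks like reconnaissance rather than normal work."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["account"], e["src"])].append(e)

    findings = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        peak_servers = peak_shares = 0
        start = 0
        for end, cur in enumerate(evs):
            # Sliding window: drop events older than WINDOW relative to `cur`.
            while cur["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            peak_servers = max(peak_servers, len({e["server"] for e in window}))
            peak_shares = max(peak_shares, len({(e["server"], e["share"]) for e in window}))
        sensitive = sorted({e["path"] for e in evs if is_sensitive(e)})

        reasons = []
        if peak_servers >= MAX_DISTINCT_SERVERS:
            reasons.append(f"{peak_servers} distinct servers within {WINDOW}")
        if peak_shares >= MAX_DISTINCT_SHARES:
            reasons.append(f"{peak_shares} distinct shares within {WINDOW}")
        if sensitive:
            reasons.append(f"touched {len(sensitive)} network/config-type documents")
        if reasons:
            findings[actor] = {"peak_servers": peak_servers, "peak_shares": peak_shares,
                               "sensitive": sensitive, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for (account, src), finding in hunt(parse_events(SAMPLE_EVENTS)).items():
        print(f"{account} from {src}: " + "; ".join(finding["reasons"]))
        for path in finding["sensitive"]:
            print("    " + path)
```

Run against the constructed sample, only the workstation at 10.1.1.45 is flagged: it reaches six servers and nine shares inside forty minutes and pulls the network diagram, a meter procedure and a head-end configuration file. The backup service account touches just as many servers but hours apart, so the sliding window keeps it below the threshold; in a real environment such accounts still need an allow-list, and the thresholds have to be baselined against the utility's own share-access telemetry before the query is useful for hunting.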