Power Grid Honeypot Puts Face on Attacks

Researchers from MalCrawler built a honeypot mimicking an energy management system at the heart of a power grid, exposing attackers’ behavior once they have access to critical infrastructure systems.

TENERIFE, Spain – The rhetoric around hacking the power grid would have you believe it’s a relatively mundane practice. Policymakers, intelligence agencies and vendors, for example, spread the word gleefully, leaning on scenarios such as state-sponsored hackers shutting off the lights in the dead of winter as a scare tactic to glean budget and influence.

One expert today at the Kaspersky Lab Security Analyst Summit pumped the brakes on the notion, backed up by data gathered from an extensive honeypot built to mimic an energy management system that controls a power company grid.

The resources needed to pull off such an attack, for example, require a lot more than a phishing email or an exploit kit.

“It’s extremely difficult. You can’t just be an NSA or FSB hacker; you need an electrical engineer on board to weaponize attacks and figure out what’s going on,” said Dewan Chowdhury, founder of MalCrawler. The attackers behind Stuxnet, he said, needed much more than hackers building a delivery method for their attack. “When it comes to weaponization, you need a power substation engineer who knows what needs to be done and tested.”

Also restricting the reality of power grid hacks are costs. Substation devices, Chowdhury said, may cost a relatively reasonable $5,000, for example, but it may take more than a $100,000 investment to properly configure those devices.

“These things are complex, and the skill set is unique,” Chowdhury said. “You need true engineers to understand it and figure out the logic.”

If your intent is to take down power, you’re likely to have more success with a squirrel or snowstorm than with a hacker who is not well versed in industrial control and SCADA systems.

“The grid is designed for self-preservation at all costs,” Chowdhury said. “Knocking down one substation can be remediated within seconds. It would take a massive amount of resources to attack high-voltage substations to disrupt the bulk grid.”

Chowdhury cautioned, however, that there are state actors who do target grids and critical infrastructure with a measure of success. The motivation for the honeypot his group built was to understand attackers’ behaviors once they had wormed their way onto a critical industrial network. The honeypot is a virtualized environment designed to mimic an EMS, a SCADA device that controls the grid. Access to an EMS could give a hacker complete access to an electric grid. Lures varied according to geographies and were tailored in some cases to particular APT groups known to chase power grid intrusions. Chowdhury said the honeypot’s file systems were loaded with dummy transmission diagrams, mundane engineering documents, AutoCAD documents, data related to locations and transmission information.

The honeypot gave the APT groups access to transmission controls and protection relays that could disconnect a power generating plant from the bulk grid, Chowdhury said, leading to massive outages for hundreds of thousands of people.

The honeypot beaconed out to hackers with intentionally misconfigured operational technology systems, open Wi-Fi, and more.

Behaviors varied according to the actors, Chowdhury said. Most of the activity, he said, was espionage: stealing technical data, mapping SCADA networks, installing additional malware. The groups had access to the HMI, which would allow them to manipulate the grid, but Chinese, U.S., and Russian groups, he said, stick to a gentlemen’s agreement and leave the grid alone. Middle Eastern actors, however, will try to perform control actions to sabotage the grid.

“They’re not even interested in data,” Chowdhury said. “Once they had access to the HMI, they were out to manipulate the power grid and shut stuff off. Anything they could get to, they went for it.”

While the major powers may keep at arm’s length from physically manipulating the grid, they are after data that would enable that type of activity.

“If anyone wants to successfully hack the grid, they need to know the inner workings of them,” Chowdhury said. “None are created equal. One power company likely has different vendors from one substation to the next. You need to know how to configure these things, and if you want to weaponize malware, this is the information you need.”