To catch a thief

Cyber-attacks represent one of the biggest operational risks facing the utility sector and ethical hackers allow you to see your systems through the lens of a cyber-criminal so you can plug security gaps.

Why the need for ethical hackers

The theft of millions of customer records, the tampering of industrial control systems to alter chemical and flow levels within the water supply, and computer bugs that bring the energy grid to a standstill – no, these are not storylines for a blockbuster thriller à la Die Hard 4, but scenarios that are giving security experts across the utility sector no end of sleepless nights.

Last year, EY ranked cyber-attacks along with extreme weather events as the biggest operational risks for utility companies. Meanwhile, a 2016 report from Cambridge University’s Centre for Risk Studies found that around 15 per cent of all cyber-attacks logged in the UK were directed at energy companies, giving the energy sector the dubious accolade of being second only to financial services as the most at-risk sector.

“Utilities are a soft target for malicious adversaries and a successful attack has the potential to cause mass disruption,” warns Dan Mosca, a cyber-security expert at PA Consulting. “They often operate legacy networks and systems that are not ‘secure by design.’”

Against a backdrop of rising geopolitical tensions, the likelihood of an attack on critical national infrastructure has moved from worst-case scenario to distinct possibility with “cyber” seen as the new weapon of choice. “This has already been seen in the attacks that caused electricity outages on the Ukraine grid in 2015 and 2016 and the incident in 2019 on the Western US grid where hackers used firewall vulnerabilities to cause periodic ‘blind spots’ for operators,” Mosca says.

The Cambridge report estimated that a cyber-attack on the electricity distribution network in the south and east of the UK could disrupt transport, digital communications and water services for up to 13 million people and cost the UK economy between £49 billion and £442 billion. Attackers aren’t just looking to cause costly network outages or gain unauthorised access to sensitive data but are also looking to cause physical damage to equipment to disrupt production or cause physical harm.

Risks aside, a ramping up of legislation is helping to focus minds and prompt utility players to beef up the resilience of their systems for compliance purposes. GDPR has put the spotlight on customer data breaches, and failure to comply with its provisions potentially entails fines of up to 4 per cent of turnover or €20 million. Similarly, the UK’s Network and Information Systems (NIS) regulations, the first formal cyber-security regulations for the utilities sector, adopted into law in May 2018, require operators of essential services to take “appropriate and proportionate” security measures.

At the same time, with organisations under increasing pressure to embrace digital transformation, juggling business agility and security requirements is an inevitable but growing headache. For many corporations, the security risks of moving forward quickly with new information technologies are worth the rewards of improved customer experiences. But moving fast also introduces challenges and uncertainties about where vulnerabilities are hiding in networks and applications.

“They may procure and integrate solutions made up of commercial off-the-shelf technologies such as Windows and TCP/IP to become ‘smarter’ and take advantage of digital innovation. This creates vulnerabilities and, when combined with weak risk management practices such as not patching system vulnerabilities on a regular basis, increases the chances of a successful breach,” says Mosca.

How ethical hackers help

As both the intensity and frequency of cyber-attacks increase, the utility sector is increasingly turning to ethical hackers to identify vulnerabilities in systems. Essentially they are security experts, generally from outside the organisation, who role-play as malicious attackers and attempt to compromise the security of its systems – by emulating phishing attacks, trying to infect workers’ computers, or perhaps stealing data – using all the tools, techniques and procedures that cyber-criminals are seen to use, albeit in a safe and controlled environment.

They use technical assessments known as penetration tests to find as many technical vulnerabilities as possible in a pre-defined system. Meanwhile, so-called red team exercises mimic a real-life attack against a company to evaluate the effectiveness of its security defences against cyber risks – from technical to policy to people, from a disgruntled employee or casual hacker to a hacktivist or state-sponsored cyber-criminal.

Exposing gaps in security policy and process helps clients to strengthen their cyber defences and provide assurance to the business, its stakeholders and regulators that its systems are as robust as possible.

“Typically, this kind of activity helps companies mitigate risk by addressing known vulnerabilities before criminals do,” says Daniel Smith, a security researcher and white hat hacker (aka a good guy) at Radware.

What emerges is a digital game of cat and mouse. “When vulnerabilities like ‘Shitrix’ are announced, we can see the spike in scans from both criminals and researchers. In general, researchers are scanning the internet to discover how many vulnerable systems are exposed online. Criminals are scanning the internet to create a list of vulnerable systems that they will revisit once a proof of concept hack or exploit has been published,” Smith explains.


Bearing in mind that this is about trying to simulate real life security threats, the devious and creative lengths that ethical hackers (and their not-so-ethical counterparts) might go to in order to breach systems should not be underestimated.

We’re not just talking about writing code to hack into online systems remotely; it could also involve breaching the physical security at a location to access computers (effectively breaking in), targeting unwitting employees, for example through social media sites such as LinkedIn, or even “dumpster diving”, as our American friends would say. One expert I spoke to said hackers will even scatter memory sticks in a client’s carpark in the hope that they’ll be used by staff and subsequently transmit viruses.

“More targeted attacks could look to use insiders to physically get into a company, planting people to try to get access to systems or going in through the supply chain and claiming to access systems for maintenance purposes,” says Anthony Young, a director at Bridewell Consulting. “With red teaming, you have a goal such as shutting down a system. You might spend three to six months trying to hit that goal and we won’t be given any information other than which system the client wants us to access,” Young says.

The approach works because the mental process of trying to break into a system is very different to the process of trying to defend it, according to research conducted by Cranfield University. “If we are going to use an ethical hacker they have to think like the attackers we are likely to be defending against, whether that be ‘script-kiddies’ or nation states,” explains Dr Duncan Hodges, a senior lecturer in cyber operations at the university.

Ethical hacking is now mainstream, although it took a while for the utility sector to fully embrace the concept. This is perhaps due to political reasons, the absence until more recently of any real compliance stick to justify investments, and a reluctance to lay bare any security holes, experts speculate, amid concerns that weaknesses in systems reflect badly on those in charge.

“There’s normally a bit of resistance because people feel you’re attacking them. But attitudes are changing as people become more aware of the threats and more stories hit the news,” says Victor Acin of Barcelona-based cyber intelligence provider Blueliv.

Organisations are right to have some concerns. Ethical hacking brings risks of disruption, especially if it takes place in a live environment, Mosca warns. “Any tests need to be scoped and executed carefully by certified specialists to avoid disruption to networks, systems and the service. All risks need to be identified, and appropriate mitigations put in place to ensure that the business does not suffer any impact in the quest to increase security defences.”

If the risks of testing in a live environment are too great, especially where there could be safety implications, testing should be carried out in a replicated virtualised or offline test environment or use alternative non-intrusive methods such as health check assessments against best practice standards and frameworks, Mosca adds.

“Some organisations will attempt to reduce the risk during the engagement by defining the scope of the assessment to not include business-critical systems. This obviously reduces the realism of the engagement and the attacks then become a less useful identifier of potential vulnerabilities,” Hodges warns. Realistically, though, the focus of an ethical hacker’s attention will often be dictated by the defined scope of a project or be limited by a timeframe – unlike real hackers, who can devote as much time as they want to breaking into your systems. “That’s why it’s so important to monitor changes to your infrastructure,” warns Acin. “It has to be an ongoing thing.”


Perhaps not surprisingly, the costs associated with these types of projects can be eye-wateringly high. “It depends on the size of the organisation and how many sites they operate but generally speaking you might spend around the £40,000 to £50,000 mark for an assessment that gives them a real-world attack scenario,” Young says.

Success boils down to approaching the ethical hacking exercise in the most intelligent way, says Cranfield University’s Hodges. “The organisation must be mature enough to both work constructively with the penetration tester and engage with the results from the activity to generate real benefit.” That involves critical evaluation of the results to identify potentially systemic issues in the organisation, whether that be in training, recruitment, software development or security practice.

Network audits are meaningless unless companies learn how to proactively patch the identified or known vulnerabilities in their network, Hodges warns. “You solve nothing if you hire ethical hackers just to dismiss their concerns. This is something we see all too often in this community. Ethical hackers will report and corporations will ignore the threat.”

“Remember that ethical hacking will only expose risk – it will not fix vulnerabilities,” agrees Adam Brown, senior security manager at Synopsys. “Ethical hacking can only expose around 50 per cent of risks because 50 per cent of these come from flaws in design that hacking is not best placed to find. Use it as part of a process to discover risk and have a process to fix findings.”

Experts also warn that ethical hacking must be used in the context of continuous security improvement, as opposed to a one-off event. Unless the outcomes from security testing regimes are integrated with risk treatment practices, then any vulnerabilities you identify may not be quickly tracked through to remediation, or even worse, those vulnerabilities may be exploited by a real attacker.

“Whether it’s patching across your estate, or making sure passwords are not weak and that people aren’t sharing them – good security is a chain of events. You’ve got to make the bad guys really work for it by having good policies and procedures. But doing that at scale isn’t easy,” says Ed Williams, a 15-year veteran of the ethical hacking world who heads up SpiderLabs, the penetration testing arm of managed security services provider Trustwave.

Ethical hacking is very much the sexy side of digital security, but it is only effective if you get the basics right with simple “cyber-hygiene”. “A more holistic approach to cyber-security needs to be adopted, such as examining the management approach and ensuring policies and operating procedures are fit for purpose,” Mosca says. In short, you can spend millions of pounds shoring up your systems, but if the receptionist plugs in a random memory stick and accidentally downloads a devastating piece of malware, it was all for nothing.

10 steps to ethical hacking success

• Work with the ethical hacking team to permit as large a scope as possible. This will ensure that the engagement is as realistic as possible.

• No single element of a security process should be viewed as a silver bullet; it’s about doing everything from the boring (asset registers and password strategies) through to the cool and sexy like penetration testing.

• A successful penetration test/red team exercise does not end after the test has been completed. To deliver value, your business must assess the impact of any issues found and action the recommendations.

• Know your objectives. Are there particular concerning threats you would want addressed? Are you looking to improve the security of a particular system or the overall network?

• Make sure you think a system is secure before spending time on a test so you don’t waste time testing issues you already know exist.

• Ensure the right people are conducting the test, those with the necessary technical skill set and qualifications (for example, CREST-Approved or an NCSC Certified Professional).

• Listen to your hackers and researchers. They are the experts. You solve nothing if you hire ethical hackers just to ignore the threats and dismiss their concerns.

• Any change in infrastructure should include cyber-security testing to ensure that change does not increase the company’s vulnerability to a cyber-attack.

• Tailor the scope of testing over time to focus on recurring problems, critical parts of the business, any high-risk systems and all external interfaces.

• Remember, this is not a one-off exercise.

Case study: United Utilities

Jon Wyatt, chief security officer of the UK’s largest listed water company, on its use of ethical hackers

“We’ve been using ethical hackers for about ten years. Before any new solution or IT system goes live, we bring in ethical hackers to test it, tell us if they find holes in it and what we need to do to fix it. It’s a really effective way of ensuring we build systems securely.

“We use red teaming too, where we’ll ask them to gain access to an operational site. We’ve not had anyone call the police yet, but staff do challenge them. It’s about building up the culture of challenging people. It lets us see where the holes are in our security; you don’t necessarily see it when you’re doing it every day.

“Our board is very enlightened and they see the benefits of this approach. I can’t say how much we spend altogether but penetration testers earn about £1,000 a day and a small system might take two or three days to test. They always find something. When you’re thinking like a defender, you build in different controls to an attacker. They have different mindsets.

“GDPR and the NIS regulations have reinforced a lot of the processes we already had in place. Now we have some governance to show a structure that we adhere to. It becomes a different pitch to the board and makes it easier to justify what we’re doing and justify the expense. But try not to let the cost of ethical hacking put you off. It does have value.”