Siân Green

Persistent, aggressive ‘cyber attacks’ are on the increase and are now a reality for many companies. Energy utilities are particularly vulnerable, and should be working hard to protect their operations.

Key findings from a new report by IT security firm Riptech show that internet-based attacks on companies are on the rise, and that attack activity remains intense, pervasive and potentially severe. The report projects an annual growth rate in attacks of 64 per cent, with power and energy companies topping the list of those most likely to suffer a severe attack.

Riptech’s operations centre monitors activity on its clients’ internet security devices around-the-clock

The report is based on data gathered from Riptech’s clients over the first six months of 2002, and shows an increase in activity of 26 per cent over the last six months of 2001. And while the report shows that companies are having some success in defending against attacks, it also states that the risks for power and energy companies have increased since the end of 2001.

According to Riptech’s data, 70 per cent of power and energy companies on its books suffered a severe attack in the first half of 2002, compared with 57 per cent in the second half of 2001. Not only do these companies suffer the largest levels of attacks by volume, they also suffer from the most aggressive attacks.

“Aggression and volume of attacks are two key factors in determining whether an attack will succeed,” noted Tim Belcher, co-founder and chief technology officer of Riptech. “Aggressive attacks are 26 times more likely to succeed than other attacks, so the industry that faces the most aggressive attacks is also most likely to suffer the most compromises.”

Cyber criminals

Power and energy companies generally suffer from the same types of intrusions as companies operating in other industries. Hackers will attempt to compromise their systems and inflict damage on the company and its assets. The intent is usually theft, fraud, or the collection of intellectual property.

Cyber terrorism is also a reality for energy companies. “For power and energy companies, the threat is much more significant in terms of their role in critical infrastructure and in the communities in which they do business,” says Belcher. “Every power company has connected EMS and SCADA systems which are critical networks for controlling the generation and distribution of power, and they are very viable targets for cyber terrorism. So while some companies might stand to lose money, power and energy companies stand to lose the capability to provide services, which has a cascading effect on the surrounding community.”

Utilities’ role in critical infrastructure and their high profiles make them popular targets for hackers

Every security compromise has a different impact on the company being attacked. Some are simply a nuisance and some are damaging, and this usually depends on the motivation and persistence of the hacker.

“If the hacker spends hours rather than minutes on an attack, or if they do it gradually over a period of time so as not to be detected, or if they’re going to launch several attacks against one company, then that’s aggressive,” says Belcher. “But if they launch a multitude of attacks on companies in the ISP, then they will hit maybe 500 companies but we don’t consider that to be very aggressive because they’re actually looking for any vulnerability anywhere.”

He continues: “A significant percentage are out for fun and notoriety and want to demonstrate their mastery of technology. But also the world is littered with criminals looking for credit card information and financial information on people and one of the things that power companies often don’t realise is that they have an enormous amount of personal information stored about the people in the communities in which they do business – addresses, telephone numbers, billing information and so on.”

Monitoring security systems is the key to success against cyber attacks

The move towards greater use of the internet by utilities has also made them more vulnerable. “Many [utilities] are also moving more towards e-commerce with their clients so that they can do on-line billing and so on. That information is certainly at risk during cyber attacks,” notes Belcher.

Critical role

So what is it about power and energy companies that makes them such a target for hackers? According to Riptech, it is mostly down to the fact that utilities play a key role in the control and operation of infrastructure that is critical to the economy, i.e., power generation plants, transmission and distribution lines and substations. “Based on their role, profile and critical infrastructure it’s no surprise that they’re targeted,” says Belcher. “It’s not unknown for utilities to have large IP infrastructures that are connected to critical systems that control power generation and distribution. They make a very attractive target.”

An added factor is that energy utilities are usually large, public companies with high profiles in the region or community in which they do business. According to Riptech’s report, large companies (with over 1000 employees) and public companies are more likely to be targeted than small or private organizations.

Defensive challenges

Riptech’s message is that companies at risk should be taking measures to protect their operations from internet-based attacks, the first step being the adoption of best-of-breed security products such as intrusion detection systems that can be deployed on an enterprise-wide or global basis. According to Belcher, web servers are highly targeted systems and are one of the easiest ways to compromise a company.

“There is no shortage of products that provide security enhancements to everything from web servers to UNIX systems and so on. The adoption of these takes time, money and effort, but we are seeing a significant level of adoption by power companies,” comments Belcher. “We are seeing a rapid deployment of these devices and that is a step in the right direction.”

Power and energy companies still face challenges in defending themselves, however. “Power and energy companies are adopting security products and solutions faster than any company that I know of,” notes Belcher. “The problem is that the IT infrastructures of most power companies are very large and complex and are not easily defended. They have wireless connections, vulnerable entrances to the IT infrastructure from remote locations and so on.”

Companies that have the ability to monitor activity on these security systems generally see the most dramatic fall in compromises, says Belcher. “The products sitting there alone will work to some degree, but given time and effort you can circumvent them in most organizations,” notes Belcher. Monitoring the security devices also lets a company become aware of an attack as soon as it starts, respond appropriately, and rapidly repair any damage.

Severity scale

Riptech monitors the internet security systems of over 400 companies around the world, some five per cent of which are energy companies. It takes data from firewalls and intrusion detection devices and uses a combination of its own technology and in-house experts to analyze the data and to identify and investigate cyber attacks on corporate networks in real time, 24 hours a day. Between January and June 2002, the company analyzed over 11 million individual firewall log entries and IDS alerts, and from these identified over 180 000 confirmed attacks.

Riptech has a central operations centre from which it monitors all of its clients in real time. “We see the attack start, see how it progresses and if it looks like it has any chance of being successful then we’ll adapt the company’s defences to rebuff it,” says Belcher. “We have people looking at thousands of attacks per day and analyzing them for success and severity. We notify the client when necessary or take defensive action on behalf of the client.”

Riptech’s system imports data from its clients’ firewalls and intrusion detection systems, normalizes it and stores it in a dedicated client database. This data is continuously mined and patterns of potentially malicious activity are isolated and stored as sub-events. If these sub-events meet certain criteria and characteristics, they become a security event and are posted to a graphical user interface in Riptech’s operations centre and are examined by security analysts. Some security events turn out to be false alarms and are eliminated, while confirmed attacks are categorized in terms of type and severity.

Riptech assigns each attack to one of four severity levels. The first two levels are ‘nuisance’ levels where no action is needed to protect the company. Attacks that appear to be coordinated, aggressive attacks, or attacks that show any likelihood of success, are assigned a higher severity level. In severe cases, Riptech will isolate a company from the internet in order to protect it. This is a worst-case scenario, “but it happens frequently, so it is not an uncommon scenario by any means”, notes Belcher.
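The pipeline described in this section (normalize firewall and IDS records, group them into sub-events per source, then grade them by the aggression criteria Belcher gives earlier: hours rather than minutes, repeated visits to one company, and any sign of success, as opposed to a broad sweep across many companies) can be sketched in code. The following is an added illustration written for this page, not Riptech’s software or its actual rules. The log line formats, the thresholds (one hour, a 30-minute session gap, three or more clients counting as a broad scan), the level numbering and the sample records are all assumptions made up for the example.

```python
"""Toy attack-triage pipeline modelled on the four-level scheme described above.

Everything here is illustrative: the log formats, thresholds, level names and
sample records are assumptions for the example, not Riptech's real rules.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds (hypothetical, chosen to mirror the criteria quoted in the text).
AGGRESSIVE_SPAN = timedelta(hours=1)      # "hours rather than minutes"
SESSION_GAP = timedelta(minutes=30)       # separate bursts = "several attacks against one company"
BROAD_SCAN_CLIENTS = 3                    # hits this many clients = looking for "any vulnerability anywhere"

LEVELS = {
    1: "nuisance: part of a broad scan across many clients",
    2: "nuisance: brief, single-target, no sign of success",
    3: "elevated: sustained/repeated, or shows a sign of success",
    4: "severe: aggressive and shows a sign of success",
}

# Constructed sample data. Assumed line formats:
#   "<iso-time> <client> FW <accept|drop> <src> -> <dst>:<port>"
#   "<iso-time> <client> IDS <signature> <src> -> <dst>"
RAW_LOGS = [
    "2002-03-04T01:00:00 utilA FW drop 10.0.0.5 -> 192.0.2.10:80",
    "2002-03-04T01:00:01 utilB FW drop 10.0.0.5 -> 198.51.100.7:80",
    "2002-03-04T01:00:02 utilC FW drop 10.0.0.5 -> 203.0.113.9:80",
    "2002-03-04T02:00:00 utilA FW drop 172.16.9.9 -> 192.0.2.10:21",
    "2002-03-04T02:00:20 utilA FW drop 172.16.9.9 -> 192.0.2.10:22",
    "2002-03-04T02:01:30 utilA FW drop 172.16.9.9 -> 192.0.2.10:23",
    "2002-03-04T09:00:00 utilB FW drop 198.18.0.44 -> 198.51.100.7:139",
    "2002-03-04T09:10:00 utilB FW drop 198.18.0.44 -> 198.51.100.7:445",
    "2002-03-04T12:00:00 utilB FW drop 198.18.0.44 -> 198.51.100.7:1433",
    "2002-03-04T12:05:00 utilB FW accept 198.18.0.44 -> 198.51.100.7:80",
    "2002-03-04T12:05:01 utilB IDS WEB-IIS_cmd.exe_access 198.18.0.44 -> 198.51.100.7",
    "2002-03-04T14:00:00 utilC FW drop 10.9.9.9 -> 203.0.113.9:8080",
    "2002-03-04T14:02:00 utilC FW accept 10.9.9.9 -> 203.0.113.9:80",
    "2002-03-04T14:02:01 utilC IDS WEB-IIS_cmd.exe_access 10.9.9.9 -> 203.0.113.9",
]


@dataclass
class Event:
    ts: datetime
    client: str
    kind: str     # "FW" or "IDS"
    detail: str   # firewall action or IDS signature
    src: str
    dst: str


def parse_line(line: str) -> Event:
    """Normalize one firewall or IDS record into a common Event."""
    ts, client, kind, rest = line.split(" ", 3)
    detail, src, _arrow, dst = rest.split(" ")
    return Event(datetime.fromisoformat(ts), client, kind, detail, src, dst.split(":")[0])


def build_subevents(events):
    """Group events by (source, client) and order each group in time."""
    subs = defaultdict(list)
    for e in events:
        subs[(e.src, e.client)].append(e)
    for evs in subs.values():
        evs.sort(key=lambda e: e.ts)
    return subs


def count_sessions(evs, gap=SESSION_GAP) -> int:
    """Number of separate bursts: a pause longer than `gap` starts a new one."""
    return 1 + sum(1 for prev, cur in zip(evs, evs[1:]) if cur.ts - prev.ts > gap)


def shows_success(evs) -> bool:
    """Sign of success (assumed heuristic): an IDS alert on traffic the firewall accepted."""
    accepted = {(e.src, e.dst) for e in evs if e.kind == "FW" and e.detail == "accept"}
    return any(e.kind == "IDS" and (e.src, e.dst) in accepted for e in evs)


def classify(subs):
    """Assign each (source, client) sub-event a level from 1 (nuisance) to 4 (severe)."""
    clients_per_src = defaultdict(set)
    for src, client in subs:
        clients_per_src[src].add(client)
    levels = {}
    for (src, client), evs in subs.items():
        if len(clients_per_src[src]) >= BROAD_SCAN_CLIENTS:
            levels[(src, client)] = 1          # broad sweep, not aimed at this company
            continue
        span = evs[-1].ts - evs[0].ts
        aggressive = span >= AGGRESSIVE_SPAN or count_sessions(evs) >= 2
        levels[(src, client)] = 2 + int(aggressive) + int(shows_success(evs))
    return levels


def triage(lines):
    """Full pipeline: raw lines -> normalized events -> sub-events -> severity levels."""
    return classify(build_subevents([parse_line(l) for l in lines]))


if __name__ == "__main__":
    for (src, client), level in sorted(triage(RAW_LOGS).items(), key=lambda kv: -kv[1]):
        print(f"{client:6} {src:14} level {level}: {LEVELS[level]}")
```

Run as a script it lists the sample sources from most to least severe: the host that probed three clients in quick succession is graded a nuisance even though it touched the most companies, while the host that returned to one client over three hours and then triggered an IDS signature on an accepted connection is the only level-4 case. The thresholds are the part an analyst tunes; the structure (normalize, group, measure persistence and breadth, look for evidence of success) is what the article is describing.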

Riptech also does ‘contract intrusions’ where it emulates a hacker to find weaknesses in a company’s system. “Our success rate there is well above 95 per cent and that’s against companies with hardened defences,” says Belcher. “It goes to show that it’s not enough to have the [security] products, you have to watch them and take adaptive defensive measures to keep people out. Given time, effort and expertise, a hacker will be successful in getting into almost any network.”