On the heels of the news reports describing cyberattacks on the energy sector that have continued to accumulate over the last few years, the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a technical alert on March 15 describing ongoing attacks on critical infrastructure by hackers associated with the Russian government. The alert described the cyberattacks as part of a “multi-stage intrusion campaign by Russian government cyber actors” that targeted the energy sector networks, as well as computer systems used by entities in the nuclear, water, aviation, and critical manufacturing sectors. The alert is the latest in a string of reported cyberattacks on industrial control systems (ICS) in recent years, and can only serve to ratchet up the regulatory pressure on these industries to demonstrate their resilience in the face of these well-organized attacks.

The joint analysis identifies several distinct indicators of the malicious activity and paints a troubling picture on the breadth and scope of the campaign. Initially, the alert says, the Russian-linked actors targeted “staging targets,” such as trusted third-party supplier networks, in order to set up malware repositories. Using those staging targets as a pivot point, the malicious actors were then better positioned to compromise the networks of their “intended targets”—government and private sector ICS operators. The DHS and FBI discovered that the campaign employed a wide range of techniques to infiltrate target networks, ranging from sophisticated spear-phishing and open-source reconnaissance to host-based exploitation. For example, the Russian-linked actors used planted scripts to create local accounts disguised as legitimate backups that could be used for remote access to energy sector networks. The report also describes the campaign’s misuse of everyday applications, such as Microsoft Word, to capture user credentials.

The steady pace of reported cyberattacks in recent years—now including an alleged state-sponsored cyber campaign—highlights the need for ICS operators in critical sectors to pay close attention to applicable cybersecurity compliance requirements. This includes electric utilities subject to the Critical Infrastructure Protection (CIP) reliability standards by the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) and nuclear licensees subject to Nuclear Regulatory Commission cybersecurity requirements. The DHS/FBI alert also underscores the importance of updating detection and response mechanisms and providing effective cybersecurity awareness training practices to employees and contractors.

Staging attacks through the exploitation of trusted third-party suppliers presents a risk that in the energy sector can be very difficult to address because those networks, employees, and hardware and software products of third-party suppliers are outside the control of ICS operators. To address that risk, companies in the energy sector should carefully vet their suppliers using stringent criteria and consider revisiting the terms and conditions in their vendor agreements to reflect best practices for supply chain risk management. Although these third-party risks can never be completely resolved, strong partnerships with outside vendors can substantially reduce the surface area for attacks on energy sector ICS and enable a quick response to remediate and identify vulnerabilities.