U.S. Power Grid Documents First Ever Cyber Disruption

We’ve talked about critical infrastructure vulnerabilities quite a bit on this blog over the years, but until today our conversations have been confined to hypotheticals.

First Ever Cyber Disruption

According to an interview conducted May 4, 2019 on NPR, the first cyber disruption of the United States power grid has been reported to the Department of Energy.

The disruption took place in March of this year in a geographic area reported broadly as “Utah, Wyoming and California – Southern California”.

No loss of power or service interruptions were reported in association with the “disruption”, and the event was categorized as a “loss of visibility”. Essentially, operators were unable to see what was happening on the grid during the event.

Targeted DDoS

While specifics are short at this time, the root cause of the event has been attributed to a targeted DDoS attack directed at the network.

While DDoS attacks are in general fairly rudimentary tools in the hacking toolbox, this particular DDoS showed signs that the hackers were familiar with the network and were able to exploit a flaw particular to it.

“In this case, the denial of service exploited a particular vulnerability, so it was a little bit more targeted than that. The hacker or hackers knew what they were doing and were able to actually find a particular flaw in this network equipment and send a certain type of packet or string of data to really make it stop working.”

How Vulnerable is the Grid?

That is the million-dollar question. The U.S. power grid is a massively complicated and interconnected beast with connections to utilities large and small, sophisticated and philistine. The potential for infiltration and disruption has been documented and now proven, albeit in a rather minor way.

How Vulnerable is your network?

In a recent poll by eSecurityPlanet.com, about 64 percent of respondents said they conduct penetration testing at least annually, and 60 percent conduct threat hunting exercises at the same rate. Do you? Our team of engineers and account executives has the skills and resources to quickly and efficiently determine the vulnerability of your network and offer solutions for any weaknesses found.

If you are interested in getting an outside, independent and unbiased analysis of your network’s security, simply give us a call or click here: https://konsultek.com/executive-risk-assessment/.

The first 20 respondents will receive a complimentary Executive Risk Assessment. This assessment will not only show you the risk and impact to your most critical digital assets but demonstrate the likelihood of a breach happening.

Critical Infrastructure Attacks Become More Ominous

Critical infrastructure attacks are a concern for every nation and every citizen alike. A disruption to any of our major utilities such as power, gas and water could cripple entire metro areas here in the United States.

We’ve written about the vulnerability of critical infrastructure many times. In 2017 we discussed a hack of a Texas tornado warning system, and last year we discussed substation vulnerabilities.

From IT to OT

The typical infrastructure attack unfolds as follows. The IT network gets hacked through any of the usual attack vectors (phishing, spearphishing, unpatched vulnerability, etc.). Once the hacker has control, he makes his way over to the OT network and begins working to achieve some level of operational control capability.

From OT to SIS

In the latest twist on critical infrastructure vulnerability, FireEye is now reporting that hacking groups are using a sophisticated piece of malware known as Triton to move beyond the OT systems and into the SIS (Safety Instrumented System). This is a serious concern since the hackers might be able to override or disable safety warnings and protocols that would otherwise prevent potentially dangerous situations.

FireEye first reported on Triton in late 2017 after uncovering it as part of a sophisticated critical infrastructure attack. Triton has now been found again. Here is what FireEye reports:

“After establishing an initial foothold on the corporate network, the TRITON actor focused most of their effort on gaining access to the OT network. They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment.

The actor was present in the target networks for almost a year before gaining access to the Safety Instrumented System (SIS) engineering workstation. Throughout that period, they appeared to prioritize operational security.”

Industrial Control Systems are Vulnerable

FireEye’s research indicates that the malicious actor deploying Triton and related tools has been operational since 2014, which leads to speculation that the number of affected (infected?) critical infrastructure networks could by this time be quite large. FireEye’s advice is that ICS asset owners should implement security solutions that focus on both detection and defense across their IT and OT Windows-based systems.

Konsultek Holistic Security Solutions

Konsultek specializes in holistic security solutions that detect, defend and neutralize threat actors using cutting edge technologies from the world’s leading security companies.


Power Transmission Substation Honeypot Yields Unexpected Results

We’ve discussed the security of critical infrastructure many times on this blog, from the hijacking of the Dallas, TX tornado warning system to discussions at Davos, selfies revealing sensitive information and even a video showing a white hat hacker team physically compromising a substation security system.

The security of the nation’s critical infrastructure is, well, critical, so we were quite intrigued by a recent honeypot experiment conducted by researchers at Cybereason.

Honeypot Yields Unexpected Results

Looking to further understand the threats facing critical infrastructure, Cybereason set up a honeypot late in Q2 2018 that emulated the network of a major electric provider’s power transmission substation. All significant network systems, including an IT environment, an OT environment and an HMI (human machine interface) management system, were included in the honeypot to make it appear as legitimate a network as possible.

Gotcha!

Cybereason expected the honeypot to reveal attack vectors that targeted individuals with network access. Instead, what they found was that the honeypot was compromised by a set of actors who sourced their access tools off a dark web forum!

According to Cybereason CISO Israel Barak, the honeypot infrastructure was first discovered by a black-market seller conducting a broad internet reconnaissance. “The seller was able to compromise a single machine in the honeypot and posted it for sale in a black market called xDedic – along with the network identifiers of the compromised environment, which disclosed its probable affiliation with a large utility provider.”

Dark Web = Lights Out?

While the genesis of the threat, purchasing access off the dark web, was unexpected, Cybereason believes that those using the purchased access are very familiar with ICS environments. They moved quickly from the honeypot’s IT environment into the OT (operational technology) environment, which is the system environment that actually controls the equipment used to deliver the utility in question, whether it be electricity, natural gas or water. The attackers appear to have been singularly focused on getting to the OT network. Some of their techniques were sloppy and raised red flags that would likely have elicited a security team’s response, but had they been left unchallenged for some reason, it appears possible they would have achieved their goal.

Can We Help You Achieve Your Goals?

When it comes to security, having an end goal in mind makes sense. Let us help you discover what goals make sense for your organization. It’s simple to get started, we’re just a phone call away.

 

 

Loudest Cyberattack in History Leaves Dallas Citizens Wailing

The sirens started at 11:42 p.m. Friday 4/7/17 and weren’t silenced until 1:20 a.m. Saturday 4/8/17. During that time millions of Dallas residents repeatedly had their dreams interrupted by no fewer than 156 tornado emergency sirens.

The alarms have a duration of 90 seconds per cycle and were activated 15 times during the cyberattack.

Hackers Were Local

What was at first described as a “malfunction” by officials was later deemed to be a hack of the emergency system. According to the Washington Post:

“Officials have ruled out a remote hack — telling reporters someone gained physical access to a hub connecting all the sirens, which may not be turned on again until Monday as the city tries to figure out who, how and why.”

Critical Infrastructure Attacks Remain a Global Concern

Last January we reported that critical infrastructure vulnerability was a hot topic at the annual Davos conference, and 15 months later the Dallas incident has literally and figuratively sounded the critical infrastructure alarm.

According to federal data, critical infrastructure attacks are on the rise. In 2012 fewer than 200 attacks were documented. By 2015 that number had risen to nearly 300.

Regardless of the intent of the hackers, and regardless of the fact that the “hack” appears to have required physical access, it serves as another example of how critical infrastructure can be compromised with apparent ease.

As Texas and federal officials continue their investigation it will be interesting to learn the motives, the details surrounding the vulnerabilities that were exploited and exactly how the hack was orchestrated.

Konsultek Knows Security

Our customized security solutions don’t stop with technology. A comprehensive Konsultek security assessment looks at all aspects of information and network security including human factors and physical security procedures. Is your information vulnerable? Let us help you find out. Call today to learn more about our comprehensive security assessments.

 

© Copyright 2018 Konsultek