Dragos has released a new report that provides a snapshot of the cyber activities threatening electric organisations in Australia.
A few key elements are currently influencing the Australian industrial control systems (ICS) and operational technology (OT) threat landscape and its elevated levels of cyber risk. These include the constant evolution of ICS/OT targeting adversaries, increased ransomware activity, the prevalence of supply chain threats, and the existence of sub-optimal security controls.
As part of our ongoing and regular industry-focused threat hunts, which are designed to help inform our customers, Dragos has recently released a new report to share the outcome of threat hunts specifically focused on Australian electric utilities to help ICS/OT security defenders stay ahead of the threat landscape.
One of the more concerning (albeit unsurprising) findings is that Australia, despite its geographical isolation, is by no means exempt from the increased adversarial targeting experienced by industrial organisations globally. A range of criminal and state-sponsored adversaries have targeted Australian electric organisations: at least six of the 19 Dragos-designated threat groups have either directly targeted, or have the assessed capability to target, electric organisations within the country.
Adversaries' offensive cyber tactics
Adversaries targeting ICS/OT continue to seek initial access to electric utility networks to enable future attacks against these organisations. Additionally, numerous adversaries have demonstrated the capability of utilising offensive cyber tactics to disrupt electric operations through the misuse of control systems, employing specialised malware and leveraging a deep knowledge of the target operating environment.
One example is the PIPEDREAM malware framework developed by the CHERNOVITE threat group, which poses a significant potential risk to industrial organisations globally. CHERNOVITE's PIPEDREAM malware could theoretically cause disruption, degradation, or destruction of industrial environments, irrespective of the associated geography or industry vertical.
Ransomware's continuous threat
Ransomware remains a continuous threat with the demonstrated potential to impact information technology (IT) and OT infrastructure. This is especially the case in target environments where both IT and OT networks possess a flat architecture and inadequate segmentation. Additionally, with the existence of ransomware strains that either directly or indirectly target ICS environments, the ability to achieve disruption to the electric system is an ever-present threat. Such a disruption would have the potential to lead to significant financial loss, physical damage, reputational decline and potentially loss of life. Concerningly, these criminal groups have targeted an increasing number of Australian electric organisations.
The increased level of software/supply chain dependencies and the prevalence of vendor remote access within the Australian electric sector also pose a significant threat to electric operators. This operational reliance can introduce a range of third-party security risks into the customer's environment, including the possibility of targeted supply chain attacks. Numerous adversaries, such as the Dragos-tracked threat group XENOTIME, have historically used these techniques in an attempt to gain access to target ICS environments, indicating the prevalence of this initial access technique.
Inadequate security controls
The lack of adequate security controls in many industrial organisations may also increase the risk of adversaries gaining access to OT networks and achieving their intended objectives. Numerous threat groups have historically exploited vulnerable externally facing infrastructure and applications as part of initial access operations. This exploitation activity presents substantial risks to industrial organisations, as the access obtained may subsequently be used to perform internal reconnaissance, pivot from IT to OT, or deploy malicious tooling such as ransomware.
All the above elements come together to increase the overall risk of an intrusion-facilitated power disruption event. Such an event could occur at various points in electric system operations, including control centres, dispatch centres, or within the actual generation, transmission, or distribution environments.
In the future, such a disruption could be an intended objective of a cybercriminal operation to incentivise ransom payment, while state-sponsored entities could leverage the same disruption to support larger political goals. Irrespective of the underlying intent, as adversaries and their sponsors invest more resources into obtaining disruptive capabilities, the risk of a disruptive or destructive attack on the electric industry significantly increases.
Comprehensive security strategies
This observed threat activity ultimately highlights the critical importance of Australian electric organisations adopting comprehensive security strategies with associated controls across both IT and OT environments. As part of this, organisations should focus on essential elements such as defensible architecture, monitoring and visibility, ICS incident response plans, remote access authentication, key vulnerability management, and comprehensive security policies.
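The flat IT/OT architecture and inadequate segmentation described in the ransomware section, and the defensible architecture and remote access authentication elements listed above, can both be checked against an existing firewall policy. The following is an added example, not code from the Dragos report or from this article: it audits a constructed, simplified rule set for allow rules that flatten the IT-to-OT boundary and for vendor remote access that terminates directly inside an OT zone rather than on a jump host in a DMZ. The zone names, rule format and sample rules are all assumptions made for illustration.

```python
"""Audit a simplified firewall rule set for IT/OT segmentation gaps.

Added example for illustration; not from the Dragos report or this article.
Zone names, the Rule format and SAMPLE_RULES are constructed assumptions.
"""
from dataclasses import dataclass

# Hypothetical zone model: IT zones, OT (Purdue level 2/3 and control centre)
# zones, and external zones from which vendors and the internet arrive.
IT_ZONES = {"corp", "dmz"}
OT_ZONES = {"ot_l2", "ot_l3", "control_centre"}
EXTERNAL_ZONES = {"vendor_vpn", "internet"}
ANY = "any"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str    # "tcp", "udp" or "any"
    ports: str    # "any" or a comma-separated list, e.g. "502,20000"
    action: str   # "allow" or "deny"


def _is_it(zone: str) -> bool:
    # A zone wildcard matches IT as well as everything else.
    return zone == ANY or zone in IT_ZONES


def _is_ot(zone: str) -> bool:
    return zone == ANY or zone in OT_ZONES


def find_segmentation_gaps(rules):
    """Return (rule, reason) pairs for allow rules that weaken IT/OT segmentation.

    Only allow rules matter; deny rules cannot open a path. Rules from OT
    back into IT are not flagged here, since the concern in the text is
    an adversary pivoting from IT into OT.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue

        # Vendor or internet access landing straight in OT bypasses any
        # jump host / authentication choke point in the DMZ.
        if r.src_zone in EXTERNAL_ZONES and _is_ot(r.dst_zone):
            findings.append((r, "external remote access terminates directly in OT zone"))
            continue

        if not (_is_it(r.src_zone) and _is_ot(r.dst_zone)):
            continue

        # Checks are ordered from broadest to narrowest so each rule gets
        # the single most serious reason.
        if r.src_zone == ANY or r.dst_zone == ANY:
            findings.append((r, "zone wildcard allows an unrestricted IT-to-OT path"))
        elif r.ports == ANY:
            findings.append((r, "all ports open from IT into OT"))
        elif r.proto == ANY:
            findings.append((r, "protocol wildcard from IT into OT"))
    return findings


# Constructed sample policy: a mix of scoped, wildcard and vendor rules.
SAMPLE_RULES = [
    Rule("corp", "ot_l3", "tcp", "443", "allow"),              # scoped: not flagged
    Rule("corp", "ot_l2", "any", "any", "allow"),              # flat IT->OT
    Rule("any", "any", "any", "any", "allow"),                 # catch-all allow
    Rule("vendor_vpn", "control_centre", "tcp", "3389", "allow"),  # vendor straight into OT
    Rule("vendor_vpn", "dmz", "tcp", "3389", "allow"),         # vendor to DMZ jump host: not flagged
    Rule("ot_l3", "corp", "tcp", "443", "allow"),              # OT->IT: out of scope here
    Rule("corp", "ot_l3", "any", "any", "deny"),               # deny rules never flagged
]


def audit_report(rules) -> list[str]:
    """Human-readable lines, one per finding, for a review meeting or ticket."""
    return [
        f"{r.src_zone} -> {r.dst_zone} {r.proto}/{r.ports}: {reason}"
        for r, reason in find_segmentation_gaps(rules)
    ]


if __name__ == "__main__":
    for line in audit_report(SAMPLE_RULES):
        print(line)
```

The audit is deliberately conservative: a scoped allow from the corporate zone into OT is not flagged, because whether a specific port belongs there is an engineering decision, whereas wildcards and direct vendor paths are the patterns that make a network flat.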
Get your free copy of the Dragos Australian Cyber Threat Perspective report here.