Leaked cybersecurity centre's warning raises alarm over energy sector intrusion
Technologically savvy foreign state-sponsored hackers have been gathering sensitive information on the inner workings of the UK’s power distribution infrastructure, a leaked document suggests.
Foreign hackers may have been gathering sensitive information that could allow them to cause damage to critical infrastructure, a leaked National Cyber Security Centre (NCSC) warning suggests.
The revelations came as one IT specialist with expertise in this area told E&T that the data centres on which Britain’s power distribution network depends are vulnerable because their building-management and power systems still rely on decades-old communications protocols such as BACnet, Modbus and SNMP. These were designed for isolated networks in a different era and, in the versions commonly deployed, carry commands in plaintext with no authentication: any host that can reach the controller on the network can read its state or issue commands to it.
The protocols are widely used by critical cooling and power equipment such as fans, pumps and circuit breakers, and a compromise of the network that carries them could be used to damage power generation and distribution capacity.
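To make the point about authentication concrete, the following is an added example (not code from the article or from any vendor named in it) that builds and parses Modbus/TCP frames and runs a simple passive check over constructed traffic. A Modbus/TCP request is a 7-byte MBAP header (transaction id, protocol id, length, unit id) followed by the function code and its data; there is no field anywhere in the frame for a credential, signature or nonce. Because a write request looks the same whoever sends it, the only practical defence on the wire is network segmentation plus monitoring: the `audit` function below flags write function codes from any source that is not on an allowlist of engineering stations. The IP addresses, coil address and allowlist are assumptions chosen for illustration.

```python
import struct

# Modbus function codes used below (the others follow the same pattern).
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_COIL = 0x05
# Function codes that change controller state; reads are 1-4 and 23/24.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}


def build_write_single_coil(transaction_id, unit_id, coil_addr, on):
    """Build a Modbus/TCP 'Write Single Coil' (FC 05) request.

    Nothing in the MBAP header or the PDU identifies or authenticates
    the sender; the frame is identical whether it comes from an
    engineering workstation or from an unexpected host on the LAN.
    """
    value = 0xFF00 if on else 0x0000            # FC 05 encodes ON as 0xFF00
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_COIL, coil_addr, value)
    # MBAP: transaction id, protocol id (0 = Modbus), length of the
    # remaining bytes (unit id + PDU), unit id.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def build_read_holding_registers(transaction_id, unit_id, start, count):
    """Build a Modbus/TCP 'Read Holding Registers' (FC 03) request."""
    pdu = struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start, count)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_frame(frame):
    """Decode the MBAP header and function code; decode FC 05 data fully."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    info = {"tid": tid, "unit": unit, "function": frame[7]}
    if info["function"] == FC_WRITE_SINGLE_COIL and len(frame) >= 12:
        addr, val = struct.unpack(">HH", frame[8:12])
        info["address"] = addr
        info["value"] = (val == 0xFF00)
    return info


def audit(records, allowed_writers):
    """Return (src, dst, decoded) for every write request from a source
    that is not an approved engineering station.

    records: iterable of (src_ip, dst_ip, payload_bytes), as a passive
    sensor on the control network would capture them.
    """
    alerts = []
    for src, dst, payload in records:
        try:
            info = parse_frame(payload)
        except ValueError:
            continue                            # not a well-formed Modbus/TCP frame
        if info["function"] in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append((src, dst, info))
    return alerts


# Constructed sample traffic (assumed addresses, not from a real capture):
# an approved station polls a register, then an unexpected host commands
# a coil. The PLC cannot tell the two senders apart; the monitor can.
ALLOWED_WRITERS = {"10.0.5.10"}                 # assumed engineering station
SAMPLE_TRAFFIC = [
    ("10.0.5.10", "10.0.5.50", build_read_holding_registers(1, 1, 0, 4)),
    ("10.0.5.10", "10.0.5.50", build_write_single_coil(2, 1, 0x0010, False)),
    ("10.0.99.23", "10.0.5.50", build_write_single_coil(7, 1, 0x0010, True)),
]
ALERTS = audit(SAMPLE_TRAFFIC, ALLOWED_WRITERS)

if __name__ == "__main__":
    for src, dst, info in ALERTS:
        print("write from non-approved host %s to %s: %s" % (src, dst, info))
```

The allowlist check is deliberately crude: in practice the sensor would also key on unit id, function code and register range per device, since even an approved station normally writes only to a known set of points. The same structural weakness applies to BACnet/IP and to SNMPv1/v2c, where the community string travels in the clear, so the mitigation is the same: keep these protocols off routable networks and watch for commands from hosts that have no business sending them.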
Technology website Motherboard reported that it had obtained a copy of a private warning sent out by the NCSC, which is part of spy agency GCHQ, suggesting a number of industrial control systems were “likely to have been compromised” by attackers.
A spokesman for the agency later said it was working with those affected in the UK to better understand the threat and manage any risks arising from it.
The leaked document also stated: “The NCSC is aware of connections from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors, who are known to target the energy and manufacturing sectors.”
However, it is said not to have clarified which “hostile threat actors” the NCSC was referring to.
The recent wave of activity began early last month and roughly coincided with intrusions into the energy infrastructure of other western countries, including Ireland and the USA.
The attackers may be using several techniques, including phishing emails masquerading as official correspondence and aimed at stealing credentials such as passwords. Using an initial foothold to install malware and move progressively deeper into the systems that run power networks has also been a favoured tactic of such actors in the past.
Ukraine’s energy network has in recent years fallen victim several times to cyber attacks that caused blackouts. Some experts have previously suggested the ex-Soviet country was being used as a testing ground by hackers loyal to the Kremlin. Because there is no obvious financial gain from attacking a country’s power network, such attacks are generally assessed as likely to be state-sponsored, though Moscow has denied directing them. NATO has been seeking to agree a common protocol for responding to attacks of this kind.
One recent incident affecting Ukraine involved malware that included, among other components, a denial-of-service module exploiting a well-known vulnerability in some Siemens devices.
Earlier this year Yves Neimer from Siemens warned at a conference about power networks: “The consequence is that an attack on your network can bring blackouts. If you are in production in nuclear plants and you can have someone accessing your nuclear plants, it can bring a lot of trouble.”
Such problems are often said to fall between the IT security team and the mechanical and engineering teams within an organisation, with neither owning them, so they are sometimes not adequately addressed.
New regulations in the US require operators of data centres and cloud storage providers to significantly beef up their security by way of better patch management and ensuring remote access is secure.