Spear-phishing attacks in power utility firms are using Word documents

And analysts previously thought hackers were using Excel.

Whether it is a gang of criminals trying to disrupt the electricity for extortion, terrorists attempting to damage it for headlines, or nation states attacking it as part of their intelligence or combat strategy, the end result of a successful attack against the power grid is blackouts, economic damage, and potentially weeks or months of repair. The risk of a successful attack is no longer theoretical, said David Allott, director of Cyberdefence, Intel Security.

"Earlier this year we reported on the role of BlackEnergy Trojan in the Ukrainian power grid disruption in late December 2015. The attack resulted in hundreds of thousands of citizens plunging into darkness for hours. We determined the initial attack vector was via a spear-phishing campaign, using a weaponized Excel attachment containing a dropper, which once launched allowed the payload to be downloaded. Our investigations also revealed that spear-phishing campaigns in Ukraine appear to have continued into January 2016, using Word documents instead of Excel," he added.

Building security into the power grid is challenging, due to the importance of service availability and the amount of legacy infrastructure. There are multiple zones that must be secured, including enterprise IT, SCADA, and industrial control systems (ICS), and each of these zones has unique technical and political challenges.

Air gaps and security through obscurity, which once provided a somewhat more secure buffer, have been replaced by greater interconnectivity through wired and wireless networks running over IP and cellular solutions.

Many SCADA and ICS systems run atop common hardware with popular operating systems and applications. While these changes have introduced greater operational efficiencies, flexibility, and reduced cost, they have also introduced a new layer of risk.

"Security requirements of energy providers are situational awareness, multi-zone protection, native support for SCADA and ICS solutions, and continuous compliance: Employ solutions that supply situational awareness across data, network, and endpoint controls; Implement controls that work across IT, SCADA, and ICS zones and can correlate information across all three; Take advantage of solutions that are purpose-built for critical infrastructure environments and don’t negatively impact availability; Leverage anti-malware solutions that are not scan based, have small footprints and resource requirements, and don’t require frequent updating or even network access, and; Demand solutions that can help demonstrate compliance with regulatory mandates and offer capabilities that map directly to mandates," Allott said.

Industrial control systems and plant operations need to ensure increased availability, reliability, and safety. This requires tighter collaboration among manufacturers, security developers, and industrial process vendors to protect control systems from known and unknown cyber-threats and misuse.

Greater cooperation and public-private partnerships with national and international agencies are important to keep pace with the escalating threat landscape.