Cybersecurity training for the Energy Sector, Electricity Subsector


Overview

Philosopher Friedrich Nietzsche has said that "those who were seen dancing, were thought to be insane by those who could not hear the music". Today we could also say that those who see state-sponsored attacks against the electrical infrastructure, are thought to be insane by those who do not understand the modus operandi in the recent hybrid war.

A combination of physical destruction, sabotage and cyberattacks can harm or destroy the electrical infrastructure and cause vast blackouts across every country. Adversaries plan, prepare and test all three options.

In 2015, a sniper fired on an electrical substation and caused a blackout in Silicon Valley, and $15 million in damage. The press called it "another strange, isolated attack".

Shootings at two electrical substations in North Carolina had left 40,000 customers without power for days. This is not an isolated incident. Duke Energy reported gunfire at a hydroelectric power plant in South Carolina. There are incidents of sabotage (that may be seen as “vandalism”) to US power facilities in Oregon and Washington in October and November 2022.

Is it vandalism? According to the FBI, vandalism is the attempt or the act to willfully or maliciously destroy, injure, disfigure, or deface any public or private property, real or personal, without the consent of the owner or person having custody or control by cutting, tearing, breaking, marking, painting, drawing, covering with filth, or any other such means as may be specified by local law. But the modus operandi of the intruders in Oregon (cutting through a perimeter fence, damaging equipment, causing a power outage) and Florida (half a dozen intrusions at substations) is indicating an effort to test and validate cyber security controls, and understand whether people, systems and processes are effective at detecting and responding to threats.

These cases clearly show how vulnerable the power grid remains to simple forms of sabotage.

State-sponsored hacker groups carry out operations that look like cybercrime or hacktivism, but are hidden cyberespionage or business intelligence attempts.

Cyber intrusions to electricity facilities, often starting with simple phishing attacks, gather intelligence and steal credentials. According to the Wolf Creek nuclear facility in Kansas (another "isolated" target of cyber attacks), the attacks did not impact operations at all because the operation systems were separate from the networks that were targeted. It is clear that adversaries first target people, credentials, systems, and when preparation meets opportunity, they may attack the critical infrastructure.

Cyberattacks organized by state-sponsored adversaries can cause catastrophic, widespread, and lengthy blackouts. The effect on business, trade, products, services, government entities, hospitals, the police, banks, the retail market, and families can be disastrous.


Modules of the tailor-made training

Introduction.

- Important developments in the Energy Sector, Electricity Subsector.

- Understanding the challenges in electricity generation, transmission, and distribution.

- Countries having the capability to launch cyberattacks that could disrupt electrical infrastructure.


The modus operandi

An overview of some attacks that are suitable for the objectives of the training. At the end of the presentation we will cover one or more of these attacks in depth.

CISA Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors.
- Indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by cyber actors on compromised victim networks.
- The multi-stage intrusion campaign, as it was characterized by the DHS and the FBI, by state-sponsored cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.

- How could all these attacks succeed?


Understanding the tactics, techniques, and procedures (TTPs).
- spear-phishing emails (from compromised legitimate account),
- watering-hole domains,
- credential gathering,
- open-source and network reconnaissance,
- host-based exploitation, and
- targeting industrial control system (ICS) infrastructure.


Who is the “attacker”?

- Countries, competitors, criminal organizations, small groups, individuals, employees, insiders, service providers.

- Hacktivists and the Electricity Subsector.

- Professional criminals and information warriors.


How do the adversaries plan and execute the attack?

- Step 1 – Collecting information about persons and systems.

- Step 2 – Identifying possible targets and victims.

- Step 3 – Evaluation, recruitment, and testing.

- Step 4 - Privilege escalation.

- Step 5 – Identifying important clients and VIPs.

- Step 6 – Critical infrastructure.


Employees and their weaknesses and vulnerabilities.

- Employee collusion with external parties.

- Blackmailing employees: The art and the science.

- Romance fraudsters and webcam blackmail: Which is the risk for the Electricity Subsector?


Malware.

- Trojan Horses and free programs, games, and utilities.

- Ransomware.


Social Engineering.

- Reverse Social Engineering.

- Common social engineering techniques

- 1. Pretexting.

- 2. Baiting.

- 3. Something for something.

- 4. Tailgating.


Phishing attacks.

- Spear-phishing.

- Clone phishing.

- Whaling – phishing for executives.

- Smishing and Vishing Attacks.


Cyber Hygiene.

- The online analogue of personal hygiene.

- Personal devices.

- Untrusted storage devices.


- Best practices for managers and employees in the Energy Sector, Electricity Subsector.

- What to do, what to avoid.


Case studies.

We will discuss the mistakes and the consequences in one or more case studies.

Closing remarks and questions.


Target Audience

The program is beneficial to all persons working for the Energy Sector, Electricity Subsector. It has been designed for all persons having authorized access to systems and data.


Duration

One hour to half day, depending on the needs, the content of the program and the case studies.


Delivery format of the training program

a. In-House Instructor-Led Training,
b. Online Live Training, or
c. Video-Recorded Training.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf


Terms and conditions.

You may visit: https://www.cyber-risk-gmbh.com/Terms.html


Cyber Risk GmbH, some of our clients