By Galina Antova and Yiftach Keshet, Claroty
The power sector is facing a new reality. It is one we have spoken about in theoretical terms. Hollywood has used it as a scenario in its disaster films, and legislators have warned about it as a potential “Cyber Pearl Harbor.”
The “red lines” that conventional wisdom once held would prevent disruptive or destructive attacks against electric utilities have been crossed numerous times. Given the lack of serious repercussions, we can safely assume they will be crossed again. The notion of Cold War-era “Mutually Assured Destruction” as a deterrent force has dimmed, and cyber criminals have taken notice.
With Stuxnet, the 2013 New York Dam attack, the 2014 “Sandworm Team” campaign against U.S. electric utilities, the December 2015 Ukraine power-grid attack, and IBM’s end-of-2016 report pointing to a 110-percent year-over-year increase in industrial control system attacks, the writing is clearly on the wall.
The threat is growing and the time is now to take serious action to secure the Industrial Control/Operational Technology (OT) networks that light the world.
To do this, we should start digging deeper into the potential pathways adversaries may use to conduct these attacks. We will examine a few scenarios in this article and discuss ways to counter them.
[Figure: Combined Cycle Single Shaft Generation Unit Anatomy]
Attackers are Attracted to Electric Utilities
Electric utilities are a distinct target for threat actors that seek to inflict financial or strategic harm. In the well-documented 2015 Ukraine attack, adversaries were able to inflict serious harm with just a multi-hour outage. Imagine the harm they could inflict with an outage lasting days.
The increasing interconnectivity between automation control systems and IT networks across power generation, transmission and distribution introduces a growing attack surface within the electric utilities ecosystem, and with it a security imperative for this industry’s key stakeholders worldwide. For the purposes of the attack scenarios in this article, we will focus on power generation plants, but it should be noted that across transmission and distribution the potential for attack is real and growing.
Understanding the Ecosystem in Attack Scenarios
A power generation unit is a multi-component environment, consisting of a core turbine and generator and various auxiliary systems that handle energy availability and utilization. The nature of these systems varies with the generation unit’s energy source (i.e., thermal, hydro, etc.).
Our attack scenarios relate to a combined-cycle generation unit. A combined cycle generation unit includes both gas and steam turbines, and uses the excess thermal heat of the former to generate steam for the latter.
[Figure: Combined Cycle Generation Unit OT Network]
The main auxiliary components include:
- Heat Recovery System Generator (HRSG) that captures the excess heat to generate steam from water, and streams it to the steam turbine.
- Condenser that captures the excess steam from the steam turbine and condenses it back to water. This water is then streamed back to the HRSG for another reheating cycle.
These attack scenarios will focus on a single shaft 1X1X1 unit, in which one gas turbine and one steam turbine share a common generator.
A Look into Potential Attack Scenarios:
The sound operation of the generation unit relies on the integrity of its OT networks that gather, process and take action based on real-time temperature, pressure and flow data.
An attacker seeking to inflict long-lasting damage on a power plant would likely refrain from a movie-style hit-and-run approach. Indeed, power plants are typically designed with sufficient redundancy to withstand a sudden component failure. Thus, the approach taken would be to inflict continuous small-scale damage which aggregates over time into severe damage to equipment and plant safety.
An attacker would typically know in advance which systems within the generation unit to target. However, the attacker would try to establish an initial foothold at the most vulnerable point. There are numerous possible entry points, from outdated Windows XP engineering stations to misconfigured servers or endpoints that initiate internet-facing communication.
[Figure: Parallel Bypass Diagram]
Upon completion of the initial compromise, the attacker would begin to carefully explore the environment and seek a path to the system it has predefined as the desired target. As a case in point, it is suspected that the Ukrainian attackers used spear-phishing as a penetration point and then spent months conducting reconnaissance before perpetrating their attack. This path varies with the initial compromise vector, but it will typically include breaching an engineering station and altering the configuration of a controlled PLC.
Attacking the HP Bypass System
The bypass system is a critical component in combined cycle generation units. Its main purpose is to isolate the steam turbine from the flowing steam, which is accomplished by redirecting the superheated steam to dedicated piping leading to the condenser. Steam bypassing is necessary during startup, shutdown or steam turbine trip.
Startup and shutdown require the use of the bypass system due to the difference between the gas and steam turbines. The gas turbine takes a considerably shorter timeframe to achieve full operating speed, versus the steam turbine which should not be started before the metal in the rotor and blades reaches the steam temperature. Thus, the gas turbine excess thermal energy is available to the HRSG steam generation before the steam turbine can accept it. In such a case, the bypass system redirects the generated steam directly to the condenser.
In a similar manner, in a controlled shutdown the bypass system enables the steam turbine to be taken offline at its own pace, progressively reducing the steam load supplied to it. However, in the case of an emergency trip, the bypass system is operated immediately at full capacity.
The tasks of the control system involve the throttling of the redirection, pressure letdown, and attemperation valves. The orchestration of these operations relies mostly on the processing of temperature and pressure data. Typically, the respective PLC set points are determined and configured during the initial system setup.
Malfunction of the bypass system directly impacts the generation unit components’ lifespan, exposing the turbine metal to thermal stress and undermining the metal reliability. Another example is a scenario in which the bypass system operates as expected, but a failure occurs in the process of steam attemperation. In this case the condenser will be exposed to steam at a temperature level it is not equipped to handle.
We have now established why the bypass system might appeal to an attacker. In addition, let us remember that this system is not part of the day-to-day routine operation of the power plant, and changes that an attacker inflicts on its respective PLC’s set points will not have an immediate disrupting effect, and thus will likely go unnoticed by the generation unit operators.
[Figure: Attacking the Bypass Valve]
Attack Vector 1: Attacking the Bypass Valve
Object: damage the steam turbine
Method: causing the steam turbine to start prior to metal parts reaching required temperature.
Path: the PLC sends the valve actuator open/close instructions that are based on temperature data it receives from the steam turbine’s I/O. Once the metal temperature in the steam turbine reaches the required temperature, the PLC instructs the actuator to open the bypass valve and resume standard steam flow from the HRSG to the turbine.
The attacker alters the temperature set points in the engineering station of the respective PLC, causing the redirection valves to prematurely cease bypass and allow superheated steam to flow into the turbine.
[Figure: Attacking the Steam Conditioning Valves]
Attack Vector 2: Attacking the Steam Conditioning Valves
Object: damage the condenser
Method: allowing superheated and high pressure steam to enter the condenser.
Path: The temperature and pressure of the superheated steam from the HRSG must be reduced before it enters the condenser. This process is known as steam conditioning, and involves the use of attemperation and pressure letdown valves on the steam prior to its entering the condenser. Steam conditioning is required because the condenser is designed for the post-turbine excess steam, which has significantly lower temperature and pressure levels. Introducing superheated, high-pressure steam into the condenser would cause cumulative damage to its metal parts.
The PLC controls the throttling of the valves based on steam temperature and pressure data. Similar to the scenario above, the attacker lowers the temperature set points in the engineering station of the respective PLC, causing the attemperation spray valve to cease prematurely and exposing the condenser to superheated steam it is not designed for.
Counter these Threats with Deep Visibility into your OT Networks
In both scenarios outlined above, what enables such an attack to succeed is the lack of sound monitoring tools for OT networks. Without visibility into network asset communications, attackers can reside undetected, learn the network layout and system behavior, and gain the knowledge to inflict harm. Having visibility includes, for example, knowing when a high-risk change to a set point on a key PLC happens. But it also includes visibility into the actions and activities of an attacker before the attack – when the adversary is investigating the environment and moving laterally toward the target. There is currently a great deal of discussion surrounding Deep Packet Inspection for OT networks – as exemplified by recent discussions at the annual S4 conference. Look into these security solutions for your networks – because you should have a deeper level of visibility into what is going on within them than your adversaries.
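The two kinds of visibility named above, spotting a high-risk set-point write to a key PLC (the bypass-valve and steam-conditioning scenarios) and spotting an unfamiliar host exploring the OT network before the attack, can be illustrated with a small passive monitor. The following is an added example written for this article; it is not Claroty’s code and not any product’s logic. It assumes a hypothetical sensor log format, constructed IP addresses, constructed tag names and constructed engineering bands recorded at commissioning; none of these values are real plant parameters.

```python
"""Added example: passive OT monitor over constructed sensor log lines.

Assumed (hypothetical) log format, one line per observed PLC transaction:
  <timestamp> <src_ip> -> <dst_ip> <op> [tag=<name> value=<number>]
The baseline below stands in for what a commissioning survey would record:
which hosts may talk to which PLC, and the engineering band of each
safety-relevant set point.
"""
import re
from dataclasses import dataclass

# Constructed baseline of allowed talker pairs (addresses are placeholders).
ALLOWED_PAIRS = {
    ("10.1.1.10", "10.1.2.20"),  # HMI -> bypass PLC
    ("10.1.1.11", "10.1.2.20"),  # engineering station -> bypass PLC
    ("10.1.1.10", "10.1.2.21"),  # HMI -> steam-conditioning PLC
}

# Constructed set-point bands: (low, high, commissioned value). The tag names
# and numbers are placeholders, not real turbine or condenser limits.
SETPOINT_BANDS = {
    ("10.1.2.20", "ST_METAL_TEMP_MIN"): (450.0, 500.0, 480.0),
    ("10.1.2.21", "ATTEMP_OUTLET_TEMP"): (300.0, 360.0, 340.0),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<op>\w+)"
    r"(?: tag=(?P<tag>\S+) value=(?P<value>-?\d+(?:\.\d+)?))?$"
)


@dataclass
class Alert:
    ts: str
    severity: str
    reason: str


def parse_line(line):
    """Parse one sensor line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    if ev["value"] is not None:
        ev["value"] = float(ev["value"])
    return ev


def check_event(ev, seen_pairs):
    """Return the alerts raised by one parsed event."""
    alerts = []
    pair = (ev["src"], ev["dst"])
    # Reconnaissance / lateral movement: a talker pair absent from the
    # commissioning baseline, reported once per pair.
    if pair not in ALLOWED_PAIRS and pair not in seen_pairs:
        seen_pairs.add(pair)
        alerts.append(Alert(ev["ts"], "medium",
                            f"new communication pair {ev['src']} -> {ev['dst']} ({ev['op']})"))
    # Set-point writes: outside the engineering band is high severity,
    # any deviation from the commissioned value is still worth an alert.
    if ev["op"] == "WRITE" and ev["tag"]:
        key = (ev["dst"], ev["tag"])
        if key in SETPOINT_BANDS:
            low, high, commissioned = SETPOINT_BANDS[key]
            value = ev["value"]
            if value < low or value > high:
                alerts.append(Alert(ev["ts"], "high",
                                    f"{ev['tag']} on {ev['dst']} set to {value}, "
                                    f"outside engineering band [{low}, {high}]"))
            elif value != commissioned:
                alerts.append(Alert(ev["ts"], "medium",
                                    f"{ev['tag']} on {ev['dst']} changed "
                                    f"from {commissioned} to {value}"))
    return alerts


def run_monitor(lines):
    """Run every line through the checks and collect the alerts in order."""
    seen_pairs = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            alerts.extend(check_event(ev, seen_pairs))
    return alerts


# Constructed sample traffic: a routine write, an unknown host polling both
# PLCs, then the bypass temperature set point lowered far below its band.
SAMPLE_LOG = """\
2017-03-01T08:00:00Z 10.1.1.10 -> 10.1.2.20 READ tag=BYPASS_VALVE_POS value=100
2017-03-01T08:00:05Z 10.1.1.11 -> 10.1.2.20 WRITE tag=ST_METAL_TEMP_MIN value=480
2017-03-01T08:01:00Z 10.1.1.57 -> 10.1.2.20 READ tag=ST_METAL_TEMP_MIN value=480
2017-03-01T08:01:02Z 10.1.1.57 -> 10.1.2.21 READ tag=ATTEMP_OUTLET_TEMP value=340
2017-03-01T08:03:00Z 10.1.1.11 -> 10.1.2.20 WRITE tag=ST_METAL_TEMP_MIN value=300
2017-03-01T08:03:10Z 10.1.1.11 -> 10.1.2.21 WRITE tag=ATTEMP_OUTLET_TEMP value=355
"""

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_LOG.splitlines()):
        print(f"{alert.ts} [{alert.severity}] {alert.reason}")
```

On the constructed log the monitor raises one high-severity alert for the bypass set point pushed below its band, and medium alerts for the unknown host and for the engineering station writing to a PLC it was never baselined against. The important design point is that the engineering band and the allowed-pair list come from commissioning records, not from the PLC itself: a set point changed through a compromised engineering station looks perfectly legitimate to the controller, so the reference values have to live outside the path the attacker controls.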