Security experts worry BlackEnergy technology could soon be available to bad non-state actors

Published 13 November 2014

A few days ago DHS issued a cyberthreat alert to critical infrastructure firms warning of the malicious software called BlackEnergy, a variant of a Trojan horse believed to have originated from Russian government-sponsored hackers. BlackEnergy is similar to another Russian-issued malware called Sandworm, which was used in a 2013 Russian cyber-espionage campaign against NATO, the European Union, and overseas telecommunication and energy assets. DHS believes the attack on U.S. critical systems is “part of a broader campaign by the same threat actor.”

BlackEnergy uses files slide1.gif and slide1.inf to create a backdoor // Source: ne.jp

On Monday, the Homeland Security News Wire reported on a DHS cyberthreat alert issued to critical infrastructure firms warning of the malicious software called BlackEnergy, a variant of a Trojan horse believed to have originated from Russian government-sponsored hackers. Several industrial control systems, including GE Cimplicity, Siemens WinCC, and Advantech/Broadwin WebAccess, have been affected. BlackEnergy is similar to another Russian-issued malware called Sandworm, which was used in a 2013 Russian cyber-espionage campaign against NATO, the European Union, and overseas telecommunication and energy assets. DHS believes the attack on U.S. critical systems is “part of a broader campaign by the same threat actor.”

The link to Russia makes BlackEnergy dangerous, but security experts fear that the technology could soon be available to other bad actors. “I think we should be scared and take this very seriously because it could be a nation-state issue. But the fact is, once the tools are there they could just leave it out and anyone could do (the attack),” said James Joshi, a University of Pittsburgh associate professor and lead faculty member of the school’s Information Assurance Program.

The Pittsburgh Post-Gazette reports that there are no signs that affected systems have been hijacked via BlackEnergy, but DHS is on high alert because the malware could have infiltrated yet-to-be-discovered files and systems. “It’s really a very serious issue and the fact that sometimes it’s very difficult to detect (this type of malware) and sometimes the places that house industrial control systems may or may not follow very consistent, very rigorous, security practices creates a huge problem,” said Joshi.

PJM Interconnection, the grid operator responsible for the largest grid in the U.S., covering Pennsylvania and twelve surrounding states, said it is aware of the threats. “However, like all cybersecurity threats, we continually monitor and arm ourselves with the best strategies to protect the grid and our market,” said spokesman Paula DuPont-Kidd. Peoples Natural Gas, which manages 14,000 miles of pipeline in its network, does not use any of the software identified as the target of BlackEnergy, and the company operates its critical assets through offline systems. “This eliminates over 99 percent of these malicious threats,” said spokesman Barry Kukovich.

Scott Aaronson, senior director of national security policy for the Edison Electric Institute, has been aware of BlackEnergy for about a month and urges all critical infrastructure firms to review the safety of their systems regularly. DHS believes several entities are unaware that they have been hacked. “There are two kinds of companies: those that have been attacked and those that don’t know it yet,” Aaronson said. He added that there is no such thing as 100 percent security: “what we’re doing is not risk elimination, it’s risk management.”

Aaronson notes that while companies may not be able to guard against all threats, more emphasis needs to be placed on how to recover after an attack on critical systems. “How do you make sure that any damage that is done is not catastrophic, but is simply a nuisance?” he asked. The National Institute of Standards and Technology recommends best practices for critical infrastructure firms to guard against and recover from cyberattacks, but some companies may fail to follow the standards as rigorously as they should.