Data security firm Symantec has been sounding alarm bells with reports of an ongoing cyber espionage campaign by a group dubbed Dragonfly aimed primarily at the energy sector. The group's initial targets were defense and aviation companies in the U.S. and Canada, but in early 2013 the focus shifted to U.S. and European energy firms. According to Symantec, Dragonfly has managed to compromise a number of strategically important organizations for spying purposes and could potentially damage or disrupt energy supplies.
A disruption to parts of the U.S. energy grid could be disastrous and put data center providers and customers through some rough times. While data centers generally have multiple layers of infrastructure redundancy and backup power supplies to ride out utility outages, prolonged grid-power interruptions could lead to data center outages.
The Dragonfly group has a range of malware tools at its disposal and could launch attacks in multiple ways. Also known as "Energetic Bear," it has been in operation since at least 2011. Symantec says it bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability. Based on an analysis of when they attack, the company says the attackers are likely based in Eastern Europe.
The group started by planting malware in phishing emails sent to personnel at target firms. It moved on to watering-hole attacks, compromising websites likely to be visited by employees in the energy sector and serving exploit kits from them. The third phase of the campaign was the Trojanizing of legitimate software bundles belonging to three different Industrial Control System (ICS) equipment manufacturers. Two of them were identified as MB Connect Line, a German maker of industrial routers and remote-access appliances, and eWon, a Belgian firm that makes virtual private network software used to access industrial control devices. The third vendor has not been identified. Because the Trojan was bundled with the vendors' own packages, companies installed malware simply by downloading software updates for computers that run ICS equipment.
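The third phase above works because an update downloaded from a compromised vendor site is installed without anyone checking that it still matches what the vendor actually released. The following is an added example, not code from the article or from any of the vendors named: it checks every file in a downloaded bundle against a manifest of SHA-256 digests obtained out-of-band, flags files that were altered, removed or added, and refuses installation unless everything matches. The bundle, its contents and the manifest are constructed in a temporary directory so the example runs offline.

```python
"""Added example (not from the article or any vendor): integrity check for a
downloaded software bundle before it is installed on an ICS engineering host.

The bundle and its manifest are constructed here so the example runs offline.
In practice the manifest digests must come from a channel independent of the
download itself (a signed release page, a vendor notice), otherwise an
attacker who Trojanized the bundle could simply republish matching hashes.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large installers never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_bundle(bundle_dir, manifest):
    """Compare every file named in the manifest with its expected SHA-256 digest.

    Returns a dict mapping filename -> 'ok', 'modified' or 'missing'. Files present
    in the bundle but absent from the manifest are reported as 'unexpected', since
    a Trojanized bundle may add components rather than only alter existing ones.
    """
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(bundle_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_file(path)
        # compare_digest avoids leaking timing information about the expected digest
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    for name in sorted(os.listdir(bundle_dir)):
        if name not in manifest:
            results[name] = "unexpected"
    return results


def bundle_is_trusted(results):
    """Install only when every manifest entry matched and nothing extra was found."""
    return all(status == "ok" for status in results.values())


def build_demo_bundle(tamper=False):
    """Construct a throwaway two-file 'installer' and its manifest (sample data, not a real product)."""
    d = tempfile.mkdtemp(prefix="bundle_")
    files = {"setup.exe": b"vendor installer bytes", "driver.sys": b"vendor driver bytes"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    if tamper:
        # Simulate a Trojanized download: the installer is altered and an extra component appears.
        with open(os.path.join(d, "setup.exe"), "ab") as f:
            f.write(b" + injected bytes")
        with open(os.path.join(d, "helper.dll"), "wb") as f:
            f.write(b"not in manifest")
    return d, manifest


if __name__ == "__main__":
    for tamper in (False, True):
        bundle, manifest = build_demo_bundle(tamper)
        report = verify_bundle(bundle, manifest)
        verdict = "install" if bundle_is_trusted(report) else "refuse"
        print("tampered" if tamper else "clean", report, "->", verdict)
```

The clean bundle verifies and the tampered one is refused with `setup.exe` reported as modified and `helper.dll` as unexpected. The check is only as strong as the manifest's provenance: a digest list served from the same compromised web server as the bundle proves nothing, which is why vendor-signed manifests or a second channel matter.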
The previous major malware campaign to target ICS equipment was Stuxnet, which specifically targeted Iran's nuclear program with the goal of sabotaging it. Dragonfly's goals are broader: the immediate focus is espionage and persistent access, with sabotage as an option down the line.
Anything connected to the Internet
Ron Bradburn, director of technology for Vancouver-based data center provider Peer 1 Hosting, says anything connected or able to connect to the Internet is vulnerable to attacks by such a sophisticated group. "What I found interesting about all of this is the possible linkage to state-sponsored espionage, the level of sophistication that these groups are exhibiting, and the growing concerns in the marketplace about privacy and security," he says. "The scale of this event is quite large, and the adept way they leveraged different attack vectors makes it well organized and strategic in nature."
Long-term utility outages real threat to data center uptime
It would be difficult to use the tactics employed against utilities to create data center outages directly, but data centers rely on utilities for long-term power supply. "I don't think data centers themselves could be as attackable as utilities, because many of the building management systems run off the Internet," says Vincent Rais, who does business development at EvoSwitch, an Amsterdam-based service provider. "There's no remote turning on and off for most data centers."
Jason Yaeger, of Ann Arbor, Michigan-based Online Tech, however, says, "The scary truth is that the data center industry is not as prepared for this kind of electrical grid scenario as clients expect our industry to be. That’s because not all data center and cloud companies have the kinds of systems and protocols in place to be prepared for a lengthy power outage."
ITC Holdings, a major utility serving Michigan, where Online Tech's data centers are located, recently filed a cyber-attack incident report but later said it was a false alarm. Two other utilities, Duke Energy and NRG Energy, each filed a report last year detailing suspected cyber attacks. Duke isolated and removed several computers from the rest of the company's systems, and all software on them was stripped, reinstalled and tested again.
The only way for data center operators to maintain uptime during prolonged utility outages is to sign fuel delivery contracts with multiple vendors to keep their backup generators running.
Mike Terlizzi, executive vice president of engineering and construction at New York-based Telx, said, "When we set up our [fuel] contracts we figure out logistically how they fulfill their SLAs." If one distributor's fuel truck has to cross a river to reach a data center, for example, there has to be a contract with another distributor whose trucks have a route with no river in the way.
Human error, natural disasters more worrying than Dragonfly
While the doomsday attack scenario is a scary one, data center providers are generally more concerned with outages that are more common. “While I do think the system has some inherent vulnerabilities, my concerns typically center around an outage caused by human error, such as the September 8, 2011 Southwest Blackout, or the Aug 13, 2003 Northeast outage,” says Todd Gale, vice president of data center architecture and innovation at ViaWest, a Greenwood Village, Colorado-based provider.
"The grid is certainly a concern, but natural disasters are a greater concern," says Terlizzi. Telx faced a natural disaster firsthand in 2012, when Hurricane Sandy made landfall in the U.S. northeast. "In Manhattan, the whole island was down, but we did not lose any of our critical power," he says.
Gale is not too worried about a system-wide outage because of the way the grid is set up. "The US power system is not a single 'thing,'" he says. "The power system is, at the highest level, comprised of three independently operated interconnections, that are then managed by dozens of control centers. For example, the western U.S. is one system, but has several major entities that manage the flow of power and the reliability of the system."
It would still be difficult, however, to contain incidents that affect large portions of the grid. Tom Popik, founder of the Foundation for Resilient Societies, pointed out during a presentation at last year's Data Center World Fall that the interdependence of the North American electrical grid makes it difficult to isolate some types of failures.
"It's already in many ways an arms race out there with the latest hacking technologies being sold to the highest bidder," says Peer 1's Bradburn. "The espionage aspect is scary, however the potential to do damage or disrupt services in a system as large as the U.S. power grid is of grave concern."