According to a recent report on 2016’s CrashOverride malware attack by ICS cyber security company Dragos, the possibility of the malware strain permeating critical infrastructure around the world is evidence that plants and power systems continue to be under targeted attack, and countries and their private partners involved in infrastructure need to be prepared.
The CrashOverride attack on a single transmission substation in the Ukrainian capital Kiev in December 2016 was the first malware framework to be designed and deployed on an electric grid, the fourth piece of ICS-tailored malware to be used against targets (after STUXNET, BLACKENERGY 2 and HAVEX) and the second ever (first was STUXNET) to be designed and deployed for disrupting physical industrial processes.
Dragos has now ascertained that the malware, built by the adversary group Electrum, was purpose-built to impact electric grid operations and to facilitate impact on electric grids in other countries as part of a broader ICS attack and manipulation framework.
The Dragos report says the malware tried to understand and codify the knowledge of the industrial process to disrupt operations by leveraging the OPC protocol to map the environment and select targets.
CrashOverride also targeted libraries and configuration files of HMIs and leveraged them to connect to Internet-connected locations when possible, resulting in the downing of 30 substations on Ukraine’s power grid which left 230,000 residents without power.
The sophistication of the attack gave Electrum a platform to attack grid operations systems in other environments and marked an advancement in capability.
Dragos warns that adversaries are not only getting smarter but are growing in their ability to learn industrial processes and codify and scale that knowledge, and defenders must also adapt.
While many of these attacks have been against electricity infrastructure, they could just as easily have targeted mining infrastructure.
In response to the Dragos report, cyber security company Ixia told companies that attacks were rapidly evolving and, with nation-state support, would continue doing so.
Ixia principal security research engineer Chuck McAuley said the work required to create malware targeting specific ICS indicates nation-state sponsorship, as “one does not simply go out and build a mirror lab of an electrical grid in their basement”.
According to McAuley, human intelligence backed with strong technical knowledge was needed to create this type of software, and operators need to be ready for cyber-attack at all times.
He said the CrashOverride attack illustrates that flipping breakers on and off repeatedly should trigger warnings from both remote terminal units and networking equipment.
“Rate limiting, inline mitigation, and machine learning defences are quite mature and can easily be adapted to help provide protection in the ICS space,” he said.
“If a hacker’s intent is simply to cause disruption, they do not need to use tradecraft of the nth degree, as this case shows the malware leveraged no zero day at all, choosing instead to leverage design flaws in the ICS network.”
McAuley added the adversary would only expose and use as much of their arsenal as they needed to obtain their objective.
Ixia has four main realms of advice for companies to prevent cyber-attacks: stay offline; share and care; get the whole picture; and be prepared.
It says that if companies are not capable of maintaining their ICS networks with up-to-date countermeasures, they need to disconnect from the Internet and remove any direct reliance on IP communications.
While air gapping – where computers are removed from the network – can help, it is not an effective barrier against malware entering a network.
On the sharing and caring front Ixia said a culture of information sharing between the public and private sector should be encouraged, because the enemy relied on slow communications, legal tie-ups, and other bureaucratic clutter.
Because visibility is key to thwarting industrial attacks, it said, network visibility should be a cornerstone of any security posture. Rate limiting and alerting functions should also be paired with a strong visibility platform to notify operators when anomalies occur.
Finally, preparation is key.
Ixia said companies should prepare by not just testing their network equipment but by testing their people, as putting people under real-world conditions using tabletop and cyber range exercises enabled them to learn how to perform and think outside the box like a hacker.
McAuley said the more you could see, the quicker and easier you could react.
“If the CrashOverride victims had tapped their ICS network, they would have immediately noticed a change in traffic patterns like the scanning for OPC-based services and the IEC 104 commands that repeatedly closed and opened breakers,” he said.
“And network monitoring equipment would be able to see and alert on these transactions in real-time.”