By Cameron Camp, Security Researcher, ESET
Industroyer, the recently analyzed malware targeting industrial control systems, gives attackers a modular and complex way to attack systems like the power grid. What are the implications of this?
For years, adversaries have been quietly testing the defenses of bulk critical infrastructure like gas and oil systems, hydroelectric dams and the power grid. In recent years, starting with Stuxnet in 2010, more focused attempts at directly manipulating industrial systems have gained prominence, including Industroyer, which attempts to interact directly with power system automation. The motivations behind such tests are both alarming and easy to imagine. If a malicious actor can switch off the power across a whole city, for example, that can impact a region’s ability to do business, keep the traffic signals working, keep drinking water running and so on. This can cause disruption similar in some ways to a traditional kinetic attack, such as exploding ordnance to disrupt a city center.
The first attack of this type was leveled against the Ukrainian power grid in 2015, cutting off customers’ service by causing the related control equipment to fail. A similar attack took place in December 2016; the malware used in that case was identified by ESET as Win32/Industroyer.
In the malware world, bad actors like to reuse effective tools for as long as possible. With the current modular approach to attack software, modules can be swapped out to suit a particular target and opportunity, which is one reason these attacks are so difficult to detect and stop: no two look exactly the same. In this case, the modules spoke standard industrial protocols: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA). These are in use across power systems worldwide, not just in Ukraine (though broader worldwide use would likely also require supporting the DNP3 protocol), and the attackers took special care to use them exactly as the standards intend, making detection based on malformed commands or unusual network traffic very difficult. Basically, the systems were doing exactly what they were designed to do. Only when the activity is viewed as a whole does a pattern emerge showing that these facilities were under attack. For example, it is normal to switch large control equipment on or off, but not hundreds of times in quick succession.
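As an added example (not part of the original article or of ESET's Industroyer analysis), the following Python script shows the kind of whole-picture check the paragraph above implies. It decodes IEC 60870-5-104 single and double commands (ASDU types 45 and 46) from raw APDU bytes, ignores the select phase, and raises an alert when well-formed execute commands hit the same point more often than a threshold inside a sliding time window. Every frame is protocol-valid on its own; only the rate gives the attack away. The point addresses, timestamps, window and threshold are constructed for the illustration and are not indicators from any incident.

```python
"""Decode IEC 60870-5-104 single/double commands and flag switching bursts.

Constructed example: frames, point addresses, window and threshold are synthetic
illustrations, not captures or indicators from any real incident."""
from collections import defaultdict, deque

TYPE_IDS = {45: "C_SC_NA_1", 46: "C_DC_NA_1"}   # single command, double command
COT_ACTIVATION = 6                               # cause of transmission: activation


def parse_apdu(frame: bytes):
    """Decode one APDU: None for S/U-format frames (no ASDU), an empty object
    list for ASDU types this example ignores, decoded commands for 45/46."""
    if len(frame) < 6 or frame[0] != 0x68 or frame[1] + 2 != len(frame):
        raise ValueError("malformed APDU")
    if frame[2] & 0x01:                 # control byte bit 0 set: S- or U-format
        return None
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot_byte, _originator, ca_lo, ca_hi = asdu[:6]
    if type_id not in TYPE_IDS:
        return {"type": type_id, "objects": []}
    sq, count = bool(vsq & 0x80), vsq & 0x7F   # SQ=1: one IOA, then consecutive points
    decoded = {"type": type_id, "name": TYPE_IDS[type_id], "cot": cot_byte & 0x3F,
               "ca": ca_lo | (ca_hi << 8), "objects": []}
    pos, ioa = 6, None
    for i in range(count):
        if not sq or i == 0:
            if pos + 3 > len(asdu):
                raise ValueError("IOA truncated")
            ioa = asdu[pos] | (asdu[pos + 1] << 8) | (asdu[pos + 2] << 16)
            pos += 3
        else:
            ioa += 1
        if pos >= len(asdu):
            raise ValueError("command element truncated")
        qual = asdu[pos]                # SCO/DCO byte: state bits, qualifier, S/E flag
        pos += 1
        if type_id == 45:
            state = "ON" if qual & 0x01 else "OFF"
        else:
            state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")
        decoded["objects"].append({"ioa": ioa, "state": state,
                                   "select": bool(qual & 0x80)})  # bit 7: select=1, execute=0
    return decoded


def detect_command_bursts(timed_frames, window_s=10.0, threshold=5):
    """One alert per point when more than `threshold` execute commands for the
    same (common address, IOA) arrive within `window_s` seconds."""
    history, active, alerts = defaultdict(deque), set(), []
    for ts, frame in timed_frames:          # (timestamp_seconds, apdu_bytes), in order
        asdu = parse_apdu(frame)
        if not asdu or asdu.get("cot") != COT_ACTIVATION:
            continue
        for obj in asdu["objects"]:
            if obj["select"]:
                continue                    # select only arms the point; execute moves it
            key = (asdu["ca"], obj["ioa"])
            recent = history[key]
            recent.append((ts, obj["state"]))
            while recent and ts - recent[0][0] > window_s:
                recent.popleft()
            if len(recent) <= threshold:
                active.discard(key)
            elif key not in active:
                active.add(key)
                alerts.append({"t": ts, "ca": key[0], "ioa": key[1], "count": len(recent),
                               "pattern": "".join("1" if s == "ON" else "0" for _, s in recent)})
    return alerts


def build_command(type_id, ioa, on, select, ns=0, nr=0, ca=1, cot=COT_ACTIVATION):
    """Constructed helper: one I-format APDU carrying a single command object."""
    qual = (0x01 if on else 0x00) if type_id == 45 else (0x02 if on else 0x01)
    if select:
        qual |= 0x80
    asdu = bytes([type_id, 0x01, cot, 0x00, ca & 0xFF, (ca >> 8) & 0xFF,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF, qual])
    ctrl = bytes([(ns << 1) & 0xFE, (ns >> 7) & 0xFF, (nr << 1) & 0xFE, (nr >> 7) & 0xFF])
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu


def sample_traffic():
    """Constructed stream: one routine select/execute on IOA 0x1001, then an
    attacker toggling breaker IOA 0x2010 every 100 ms, thirty times."""
    frames = [(0.0, build_command(45, 0x1001, on=True, select=True, ns=0)),
              (0.5, build_command(45, 0x1001, on=True, select=False, ns=1))]
    for i in range(30):
        frames.append((3600.0 + i * 0.1,
                       build_command(46, 0x2010, on=(i % 2 == 0), select=False, ns=2 + i)))
    return frames


if __name__ == "__main__":
    for a in detect_command_bursts(sample_traffic()):
        print(f"t={a['t']:.1f}s CA={a['ca']} IOA=0x{a['ioa']:04X}: {a['count']} executes, pattern {a['pattern']}")
```

Against the constructed stream the routine select/execute on IOA 0x1001 produces nothing, while the toggling of IOA 0x2010 trips the detector on the sixth execute with the alternating pattern 101010. In a real deployment the frames would come from a capture of TCP port 2404 traffic, the threshold would be tuned per point type (a breaker and a tap changer have very different normal rates), and the parser would also be checking sequence numbers and which station originated the commands, none of which this example does.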
Meanwhile, the providers of critical infrastructure, already strapped by budget constraints, face upgrading decades-old systems with defenses that weren’t even imagined when those systems were built.
But the expected lifespan of this equipment might be 30 to 40 years or even more. So when operators hear about a new, network-hardened version of the same equipment, the motivation to swap out a working, very expensive piece of gear is understandably low.
As companies are forced to roll out centralized management to these old, stable systems, problems can start to occur.
There are companies rolling out network defenses aimed at critical infrastructure, but as malware-based attacks have taught us, speed is everything: attackers want maximum return on investment, and fast.
We get asked whether these complex attacks rely on highly specialized zero-day exploits. The answer is “no.” They focus on standard tools that are difficult to ban from a typical working environment; it would be like trying to ban screwdrivers from a car mechanic’s shop. Since attackers quickly mash these tools up into a toolset aimed at a particular target, no two attacks look the same.
If you’re the victim, the first thing you want to know is what is happening, but the second is who did it. That’s a tough question. Certainly, in the case of Industroyer, there were hints that Russian speakers were involved in its construction, but that is far from conclusive. It is tempting, when eager to lay blame, to combine such hints with a perceived strong motive and conclude in broad strokes that a particular actor, in this case actors in Russia, was responsible. But cybersecurity attribution is more nuanced: if a bad actor wanted to make Russia look like the perpetrator, planting exactly such hints is a tactic they might use. So there is no conclusive way to name the attacker here.
Interestingly, however, the attacks rely on victims running older, unpatched systems to gain initial access, along with operators who are not necessarily tech-savvy and who might fall for targeted phishing or plug in infected USB drives.
So infrastructure providers scramble to educate their employees, train new recruits about network-based attacks, and keep the whole system running smoothly in the meantime, which is no easy task. Luckily, these providers are also starting to engage security specialists who can help them get up to speed and tune their defenses accordingly.
In any case, there seems to be a generational knowledge gap in ICS. Many operators who are regarded as experts and run large systems went to college when there was no internet, let alone threats coming over the internet. Since many are nearing retirement, they see little incentive to learn about packets, ports, protocols and protecting systems that have been working smoothly for decades. They are probably at the top of their pay scale, so there is little financial incentive for them either.
But as they retire and new engineers, raised in the internet generation, replace the old guard, those engineers bring with them a new approach to keeping these systems safe.
By working together, we hope to bring the right tools and expertise to bear on the bigger job of keeping us all a bit safer, and with all our lights, water and industrial systems working fine for the long term.