A malware attack on a Ukrainian electrical utility that cut power for several hours to 1.4 million people just before Christmas is a wake-up call to the industry, says the CIRO of a Canadian hydro supplier.
“It confirms our suspicions this sort of thing can happen,” Robert Wong, vice-president and chief information and risk officer at Toronto Hydro said in an interview today. “It it’s a call to action that we should take this thing very seriously and we need to act now and try to enhance our security postures.”
According to researchers at security vendor ESET, the Prykarpattya Oblenergo utility was the victim of the BlackEnergy trojan, which typically infects an enterprise through a phishing attack that carries a document with an infected Microsoft Word macro. From there malware would try to be used to find a way onto the utility’s SCADA (supervisory control and data acquisition) network, which controls electrical systems.
While it may come as a surprise that a Word macro could lead to the failure of a power grid, Wong says it can happen if a utility hasn’t separated its enterprise network from the electrical operational network.
This case, he added, might also speak to the security culture of the Ukrainian utility and lack of awareness training.
According to ESET, the malware package that hit the Ukrainian utility included a variant of the KillDisk virus that usually only denies the ability of a system to reboot, but in this case included functionality specifically intended to sabotage industrial systems.
“Firstly, it was possible to set a specific time delay after which the destructive payload was activated. Then, apart from the regular KillDisk functionality, it would try to terminate two non-standard processes: komut.exe and sec_service.exe. The second process, sec_service.exe, may belong to software called ELTIMA Serial to Ethernet Connector or to ASEM Ubiquity, a platform commonly used in Industrial Control Systems (ICS). If this process is found on the target system, the trojan will not only terminate it but will also overwrite its corresponding executable file on the hard drive with random data in order to make restoration of the system more difficult.”
While ESET researchers said the trojan they looked at was theoretically capable of causing a power outage it was also possible those attacking the Ukrainian utility also used BlackEnergy to remotely shut down critical systems.
Industries have known for some time about BlackEnergy. Two weeks before the Ukrainian power outage the U.S. industrial control systems cyber emergency response team (ICS-CERT) updated an earlier warning of the spread of a “sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments using a variant of the BlackEnergy malware.”
ICS-CERT first warned American industries about BlackEnergy going after industrial control systems in 2014. That campaign, it added, had started at least as far back as 2011. Products being targeted included devices from GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC with human-machine interfaces (HMI), some of which connect to the Internet.
Suspicions of the source of the attack against Prykarpattya Oblenergo have first fallen on Russia, which has recently had conflicts with Ukraine and sent troops into the country in 2014. Last year it annexed Crimea.
In 2014 a large number of government agencies and businesses in Ukraine and Poland were attacked by BlackEnergy.
According to ESET, the BlackEnergy trojan was first seen in 2007 when it was a vehicle for denial of service attacks. It has since evolved into a sophisticated piece of modern malware with a modular architecture that can be used for a variety of attacks. BlackEnergy version 2, which featured rootkit techniques, was documented by SecureWorks in 2010, and includes plug-ins for file infections, network discovery and remote code execution and data collection.
Few organizations have full visibility into their industrial control networks. Many use standard network security monitoring tools like Wireshark, or connect a SCADA firewall to create a virtual closed network. Network security appliances from vendors such as Palo Alto Networks, Attvio Networks, Radiflow and Sophos’ Cyberoam are increasingly available.
Next month an Israel-based startup called Indegy will release an appliance it says will also give visibility and analyze traffic in SCADA networks. “There are two layers an industrial facility needs to protect itself,” CEO Barak Perleman said in an interview today: The perimeter, to prevent malware getting in by conventional means over the Internet, and the industrial control/operations network. “You need visibility into the operations in the network,” he said. Security teams need to know if a computer in the network instructs an industrial controller to change its way of operation — to change the threshold temperature of a generator, or revolutions per minute of a turbine or oil pressure in a pumping station.
While network segregation is advisable, almost all of the companies Indegy has spoken to aren’t doing it, Perleman said, in part because today it’s almost impossible. “If you have distributed equipment across thousands of miles of pipeline or substations you don’t want to send a team to a remote location every time something happens. You want a centralized location to gather information. Everywhere we looked they say they separate, but actually they (only) install a firewall.”
“It’s still the case in North America utilities and industrial infrastructure are still more worried about insider threats and not malware originating from other states,” he added. If a foreign country launches an attack against the U.S., he said, these companies think it’s the responsibility of the Department of Homeland Security to protect them. Companies are only starting to realize they have a duty to protect themselves from outside attacks, Perleman said