Learning from Ukraine’s power grid malware

Richard Piggin | 28 Jan 2016 | Comments

What lessons can we learn from the recent malware attack on Ukraine’s power grid? And what impact will governments, banks and insurers’ increasing focus on cyber risk have on organisations operating critical national infrastructure control systems?

On 23 December 2015, Ukrainian media reported a cyber-attack had left half the homes and 1.4 million people in the Ivano-Frankivsk region without electricity. Although services were restored within a few hours, this was largely due to manual intervention rather than by recovering compromised automation systems. Slovakian security firm ESET later reported that the initial incident was not isolated, and that multiple electricity companies had been affected simultaneously. Reuters also reported similar malware was found in Kiev's Boryspil airport, on IT networks which included air traffic control. Ukraine blamed Russia.

This incursion is one of a few confirmed against the grid, although no direct causal link has been established between the malware and the outage. However, previous events have caused physical harm, including Stuxnet (2010) which targeted the Iranian nuclear programme, and the German blast furnace destruction (2014).

While physical damage is rare, reconnaissance of the power grid has been widely reported before, with warnings of conventional retaliation made by the US. These prompted President Obama to order the development of the Cyber Security Framework for critical infrastructure.

ICS-CERT, the US Industrial Control Systems Computer Emergency Response Team, is working with Ukraine’s CERT-UA and has confirmed the presence of Black Energy 3 malware. The ICS-CERT alert is a further warning regarding an ongoing sophisticated malware campaign compromising Industrial Control Systems (ICS), dating back to 2011. Black Energy 2 (2014) used vulnerabilities in ICS products directly connected to the internet to deliver malware. It had reconnaissance functionality, without destructive modules deployed by the perpetrators. In contrast, the new Black Energy 3 variant appears to have been launched using a spear phishing campaign with a malicious Microsoft Office (MS Word) attachment. A further round of spear phishing attacks used a malicious Microsoft Excel macro, purporting to require a newer version of Microsoft Office in order to thwart security.

By comparison, the Havex malware targeted and compromised energy sector control systems in 2013 and 2014, using multiple infection routes including spear phishing, infected ICS software downloads from legitimate websites, and compromised industry websites. The malware was used for intelligence gathering. However, an unfortunate by-product from the adversary’s perspective was the noisy reconnaissance, which had the unintended consequence of causing a denial of service on the ICS communication servers.

Both the Havex Trojan and Black Energy perpetrators have been described as ‘sophisticated actors’. They also demonstrate a deep knowledge of industrial software and protocols in the development of ICS malware for reconnaissance, compromise and potentially physical damage.

Attribution and motivation can be problematic to ascertain, as some developing commentary suggests. However, publicly available evidence clearly demonstrates increasing risk, with the recent US ICS-CERT year in review highlighting a 20% increase in reported ICS cyber incidents last year. It also confirmed that cyber-attacks against manufacturing companies had doubled.

The increasing focus on cyber risk, incidents, and ICS vulnerabilities is bound to affect organisations operating control systems, and their stakeholders. Standard & Poor's Ratings Services has begun challenging banks on their cybersecurity readiness, even asking about board-level cyber expertise. Moody’s rating agency went so far as to issue a warning that it will consider cyber risk when setting company credit ratings, potentially making borrowing more expensive for higher-risk organisations, particularly utility suppliers. Insurers would be foolhardy not to follow suit, although whether an assessment could potentially deem an organisation uninsurable or make premiums more expensive is debatable.

All of these organisations are likely to demand evidence of an ICS-focused cyber security strategy, governance, supply chain management and appropriate risk-based measures to defend against cyber-attack. Most importantly, cyber events are inevitable, and well-developed incident response plans that enable rapid restoration of operations are essential.

So what measures might provide suitable evidence to third parties that ICS systems have appropriate protection measures?

Collaboration and information sharing are highly recommended via the UK Control Systems Information Exchanges and the Cyber-security Information Sharing Partnership (CiSP) to appreciate vulnerabilities, understand threats, learn from events and share good practice.

The UK CPNI has recently issued updated guidance on securing ICS, and there are more complex security standards that might be applicable. However, I suggest that a simpler approach is likely to be followed in the absence of suitable accreditation (such as a Cyber Essentials for ICS).

The Seven Steps to Effectively Defend Industrial Control Systems might be a starting point for manageable good practice, along with a defence-in-depth strategy. These steps describe strategies that would have detected or prevented ICS cyber incidents, illustrated using real events. Applying these strategies can dramatically improve security, and will serve as excellent evidence of ICS-specific cyber security. Similarly, the 10 basic cyber security measures developed for water utilities offer complementary guidance, with additional advice for successful programme implementation.