Ukraine, Vermont Utility Cyberattacks Highlight Need for Robust ICS Security in 2017

Date: Jan 2, 2017 By: Heather MacKenzie

2016 ended with reports of 2 electric utility organizations, on different sides of the world, citing cyberattacks or cyber infections. The first was the December 17, 2016 incident where a substation in Pivnichna, Ukraine was cut off from the main power grid, causing power outages to residential neighborhoods. Ukrenergo, a Ukrainian energy provider, said “Among the possible causes of failure are considered hacking and equipment malfunction.”

The second was the report that a laptop used by Burlington Electric in Vermont, U.S. was infected by malware attributed by the U.S. administration to a Russian hacking operation called Grizzly Steppe. Although the laptop was not connected to the utility’s grid system and no power system interruption occurred, the infection raised alarms about the cybersecurity and safety of U.S. critical infrastructure.

Example of ICS Security Breach Lifecycle

In the case of the Vermont utility incident, the level of threat a single infected laptop represents was certainly not underplayed by politicians who made comments like “This is a direct threat to Vermont and we do not take it lightly.”

While the politicians may not understand the full context, a single infected laptop can indeed represent a situation of high concern. That’s because critical infrastructure cyberattacks can be multi-faceted, prolonged campaigns that start in apparently innocuous ways.

While the December 2016 Ukraine cyberattack is still being analyzed, a somewhat similar December 2015 attack on the Ukraine electric system has been thoroughly studied. A well written report summarizing the earlier incident by Booz Allen Hamilton, “When the Lights Went Out: Ukraine Cybersecurity Threat Briefing”, highlights the 2015 attack’s complexity and duration as well as the high skill level of the attackers.

The report includes an attack walkthrough that identifies 17 steps:

STEPNAMEDESCRIPTIONLOCATION
1Reconnaissance and Intelligence GatheringThreat actors likely begin intelligence gathering on the target organization(s) from public sources.External Infrastructure
2Malware Development and WeaponizationMalware (“BlackEnergy 3”) is developed or acquired. Includes creating weaponized documents used to deliver the malware via email.External Infrastructure
3Deliver Remote Access Trojan (RAT) Emails with malicious document attachments are sent to people in the organization, a technique known as phishing.Corporate Network
4Install RATEmployees open the weaponized MS Office email attachments and enable macros. The malware is installed on the systems of 3 Ukrainian electricity distributors.Corporate Network

arrow

The Corporate Network is Infected via an Employee Computer

arrow

STEPNAMEDESCRIPTIONLOCATION
5Establish Control and Command ConnectionA connection is established between the target network and the attacker’s command and control (CC) server.Corporate Network
6Deliver Malware PluginsThe malware on the target network is updated to include plugin software to collect system access credentials and do reconnaissance activity on the internal network.Corporate Network
7Harvest CredentialsCredentials are collected and network discovery occurs.Corporate Network
8Lateral Movement and Target Identification on Corporate NetworkThe corporate network is explored to discover potential targets and expand access.Corporate Network
9Lateral Movement and Target Identification on ICS NetworkStolen credentials are used to access the control network and then do reconnaissance work on this network.ICS Network

arrow
The Industrial Control Network is Infected Via Stolen Credentials

arrow

STEPNAMEDESCRIPTIONLOCATION
10Develop Malicious FirmwareSoftware called firmware is developed to impact a component of the ICS network called serial-to-Ethernet converters.External Infrastructure
11Deliver Data Destructive Malware
Destructive software called KillDisk malware is installed on the network share and a policy is set to execute upon system reboot. This will take place when attacks on breakers occur.Corporate and ICS Network
12Schedule UPS DisruptionThe Uninterruptible Power Source (UPS), or backup power for telephone communication systems and data center systems is scheduled to be taken offline.Corporate and ICS Network
13Trip BreakersNative Remote Access and valid credentials are used to open breakers and disrupt the power supply within 3 distribution areas.ICS Network

arrow
Power is Disrupted to over 225,000 Customers

arrow

STEPNAMEDESCRIPTIONLOCATION
14Sever Connection to Field Devices
The firmware developed in Step 10 is delivered to the serial-to-Ethernet converters and connections between the control center and the substations are severed.ICS Network
15Telephone Denial of Service AttackThe telephone call center at one of the distributors is overwhelmed with automated calls, preventing customers from reporting outages.Corporate Network
16Disable Critical Systems Via UPS OutageThe previously scheduled outage of the UPS occurs, so that communication to remote sites, as well as the monitoring of power service, is disrupted.Corporate Network
17Destroy Critical System DataThe scheduled KillDisk malware attack is executed on targeted machines across the corporate and ICS networks, making them inoperable and destroying critical data.Corporate and ICS Network

Summary of the Attack Steps Taken to Cause the 2015 Ukraine Power Outage
Source: When the Lights Went Out: Ukraine Cybersecurity Threat Briefing, Booz Allen Hamilton

 

Defending Against Advanced Threats Requires a Multi-Layered Approach

The 2015 Ukraine power outage demonstrated that corporate computers can be the entry points for ICS cyberattacks. Therefore, while we do not know much about the malware found on the laptop of Burlington Electric, it is rightly a situation to be taken seriously, which thankfully has been done in this case.

Protection from prolonged attacks involving Advanced Persistent Threats, as the 2015 Ukraine attack was, require a multi-layered approach involving things like employee security awareness training, network segmentation, threat intelligence, strong passwords, multifactor authentication for remote access and more.

One type of defense that was called out in the Booz Allen Hamilton report is the use of OT monitoring environments that capture and correlate events. Such tools “take advantage of the predictability in control system traffic by establishing a baseline of ICS network communications and conduct active monitoring for anomalies.” Nozomi Networks’ SCADAguardian is an innovative product that does just that, and is an example of how advanced cybersecurity technology is an important part of providing safe and reliable power globally.

If you would like to see how Nozomi Networks’ technology would have identified the Ukraine 2015 cyberattack, allowing early detection and mitigation, please contact us.

Related Links

Ukraine and Vermont Cyberattacks

Nozomi Networks’ Real-time Cybersecurity and Visibility Solution

Tagged , , , , , , , , ,