Defending Against Industroyer with ICS Anomaly Detection

Date: June 29, 2017 By: Heather MacKenzie

Recent industrial security news has focused on Industroyer (also known as CrashOverride or Win32/Industroyer). Not since Stuxnet has the world seen an advanced malware that was designed and deployed to disrupt physical infrastructure, notably power grids. Industroyer is believed to have been used in attacks on Ukraine that took place on December 17, 2016 that shut down electrical power to a large area of its capital city, Kiev.

Industroyer employs industrial communication protocols used worldwide in power supply infrastructure to directly control electricity substation switches and circuit breakers. It is concerning because it uses protocols in the way they were designed to be used, making it, at a high level, hard to detect and mitigate. Furthermore, it is designed as a toolset with configurable payloads, which, in the hands of a capable attacker, could be adapted for multiple environments.

Fortunately, advanced ICS intrusion detection is available that would both identify this type of malware’s presence and help protect against its impacts. Let’s examine the phases of the Industroyer campaign and how anomaly detection and rule capabilities work together to defend against this threat.

Industroyer / CrashOverride directly controls substation switches and circuit breakers. It is the second known malware, after Stuxnet, designed to disrupt physical infrastructure.

The Three Main Phases of the Industroyer Malware Campaign

Like other advanced persistent threats, Industroyer goes through multiple steps to achieve its goals. Its three main phases are:

Phase 1 - Infection: In this phase Industroyer is not specific to ICS. It establishes itself on a network and uses backdoors to beacon out to an external Command and Control Server (C&C). Once contact has been made, commands from the C&C direct Phases 2 and 3 of the attack.
Phase 2 - Discovery: Industroyer works to learn about the network and control system of the infected power grid, sending commands using four standard industrial protocols. It maps the host environment and identifies key targets, enabling the threat actors to design an attack tailored to harm a specific environment.
Phase 3 - Attack: In this phase the malware can directly control the switches and circuit breakers of substations in its host environment. Once it has achieved its objective, a Data Wiper module makes machines unusable and helps cover the tracks of the attackers.

Industroyer / CrashOverride Mitigation and Remediation

Nozomi Networks’ SCADAguardian utilizes a layered approach of anomaly detection and rule analysis to quickly discover Industroyer at all three of its attack phases.

1. Anomaly Detection

Anomaly detection is a foundational capability of SCADAguardian. It involves the product’s ability to learn normal network and process behavior and detect suspicious activity. During Phase 1, SCADAguardian would identify that Industroyer was trying to connect to a public IP address and generate an alarm that would be visible on dashboards and in email alerts.

Phase 2 is when Industroyer engages in the learning that is critical for achieving its objective. SCADAguardian excels here by quickly identifying any changes in standard communication behavior.

For example, it would detect unusual OPC traffic as Industroyer uses it to scan all devices on the network. It would also identify systems using these protocols that have not done so before, and new network flows using them. This gives the ICS practitioner the opportunity to implement remediation actions immediately.

Because of the alerts provided in Phases 1 and 2, ideally action would be taken that prevents Phase 3. However, if the attack does proceed to this level, SCADAguardian would assist by rapidly detecting irregular commands to switches or circuit breakers. This would allow security or operations staff to implement new firewall rules to stop further attack commands.

Alternatively, through integration with a firewall such as Fortinet’s FortiGate, once SCADAguardian detects nefarious commands, it can automatically trigger the implementation of rules that block the attack.

Detect and mitigate advanced ICS threats with a real-time cybersecurity and visibility solution that includes anomaly detection, YaraRules and assertions capabilities.

2. YaraRules

YaraRules is a repository of malware samples that has been built by an open community of global IT researchers. SCADAguardian embeds this knowledge into its platform, allowing it to learn and advance as fast as the collective body does. At this time, SCADAguardian includes five YaraRules that identify specific files associated with Industroyer in phases 1 and 3. If these files are identified on a network, alarms are generated.

3. Assertions

Assertions are a rule building and querying capability in SCADAguardian that allow the detection of data and specific events parsed from a stream of network traffic. They are an adaptive way to recognize subtle changes in device behavior and they allow operators to be as proactive as possible in a changing threat landscape. Assertions could be used in Phases 1 and 3 to identify Industroyer.

The use of assertions, in combination with SCADAguardian’s anomaly detection and YaraRules, is a powerful way for ICS practitioners to identify and mitigate advanced threats like Industroyer.
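The learn-then-detect behaviour described in the anomaly detection section above (public-IP beaconing in Phase 1, new hosts, new flows and volume changes on ICS protocols in Phase 2, unseen control commands in Phase 3) and the operator-written rules described under assertions can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not SCADAguardian code and does not reflect how that product is implemented. All hosts, addresses, flow records and command names are constructed for the example. Of the protocol labels, only OPC is named in the post; IEC 104 is one of the other protocol modules documented in public analyses of Industroyer.

```python
"""Added example (not Nozomi Networks / SCADAguardian code): a minimal
learn-then-detect baseline over constructed flow records, covering the
three phases described in the post, plus a few hand-written assertions."""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Protocols treated as ICS traffic. The post names OPC; IEC 104 is another
# protocol module publicly documented for Industroyer.
ICS_PROTOS = {"opc", "iec104"}

# Operator-defined internal ranges (constructed). Anything outside them is
# "public" for the purposes of the Phase 1 beaconing check.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed host roles used by the sample traffic and the assertions.
HMI, RELAY_A, RELAY_B = "10.0.0.10", "10.0.1.20", "10.0.1.21"


@dataclass(frozen=True)
class Flow:
    src: str        # source IP
    dst: str        # destination IP
    proto: str      # application protocol label ("opc", "iec104", "dns", ...)
    cmd: str = ""   # parsed control command; empty for non-ICS traffic


def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


class Baseline:
    """Learns what 'normal' looks like, then flags departures from it."""

    def __init__(self) -> None:
        self.flows = set()            # (src, dst, proto) triples seen
        self.hosts_by_proto = {}      # proto -> set of source hosts
        self.commands = set()         # (dst, cmd) pairs seen
        self.rate = Counter()         # (src, proto) -> flows in learning window

    def learn(self, flow: Flow) -> None:
        self.flows.add((flow.src, flow.dst, flow.proto))
        self.hosts_by_proto.setdefault(flow.proto, set()).add(flow.src)
        if flow.cmd:
            self.commands.add((flow.dst, flow.cmd))
        self.rate[(flow.src, flow.proto)] += 1

    def check(self, flow: Flow, window_count: int = 1, burst_factor: int = 3) -> list:
        """Return alert strings for one observed flow; window_count is how many
        flows like this one were seen in the current observation window."""
        alerts = []
        # Phase 1: an internal host talking to an address outside the plant.
        if is_internal(flow.src) and not is_internal(flow.dst):
            alerts.append(f"phase1: {flow.src} contacted public IP {flow.dst}")
        # Phase 2: new hosts, new flows, or a burst of an ICS protocol.
        if flow.proto in ICS_PROTOS:
            if flow.src not in self.hosts_by_proto.get(flow.proto, set()):
                alerts.append(f"phase2: {flow.src} never used {flow.proto} before")
            elif (flow.src, flow.dst, flow.proto) not in self.flows:
                alerts.append(f"phase2: new {flow.proto} flow {flow.src}->{flow.dst}")
            learned = self.rate[(flow.src, flow.proto)]
            if learned and window_count > burst_factor * learned:
                alerts.append(f"phase2: {flow.proto} from {flow.src}: "
                              f"{window_count} flows vs {learned} in baseline")
        # Phase 3: a control command never seen for that device.
        if flow.cmd and (flow.dst, flow.cmd) not in self.commands:
            alerts.append(f"phase3: unseen command {flow.cmd!r} to {flow.dst}")
        return alerts


# Assertions: explicit operator rules evaluated on parsed traffic, independent
# of the learned baseline. Each is (description, predicate that must hold).
ASSERTIONS = [
    ("only the HMI may send control commands", lambda f: not f.cmd or f.src == HMI),
    ("OPC never leaves the plant network", lambda f: f.proto != "opc" or is_internal(f.dst)),
]


def run_assertions(flow: Flow) -> list:
    return [desc for desc, holds in ASSERTIONS if not holds(flow)]


# Constructed learning traffic: the HMI polls two relays; a workstation does DNS.
LEARNING = [
    Flow(HMI, RELAY_A, "iec104", cmd="read_status"),
    Flow(HMI, RELAY_B, "iec104", cmd="read_status"),
    Flow(HMI, RELAY_A, "opc"),
    Flow("10.0.0.50", "10.0.0.2", "dns"),
]

# Constructed observation traffic mirroring the three phases.
OBSERVED = [
    Flow("10.0.0.50", "10.0.0.2", "dns"),                       # normal
    Flow("10.0.0.50", "203.0.113.7", "https"),                  # phase 1 beacon
    Flow("10.0.0.50", RELAY_A, "opc"),                          # phase 2: new host on OPC
    Flow(HMI, RELAY_B, "opc"),                                  # phase 2: new flow
    Flow("10.0.0.50", RELAY_A, "iec104", cmd="open_breaker"),   # phase 3
]


def build_baseline() -> Baseline:
    baseline = Baseline()
    for flow in LEARNING:
        baseline.learn(flow)
    return baseline


def run_detector() -> dict:
    """Map each anomalous observed flow to the alerts raised for it."""
    baseline = build_baseline()
    report = {}
    for flow in OBSERVED:
        hits = baseline.check(flow) + [f"assertion failed: {d}" for d in run_assertions(flow)]
        if hits:
            report[(flow.src, flow.dst, flow.proto)] = hits
    return report


if __name__ == "__main__":
    for key, hits in run_detector().items():
        print(key, *hits, sep="\n  ")
```

The baseline check and the assertions deliberately overlap on the final flow: the learned model flags an unknown host and an unseen command, while the assertion flags it on a fixed rule that does not depend on what was learned. That redundancy is the point of layering anomaly detection with rules, since a baseline learned during an already-compromised period would otherwise accept the attacker's traffic as normal.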

Improving ICS Cybersecurity with Anomaly Detection and Rules

Increasing cyber threats from malware like Industroyer are driving power generation, substation and electric grid operators to improve the resiliency of their systems with enhanced ICS cybersecurity programs and strategies. When considering how to prevent and improve remediation of advanced malware attacks, know that comprehensive intrusion detection is included in SCADAguardian.

Its anomaly detection identifies increased or variable usage of the specific protocols appropriated by Industroyer as compared to baselines established for an environment. It also identifies systems using these protocols that have not done so before, and identifies new network flows using them.

YaraRules are embedded into SCADAguardian and can be leveraged to provide a high level of confidence regarding Industroyer infection and may be more reliable than using other indicators of compromise (IOCs).

Finally, the product’s assertions capability gives operators of power systems a powerful, flexible and fast way to check data flows for unusual traffic and irregular behavior.

To help you defend your systems against Industroyer / CrashOverride, two resources are available:

1. Nozomi Networks “Industroyer Mitigation Brief”


This brief explains:
3 main phases of Industroyer
How anomaly detection mitigates impacts
What YaraRules are and how they help
How “assertions” facilitate threat hunting
How real-time ICS monitoring provides cyber resiliency

2. White Paper “Improving ICS Cybersecurity for Substations and Power Grids”

Real-time ICS Anomaly Detection and Operational Visibility Use Cases

Read this paper to learn:
Power grid cybersecurity technical challenges
Sample architectures for cyber resiliency
Cybersecurity use cases
Operational visibility use cases
How ICS anomaly detection improves cybersecurity
