This article was updated on October 10, 2019.
Recent industrial security news has focused on Industroyer (also known as CrashOverride or Win32/Industroyer). Not since Stuxnet has the world seen advanced malware that was designed and deployed to disrupt physical infrastructure, notably power grids. Industroyer is believed to have been used in attacks on Ukraine on December 17, 2016, which shut down electrical power to a large area of its capital city, Kiev.
Industroyer employs industrial communication protocols used worldwide in power supply infrastructure to directly control electricity substation switches and circuit breakers. It is concerning because it uses protocols in the way they were designed to be used, making it, at a high level, hard to detect and mitigate. Furthermore, it is designed as a toolset with configurable payloads, which, in the hands of a capable attacker, could be adapted for multiple environments.
Fortunately, advanced ICS intrusion detection is available that would both identify this type of malware’s presence and help protect against its impacts. Let’s examine the phases of the Industroyer campaign and how anomaly detection and rule capabilities work together to defend against this threat.
The Three Main Phases of the Industroyer Malware Campaign
Like other advanced persistent threats, Industroyer goes through multiple steps to achieve its goals. Its three main phases are:
| Phase | Description |
|---|---|
| Phase 1 - Infection | In this phase Industroyer is not specific to ICS. It establishes itself on a network and uses backdoors to beacon out to an external Command and Control Server (C&C). Once contact has been made, commands from the C&C direct Phases 2 and 3 of the attack. |
| Phase 2 - Discovery | Industroyer works to learn about the network and control system of the infected power grid, sending commands using four standard industrial protocols. It maps the host environment and identifies key targets, enabling the threat actors to design an attack tailored to harm a specific environment. |
| Phase 3 - Attack | In this phase the malware can directly control the switches and circuit breakers of substations in its host environment. Once it has achieved its objective, a Data Wiper module makes machines unusable and helps cover the tracks of the attackers. |
Industroyer / CrashOverride Mitigation and Remediation
Nozomi Networks Guardian utilizes a layered approach of anomaly detection and rule analysis to quickly discover Industroyer at all three of its attack phases.
1. Anomaly Detection
Anomaly detection is a foundational capability of Guardian. It involves the product’s ability to learn normal network and process behavior and detect suspicious activity. During Phase 1, Guardian would identify that Industroyer was trying to connect to a public IP address and generate an alarm that would be visible on dashboards and in email alerts.
Phase 2 is when Industroyer engages in the learning that is critical for achieving its objective. Guardian excels here by quickly identifying any changes in standard communication behavior.
For example, it would detect unusual OPC traffic as Industroyer uses it to scan all devices on the network. It would also identify systems using the protocols that have not done so before, and new network flows using them. This gives the ICS practitioner the opportunity to implement remediation actions immediately.
Because of alerts provided in Phases 1 and 2, ideally action would be taken that would prevent Phase 3. However, if the attack does proceed to this level, Guardian would assist by rapidly detecting irregular commands to switches or circuit breakers. This would allow security or operations staff to implement new firewall rules to stop further attack commands.
Alternatively, through integration with a firewall such as Fortinet’s FortiGate, once Guardian detects nefarious commands, it can automatically trigger the implementation of rules that block the attack.
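The baseline-then-deviation logic described for Phases 1 and 2 above, as an added example that is not Nozomi Networks' or Guardian's code: it learns which hosts speak which protocols during a clean window, then flags connections to addresses outside an assumed 10.0.0.0/8 OT range, hosts newly using an ICS protocol, new ICS flows, and per-protocol fan-out beyond the baseline (the scan-like OPC behaviour mentioned above). Flow records, addresses and all protocol labels other than OPC are constructed.

```python
"""Baseline-then-deviation flow monitor illustrating the anomaly-detection
ideas in this post. Added example, not Guardian code; all data is constructed."""
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst proto")
ICS_PROTOCOLS = {"opc", "iec104", "iec61850"}          # "opc" is from the post; others assumed
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed OT address space

def is_external(ip):
    """Phase 1 indicator: destination outside every known internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def learn_baseline(flows):
    """Learning window: distinct (src, dst, proto) tuples, which hosts spoke each
    ICS protocol, and each host's per-protocol fan-out (number of distinct peers)."""
    known = set(flows)
    speakers = {(f.src, f.proto) for f in known if f.proto in ICS_PROTOCOLS}
    fanout = Counter((f.src, f.proto) for f in known if f.proto in ICS_PROTOCOLS)
    return known, speakers, fanout

def detect(baseline, flows):
    """Return (reason, flow) alerts for deviations from the learned baseline."""
    known, speakers, fanout = baseline
    alerts, seen_dsts = [], {}                 # seen_dsts: (src, proto) -> peers this window
    for f in flows:
        if is_external(f.dst):                 # Phase 1: beaconing to an outside address
            alerts.append(("external-destination", f))
            continue
        if f.proto not in ICS_PROTOCOLS:
            continue
        key = (f.src, f.proto)
        if key not in speakers:                # Phase 2: host never used this protocol before
            alerts.append(("new-ics-speaker", f))
            continue
        if f not in known:                     # Phase 2: known speaker talking to a new peer
            alerts.append(("new-ics-flow", f))
        peers = seen_dsts.setdefault(key, set())
        peers.add(f.dst)
        if len(peers) == fanout[key] + 1:      # Phase 2: fan-out just exceeded baseline (scan-like)
            alerts.append(("ics-fanout-exceeded", f))
    return alerts

# Constructed clean window: one poller reaching two RTUs over IEC 104, one OPC client.
BASELINE_FLOWS = [Flow("10.0.1.10", "10.0.2.20", "iec104"), Flow("10.0.1.10", "10.0.2.21", "iec104"),
                  Flow("10.0.1.11", "10.0.2.20", "opc")]
# Constructed live window: normal poll, outbound beacon, OPC sweep, workstation newly speaking OPC.
LIVE_FLOWS = [Flow("10.0.1.10", "10.0.2.20", "iec104"), Flow("10.0.1.50", "198.51.100.7", "https"),
              Flow("10.0.1.11", "10.0.2.21", "opc"), Flow("10.0.1.11", "10.0.2.22", "opc"),
              Flow("10.0.1.50", "10.0.2.20", "opc")]

def run_example():
    return detect(learn_baseline(BASELINE_FLOWS), LIVE_FLOWS)

if __name__ == "__main__":
    for reason, flow in run_example():
        print(f"ALERT {reason}: {flow.src} -> {flow.dst} ({flow.proto})")
```

In a real deployment the baseline window must itself be verified clean, since anything learned during an infection becomes "normal".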
2. Yara Rules
Yara rules are a repository of malware signatures that has been built by an open community of global IT researchers. Guardian embeds this knowledge into its platform, allowing it to learn and advance as fast as the collective body does. At this time, Guardian includes five Yara rules that identify specific files associated with Industroyer in Phases 1 and 3. If these files are identified on a network, alarms are generated.
3. Assertions
Assertions are a rule-building and querying capability in Guardian that allow the detection of data and specific events parsed from a stream of network traffic. They are an adaptive way to recognize subtle changes in device behavior and they allow operators to be as proactive as possible in a changing threat landscape. Assertions could be used in Phases 1 and 3 to identify Industroyer.
The use of assertions, in combination with Guardian’s anomaly detection and Yara rules, is a powerful way for ICS practitioners to identify and mitigate advanced threats like Industroyer.
Improving ICS Cyber Security with Anomaly Detection and Rules
Increasing cyber threats from malware like Industroyer are driving power generation, substation and electric grid operators to improve the resiliency of their systems with enhanced ICS cyber security programs and strategies. When considering how to prevent and improve remediation of advanced malware attacks, know that comprehensive intrusion detection is included in Guardian.
Its anomaly detection identifies increased or variable usage of the specific protocols appropriated by Industroyer as compared to baselines established for an environment. It also identifies systems using these protocols that have not done so before, and identifies new network flows using them.
Yara rules are embedded into Guardian and can be leveraged to provide a high level of confidence regarding Industroyer infection and may be more reliable than using other indicators of compromise (IOCs).
Finally, the product’s assertions capability gives operators of power systems a powerful, flexible and fast way to check data flows for unusual traffic and irregular behavior.
To help you defend your systems against Industroyer / CrashOverride, two resources are available:
1. Nozomi Networks “Industroyer Mitigation Brief”
This brief explains:
3 main phases of Industroyer
How anomaly detection mitigates impacts
What Yara rules are and how they help
How “assertions” facilitate threat hunting
How real-time ICS monitoring provides cyber resiliency
2. White Paper “Improving ICS Cyber Security for Substations and Power Grids”
Real-time ICS Anomaly Detection and Operational Visibility Use Cases
Read this paper to learn:
Power grid cyber security technical challenges
Sample architectures for cyber resiliency
Cyber security use cases
Operational visibility use cases
How ICS anomaly detection improves cyber security
- Blog: Advancing IEC Standards for Power Grid Cyber security
- ESET Report: WIN32/INDUSTROYER: A New Threat for Industrial Control Systems
- Dragos Report: CRASHOVERRIDE: Analysis of the Threat to Electrical Operations
- Solution Overview: Nozomi Networks
- Data Sheet: Guardian
- Fortinet Video: Understanding Industrial IoT Demo (excellent 6:40 minute video, Nozomi Networks’ solution is described starting at 1:50)
Heather MacKenzie, ICS Security Specialist, Nozomi Networks
Heather MacKenzie has worked in the field of industrial cyber security since 2008, authoring over 150 articles and multiple white papers on the subject. She is passionate about helping IT/OT teams responsible for ICS networks understand their cyber risks, and how to use operational visibility and cyber security tools to build resiliency. As ICS Security Specialist at Nozomi Networks, Heather is actively working to protect the world’s critical infrastructure and manufacturing from cyber threats.