Ukraine, Vermont Utility Cyberattacks Highlight Need for Robust ICS Security in 2017

2016 ended with reports from two electric utility organizations, on opposite sides of the world, of cyberattacks or malware infections. The first was the December 17, 2016 incident in which a substation at Pivnichna, Ukraine was cut off from the main power grid, causing outages in residential neighborhoods. Ukrenergo, the Ukrainian energy provider that operates the substation, said: “Among the possible causes of failure are considered hacking and equipment malfunction.”

The second was the report that a laptop used by Burlington Electric in Vermont, U.S. was infected with malware that the U.S. administration attributed to a Russian hacking operation it calls Grizzly Steppe. Although the laptop was not connected to the utility’s grid control systems and no interruption of power occurred, the infection raised alarms about the cyber security and safety of U.S. critical infrastructure.

Example of ICS Security Breach Lifecycle

In the case of the Vermont incident, the level of threat a single infected laptop represents was certainly not underplayed by politicians, one of whom commented: “This is a direct threat to Vermont and we do not take it lightly.”

While the politicians may not have had the full context, a single infected laptop can indeed be cause for serious concern. That is because critical infrastructure cyberattacks are often multi-stage, prolonged campaigns that begin in apparently innocuous ways, such as a malicious email attachment opened on an ordinary corporate computer.

While the December 2016 Ukraine cyberattack is still being analyzed, a somewhat similar attack on the Ukrainian electric system in December 2015 has been thoroughly studied. A well-written report on that earlier incident by Booz Allen Hamilton, “When the Lights Went Out: Ukraine Cyber security Threat Briefing”, highlights the 2015 attack’s complexity and duration as well as the high skill level of the attackers.

The report includes an attack walkthrough that identifies 17 steps:

  1. Reconnaissance and Intelligence Gathering - The attackers research the target organizations, their people and their systems.
  2. Malware Development and Weaponization - Malware (“BlackEnergy 3”) is developed or acquired and packaged for delivery.
  3. Deliver Remote Access Trojan (RAT) - Emails with malicious document attachments are sent to people in the organization, a technique known as phishing.
  4. Install RAT - Employees open the weaponized MS Office email attachments and enable macros, which install the RAT.
  5. The Corporate Network is Infected via an Employee Computer - The infected workstation gives the attackers their first foothold inside the corporate network.
  6. Establish Command and Control Connection - A connection is established between the compromised host on the target network and the attacker’s command and control (C2) server.
  7. Deliver Malware Plugins - The malware on the target network is updated with plugins that collect system access credentials and perform reconnaissance on the internal network.
  8. Harvest Credentials - Credentials are collected and network discovery occurs.
  9. Lateral Movement and Target Identification on Corporate Network - The corporate network is explored to discover potential targets and expand access. Stolen credentials are then used to reach the control network and perform reconnaissance there.
  10. The Industrial Control Network is Infected via Stolen Credentials - The attackers gain a presence on the control network using the legitimate credentials harvested earlier.
  11. Deliver Data Destructive Malware - Destructive software called KillDisk is installed on a network share, and a policy is set to execute it upon system reboot. This is timed to take place when the attacks on breakers occur.
  12. Schedule UPS Disruption - The Uninterruptible Power Supply (UPS), the backup power for telephone communication systems and data center systems, is scheduled to be taken offline.
  13. Trip Breakers - Native remote access tools and valid credentials are used to open breakers and disrupt the power supply in three distribution areas. Power is cut to over 225,000 customers.
  14. Sever Connection to Field Devices - Malicious firmware prepared earlier in the campaign is written to the serial-to-Ethernet converters, severing connections between the control center and the substations so the breakers cannot be remotely closed again.
  15. Telephone Denial of Service Attack - The telephone call center of one of the distribution companies is flooded with automated calls, preventing customers from reporting outages.
  16. Disable Critical Systems via UPS Outage - The previously scheduled outage of the UPS occurs, so that communication to remote sites, as well as the monitoring of power service, is disrupted.
  17. Destroy Critical System Data - The scheduled KillDisk attack executes on targeted machines across the corporate and ICS networks, making them inoperable and destroying critical data.


Source: When the Lights Went Out: Ukraine Cyber security Threat Briefing, Booz Allen Hamilton


Defending Against Advanced Threats Requires a Multi-Layered Approach

The 2015 Ukraine power outage demonstrated that corporate computers can be the entry point for an ICS cyberattack. So, while little is known about the malware found on the Burlington Electric laptop, it is rightly a situation to be taken seriously, and thankfully it has been in this case.

Protection against prolonged campaigns by advanced persistent threats (APTs), as the 2015 Ukraine attack was, requires a multi-layered approach: employee security awareness training, network segmentation between corporate and control networks, threat intelligence, strong passwords, multifactor authentication for remote access, and more. No single layer would have stopped the 2015 attack on its own; each one raises the cost of a step in the walkthrough above or improves the odds of detecting it.

One type of defense called out in the Booz Allen Hamilton report is the use of OT monitoring environments that capture and correlate events. Such tools “take advantage of the predictability in control system traffic by establishing a baseline of ICS network communications and conduct active monitoring for anomalies.” Because a control network normally carries the same conversations between the same hosts day after day, the new hosts, new connections and unusual commands that Steps 9 through 14 introduce stand out against that baseline. Nozomi Networks’ Guardian is an innovative product that does just that, and is an example of how advanced cyber security technology is an important part of providing safe and reliable power globally.
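To make the baseline-and-anomaly idea concrete, here is an added example in Python. It is not code from the original post and not Nozomi Networks’ product; it is a minimal illustration of the approach the report describes. From a learning window of flow records it learns which hosts talk to which, over which protocol and with which function codes, and which hosts ever issue writes; it then labels later flows that deviate. The hosts, IP addresses, Modbus function codes and traffic records are all constructed for the example, not data from the Ukraine incident.

```python
"""Baseline-and-anomaly monitor for control-system traffic (added example)."""
from collections import defaultdict

# Modbus/TCP function codes used in the constructed sample (assumption: a real
# deployment sees many more codes and protocols; four are enough to illustrate).
READ_COILS = 1
READ_HOLDING_REGISTERS = 3
WRITE_SINGLE_COIL = 5
WRITE_MULTIPLE_REGISTERS = 16
WRITE_FUNCS = {WRITE_SINGLE_COIL, WRITE_MULTIPLE_REGISTERS}


class IcsBaseline:
    """Learns normal (src, dst, proto, function) tuples, then flags deviations."""

    def __init__(self):
        self.hosts = set()             # every endpoint seen during learning
        self.pairs = set()             # (src, dst) conversations seen
        self.funcs = defaultdict(set)  # (src, dst, proto) -> function codes seen
        self.writers = set()           # hosts that issued write commands

    def learn(self, flows):
        for f in flows:
            self.hosts.update((f["src"], f["dst"]))
            self.pairs.add((f["src"], f["dst"]))
            self.funcs[(f["src"], f["dst"], f["proto"])].add(f["func"])
            if f["func"] in WRITE_FUNCS:
                self.writers.add(f["src"])

    def check(self, f):
        """Return an alert label for one flow, or None if it matches the baseline."""
        if f["src"] not in self.hosts:
            return "new_host"            # an endpoint that never spoke during learning
        if (f["src"], f["dst"]) not in self.pairs:
            return "new_conversation"    # known hosts, but this pair never talked
        if f["func"] in WRITE_FUNCS and f["src"] not in self.writers:
            return "unexpected_write"    # a host that only ever read is now writing
        if f["func"] not in self.funcs[(f["src"], f["dst"], f["proto"])]:
            return "new_function"        # known pair, function code never seen
        return None


def flow(src, dst, func, proto="modbus"):
    return {"src": src, "dst": dst, "proto": proto, "func": func}


# Constructed learning window: an HMI (10.0.1.10) polls two PLCs and an
# engineering workstation (10.0.1.11) occasionally writes setpoints to PLC-A.
# Repetition stands in for hours of steady polling.
LEARNING = [
    flow("10.0.1.10", "10.0.2.21", READ_HOLDING_REGISTERS),    # HMI -> PLC-A
    flow("10.0.1.10", "10.0.2.22", READ_HOLDING_REGISTERS),    # HMI -> PLC-B
    flow("10.0.1.10", "10.0.2.21", READ_HOLDING_REGISTERS),
    flow("10.0.1.11", "10.0.2.21", WRITE_MULTIPLE_REGISTERS),  # EWS -> PLC-A setpoint
    flow("10.0.1.11", "10.0.2.21", READ_HOLDING_REGISTERS),
] * 20

# Constructed detection window: one normal poll plus four deviations of the
# kind a lateral-movement and breaker-tripping phase would produce.
LIVE = [
    flow("10.0.1.10", "10.0.2.21", READ_HOLDING_REGISTERS),  # normal poll
    flow("10.0.1.10", "10.0.2.21", WRITE_SINGLE_COIL),       # HMI host starts writing
    flow("10.0.1.11", "10.0.2.22", READ_HOLDING_REGISTERS),  # EWS reaches PLC-B, never did
    flow("10.0.1.11", "10.0.2.21", READ_COILS),              # known pair, new function
    flow("10.0.5.77", "10.0.2.21", WRITE_SINGLE_COIL),       # unknown host writes a coil
]


def run_monitor(learning=LEARNING, live=LIVE):
    """Learn from the learning window, then classify each live flow."""
    baseline = IcsBaseline()
    baseline.learn(learning)
    return [(f["src"], f["dst"], f["func"], baseline.check(f)) for f in live]


if __name__ == "__main__":
    for src, dst, func, verdict in run_monitor():
        print(f"{src:>10} -> {dst:<10} func={func:<2} {verdict or 'baseline'}")
```

The checks are ordered from coarsest to finest so that the most alarming explanation wins: an unknown host writing to a PLC is reported as a new host rather than merely an unexpected write. A production monitor would learn over a much longer window, track timing and payload ranges as well as function codes, and age out stale entries, but the core idea is the same one the report describes: on a control network, anything not in the baseline deserves a look.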

If you would like to see how Nozomi Networks’ technology would have identified the Ukraine 2015 cyberattack, allowing early detection and mitigation, please contact us.