Anti-Malware
,
Breach Response
,
Cybersecurity
Experts Detail Lessons Learned, SCADA Cybersecurity Inaction
Mathew J. Schwartz (euroinfosec) •
January 6, 2016
Power plant control room (Source:
Magnetic Rahim/Creative Commons)
Reports to date about the hack of Ukrainian energy supplier Prykarpattyaoblenergo last month have so far left many crucial questions unanswered. Who was responsible? Did malware directly trigger a three-hour blackout? Are other power suppliers are at risk from similar attacks (see Ukrainian Power Grid: Hacked)?
See Also: 2015 Financial Services Cybersecurity Agenda: An Inside Out Look at a New Risk Mitigation Approach
The Computer Emergency Response Team of Ukraine - CERT-UA - has confirmed to Information Security Media Group that that it is investigating the blackouts, which involved hackers gaining remote access to power production systems. The agency also confirms reports that the BlackEnergy espionage Trojan - and KillDisk wiper malware - infected systems of the hacked energy supplier, which suffered a three-hour electricity blackout on Dec. 23, after multiple electrical substations went offline, leaving about 1.4 million homes in the country's western Ivano-Frankivsk region without power. Ukrainian officials have blamed the blackout on Russia, but as yet released no evidence to back up that claim.
Multiple cybersecurity experts say that these are the questions they're now asking in the wake of the Ukrainian hack attack reports:
1. Who's Surprised?
Cybersecurity experts have warned for years that the supervisory control and data acquisition - SCADA - systems that provide remote control and monitoring of industrial environments are too often insecure, yet also Internet-connected and easy pickings for would-be hackers.
Indeed, a 2004 Congressional Research Service report - prepared for the U.S. Congress - includes warnings from industrial control system cybersecurity expert Joe Weiss that the industry desperately needs to develop and implement "firewalls, intrusion detection, encryption, and other technology" to safeguard control systems. Such systems are used in numerous industries, ranging from energy production and chemical plants to train networks and inside aircraft.
More than a decade later, however, Weiss says too little has been done, and that the industry continues to build, deploy and rely on systems that remain too easy for attackers to remotely exploit. "The real question," he says, is "why are people so unprepared for cyber threats to industrial infrastructures?"
Making such systems remotely controllable also hasn't led to increased security, warns Mark Weatherford, chief cybersecurity strategist for data security firm vArmour, and a former Deputy Undersecretary for Cybersecurity at the U.S. Department of Homeland Security, as well as CSO for NERC, the North American Electric Reliability Corp. "There are still too many control systems connected to the Internet," he says. "It's convenient and makes economic sense, but it's dumb from a security perspective." He urges anyone who's operating an Internet-connected ICS to "at least be monitoring egress attack paths to see what is leaving," as well as to plan "in advance" how they'll respond if they do suffer an attack.
2. Did Wiper Malware Directly Trigger Blackout?
What's still not yet known about the Ukraine hack, however, is exactly how the attack and the blackouts might be connected. So far, CERT-UA has confirmed a report from security firm ESET that BlackEnergy had been used to install wiper malware called KillDisk, a.k.a. Disakil, which is designed to delete computer hard drives and leave systems unbootable.
"I am still trying to piece this together," says Dublin-based information security consultant Brian Honan, who is a cybersecurity adviser to the association of European police agencies known as Europol. "We have reports of a power outage and reports of systems being infected with a computer virus, but no connection - at least a publicly acknowledged one - that the two are related. In other words, how would a wiper-type virus stop the station from producing power?"
3. Did Attackers Blend Techniques?
Michael Assante, formerly a CSO at NERC, says in a Jan. 5 SANS Institute newsletter that attackers likely blended multiple techniques to trigger and extend the disruption. "A file-wiper function can certainly disrupt the SCADA system, but that alone does not account for the outage," he says. "We suspect an attacker manually interacted with an infected machine, like an HMI - human-machine interface - to command breakers to open," although adds that this is still just a theory. "The wiper function could then have been used to extend the outage by denying the SCADA system, but the impacted Ukrainian utility was still capable of resorting to manual operations to re-close breakers and energize their system."
He also referenced reports that the Ivano-Frankivsk region suffered a cellular telephone network denial-of-service attack at the same time as the power outages. Such an attack could have prevented energy operators from remotely controlling the affected systems as well as coordinating their response.
"The Ukraine has had power grid reliability problems in the past, so that probably means they were dependent on remote access," Weiss says, noting that such remote access may be provided just not via the Internet, but also via cellular networks.
4. Was Ukraine Attack Targeted?
What's also unclear is whether attackers were directly targeting the Ukrainian power supplier. "Was this a targeted attack, or did some systems get infected in some way? If so how?" Honan asks. "Were the infected systems Internet-connected? If so why? Are there other power stations around the world running similar infrastructure that should take lessons from this?"
If BlackEnergy malware - or another piece of malware that the Trojan loaded onto infected systems - was used to disrupt energy generation systems, it would represent an escalation in the types of attacks that have been seen targeting energy firms (see Hackers Target Energy Firms). "Until now, BlackEnergy has focused on exfiltrating information, not infrastructure impact," Weiss says. He also cautions that such malware "targets Siemens and GE systems," meaning it could be used to disrupt more than just power providers.
5. Why Does Industry Still Lack Forensics?
One complicating factor when investigating these types of outages, however, is that too many control systems still lack any kind of logging or digital-forensic review capabilities, Weiss says. "There have been many demonstrations of vulnerabilities in control systems and there have been many control system incidents - attacks and unintentional incidents. But we have minimal control system forensics when you get below the Windows/IP layer," he says. "So ... if the lights go out, you don't necessarily know if you've been hacked."
6. Was Hack a Military Test?
While the Ukrainian blackout might seem like a nuisance-level type of attack - no one was reportedly injured, nothing exploded - SANS Institute director of research Alan Paller says that such disruptions have military applications. "Cyber weapons can be pre-positioned inside power companies to do the job of a missile, before a nation even knows it is under attack," he writes in the Jan. 5 SANS newsletter. "Once power and communications are disabled, a country's ability to coordinate defense and mount counterattacks is severely disabled."
7. Will Government Agencies Do Something?
But those risks have long been known, Weiss says, and regularly detailed to the likes of Congress and the U.S. Department of Energy and Department of Homeland Security. "Obviously, DOE and DHS haven't been very successful at improving the cybersecurity of the electric grid, because our grids and other critical infrastructure are still really vulnerable, and there have been more than 250 actual control system cyber incidents to date," Weiss says. "And are [those systems] vulnerable to BlackEnergy? Yes."
8. Will ICS Vendors Improve Their Security?
If government agencies have been ineffective, Weiss says ICS providers and users often fail to identify many incidents as being cyber-related, as well as to eliminate simple flaws from their products. This week, for example, researchers presenting at the Chaos Communication Congress in Hamburg released the latest version of SCADAPass, which details hardcoded and known passwords in 100 different ICS and SCADA products - including switches, controllers, programmable logic controllers, Web servers, wireless management stations - from such manufacturers as B&B Electronics, Emerson, Rockwell Automation, Samsung, Schneider Electric and Siemens.
Special #SCADAPASS #32C3 Release. Please contribute. Vendors! Don't use default passwords in industrial systems. https://t.co/ed7RtCkDhl
Last month, meanwhile, DHS warned that multiple Schneider Electric PLC products have a zero-day vulnerability that attackers could remotely exploit to take control of the devices. The devices are used in numerous different types of environments, including power plants, nuclear reactors, and for water and wastewater treatment.
9. What Will Trigger Changes?
If government agencies have so far proven to be ineffective at helping bring about ICS security, Weiss says there's hope from another source: ratings services (see Moody's Warns Cyber Risks Could Impact Credit Ratings).
"Moody's and Standard and Poor's and the insurance companies are beginning to realize that cyber risks to critical infrastructure can be very significant," Weiss says.
But he adds that too often, DHS has done too little, citing the example of the recently revealed 2013 hack attack against a dam in Rye, New York, in which Iranian hackers reportedly gained access to the dam's flood gates, although failed to gain access to the full control system.
"DHS had not disclosed this information to the city of Rye for more than a year," Weiss says. "The system is broken."