ESET researchers have been analyzing samples of dangerous malware (detected by ESET as Win32/Industroyer, and named “Industroyer”) capable of performing an attack on power supply infrastructure. The malware was likely involved in the December 2016 cyberattack on Ukraine’s power grid that deprived part of its capital, Kiev, of power for over an hour.
“The recent attack on the Ukrainian power grid should serve as a wake-up call for all those responsible for the security of critical systems around the world,” warns ESET Senior Malware Researcher Anton Cherepanov.
ESET researchers discovered that Industroyer is capable of directly controlling electricity substation switches and circuit breakers. It uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure. The potential impact may range from simply turning off power distribution, triggering a cascade of failures, to more serious damage to equipment.
“Industroyer’s ability to persist in the system and to directly interfere with the operation of industrial hardware makes it the most dangerous malware threat to industrial control systems since the infamous Stuxnet, which successfully attacked Iran’s nuclear program and was discovered in 2010,” concludes Cherepanov.
Additional technical details on the malware and analysis can be found in an article and in a white paper on ESET’s blog, WeLiveSecurity.com.
Cybersecurity experts from Imperva and Tripwire commented on the threat:
Terry Ray, chief product strategist for Imperva said:
We are beginning to see an uptick in infrastructure attacks, and in the case of Industroyer, the attackers seem to have extensive knowledge about industrial control protocols. Since the industrial controls used in the Ukraine are the same in other parts of Europe, the Middle East and Asia, we could see more of these attacks in the future. And while these attackers seem to be content to disrupt the system, it’s not outside the realm of possibility that they could take things a step further and inflict damage to the systems themselves.
While ICS are used heavily in energy and water, both certainly critical infrastructure, they are also used in large-scale automation, which can include manufacturing, shipping, aerospace and other industries that should also take note of such exploits.
Many of these industrial control systems have been in operation for years with little or no modification (no anti-virus updates or patches). This leaves them open to a wide range of cyber threats. It is therefore imperative that we find alternative measures to manage the risk.
Paul Edon, director of international customer services for Tripwire said:
Historically, industrial networks have used air-gap and diode-based architectures to defend against the risks associated with corporate intranet and Internet communications. However, due to economic pressures, i.e. increasing costs and decreasing numbers of skilled resources, it has become necessary for many organizations to centralize some of the management and control functions that would previously have been local to industrial plants, refineries, distribution facilities etc. This centralization has meant expanding the reach of the enterprise network into the industrial environment, and in doing so, exposing those industrial environments to levels of cyber risk for which they were neither secured nor designed.
Post-design security is always a much greater challenge than the “security by design and default” that we would expect today. However, the majority of attacks can still be defended against by employing the same strategy as that used for the enterprise, i.e. “Security Best Practice,” “Defence in Depth,” and “Foundational Controls.”
For Security Best Practices, select suitable frameworks such as NIST, ISO, CIS, ITIL etc. to help direct, manage and drive security programmes and ensure your strategy includes all three pillars of security; People, Process and Technology.
For defence in depth, protection should apply at all levels; Perimeter, Network and End Point. Again, make sure you are supporting your efforts using all three pillars of security; People, Process and Technology.
For Foundational Controls, select the foundational controls that best suit your environment: Firewalls, IDS/IPS, Encryption, Dual Factor Authentication, System Integrity Monitoring, Change Management, Off-line Backup, Vulnerability Management and Configuration Management, to name but a few. Don’t forget: ensure you are taking advantage of all three pillars of security; People, Process and Technology.
We will continue to see the introduction of new threats targeting the industrial technologies, but it is important to understand that good security hygiene will greatly reduce the effectiveness and therefore the success.
Senator Maria Cantwell (D-Washington), the top Democrat on the Energy and Natural Resources panel, told Politico that the malware illustrated the dangers of the fiscal 2018 budget proposed by President Donald Trump. For instance, the Trump budget proposes a reduction in funding for the Energy Department’s Office of Electricity Delivery and Energy Reliability, which works to strengthen grid defenses against hackers. “Instead of responsibly performing the requested assessment that today we’ve discovered is more necessary than ever, the administration has proposed slashing funding to the very offices tasked with protecting our grid from Russian cyberattack,” Cantwell said.
“This is where you really see the convergence of cyber and physical into destructive attacks,” Caitlin Durkovich, a former assistant secretary for infrastructure protection and now a director at Toffler Associates, told Politico. “It is concerning.” Yet she added: “We have had a very good battle rhythm and partnership between government and industry. In the last three or four years, there has been more unity of effort around the protection of the grid.” She said DHS has been, or likely would be, offering malware analysis and advice to industry and convening calls with top energy company officials. In fact, DHS’s Computer Emergency Readiness Team issued an alert Monday evening.