‘..the first known power outage caused by hackers and also the most complex cyber-attack on infrastructure to date.’ The Institute of Engineering and Technology, Jan 19, 2016
On December 23, 2015, the Prykarpattya Oblenergo and Kyivoblenergo power distribution networks in Western Ukraine lost power for three to six hours, affecting between 80,000 and 700,000 customers. The Department of Homeland Security Industrial Control Systems Cybersecurity Emergency Response Team (ICS-CERT) has since reported that the outage was likely caused by a well-coordinated cyber-attack.
The attack was well-coordinated and carried out with knowledge of the power utility’s internal systems, since it affected multiple business processes. According to the US-based security firm SANS Institute’s Industrial Control Systems (SANS ICS) blog, the attackers used the BlackEnergy3 malware to shield their actions from system operators, accessed infected computers and opened breakers to cause the outage, and then flooded the call centers so that customers calling in could not report the outage. The KillDisk disk eraser program was also found. It is thought to have been used to wipe disks in order to delay or prevent the use of SCADA for restoration efforts and to cover the attackers’ electronic tracks.
The BlackEnergy3 malware and KillDisk application appear to have entered the Utility through a spear phishing attack using a Microsoft Office related attachment. Once a machine was infected, the attackers accessed and navigated the Utility network through infected control system workstations that were connected to the Internet.
ICS-CERT recommends that utilities take defensive measures to minimize the risk of exploitation due to this insecure device configuration. Specifically, utility leaders should:
- Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
- Locate control system networks and devices behind firewalls and isolate them from the corporate business network.
- If remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
- Remove, disable, or rename any default system accounts wherever possible.
- Apply patches in the ICS environment when possible to mitigate known vulnerabilities.
- Implement policies requiring the use of strong passwords.
- Monitor the creation of administrator level accounts by third-party vendors.
In addition to the ICS-CERT recommendations, I recommend the following actions:
- Train employees in proper email security techniques and methods.
- Separate the Operational Technology (OT) network from the Information Technology (IT) network, either with a physical air gap (if possible) or with the implementation of firewall and routing technologies to logically separate them.
- Restrict physical access to the Utility network and network connected devices.
- Disable or lock down all ports (USB, Network) that are not used in connected devices.
- Perform rigorous validation and testing of any new devices that are allowed on the Utility network.
- Manage user profile privileges based on user job responsibility.
- Restrict external access to the OT network through the implementation of AAA (Authentication, Authorization, and Accounting) tools.
- Change all passwords at least every 90 days.
- Where possible encrypt data traffic.
- Implement IP and user credential logging and monitoring programs to detect possible attacks or anomalies. Review results on a regular basis.
- Review and update your risk management plan to include cybersecurity risks.
- Review and update your incident response plan, plan for system restoration and have ‘gold images’ available.
- Follow the recommendations of leading cybersecurity standards organizations like ICS-CERT, NIST, ISA/IEC, NERC.
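As an added illustration of what three of the recommendations above look like in practice (monitoring the creation of administrator-level accounts by third-party vendors, watching for use of default system accounts, and logging and reviewing IP and user credentials to detect anomalies), the following script is an example written for this article, not code from ICS-CERT, SANS or any utility. It assumes a hypothetical audit-log format of `<timestamp> <host> <EVENT> key=value ...`; the event names, the allowed address ranges, the default-account list, the failure threshold and every log line are constructed for the example.

```python
"""Added example: a small audit-log review helper for an OT network.

The log format, event names, address ranges and sample lines below are all
constructed for this example; adapt them to the real log source in use.
"""
import ipaddress
import re
from collections import Counter

# Constructed: address ranges from which operator logins to the OT network are
# expected (e.g. the control-room LAN and the VPN concentrator's address pool).
ALLOWED_SOURCE_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("10.99.5.0/24"),
]
# Constructed: default or vendor account names that should have been removed,
# disabled or renamed, so any successful use of them is worth a review.
DEFAULT_ACCOUNTS = {"admin", "administrator", "guest", "root", "vendor"}
# Constructed: failed logins per user before a burst finding is raised.
FAIL_THRESHOLD = 3

# Hypothetical audit-log line: "<timestamp> <host> <EVENT> key=value ...".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>[A-Z_]+)\s*(?P<kv>.*)$")


def parse_line(line):
    """Return a dict for one audit line, or None when it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "event": m.group("event")}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    return rec


def source_allowed(src):
    """True when src is an IP address inside one of the expected networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCE_NETS)


def review(lines):
    """Walk the audit lines once and return a list of (finding_kind, detail) tuples."""
    findings = []
    failures = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsed_line", line))
            continue
        event = rec["event"]
        if event == "ADMIN_GROUP_ADD":
            # Every change to an administrator-level group is surfaced, with the
            # acting account named so vendor-initiated changes stand out on review.
            findings.append(("admin_group_add",
                             f"{rec.get('actor')} added {rec.get('member')} to "
                             f"{rec.get('group')} on {rec['host']}"))
        elif event == "LOGIN":
            user = rec.get("user", "").lower()
            src = rec.get("src", "")
            # Successful logins from outside the expected ranges are anomalies.
            if not source_allowed(src):
                findings.append(("login_outside_allowed_nets",
                                 f"{user} logged in to {rec['host']} from {src}"))
            if user in DEFAULT_ACCOUNTS:
                findings.append(("default_account_login",
                                 f"default account {user} used on {rec['host']} from {src}"))
        elif event == "LOGIN_FAIL":
            failures[rec.get("user", "")] += 1
    # Failed-login bursts are summarised once per user rather than once per line.
    for user, count in sorted(failures.items()):
        if count >= FAIL_THRESHOLD:
            findings.append(("failed_login_burst", f"{count} failed logins for {user}"))
    return findings


# Constructed sample audit lines (not real utility logs).
SAMPLE_LOG = """\
2016-01-10T08:02:11Z hmi-01 LOGIN user=operator3 src=10.20.4.15 result=ok
2016-01-10T08:05:40Z hmi-01 LOGIN user=Administrator src=198.51.100.7 result=ok
2016-01-10T08:06:02Z dc-01 ADMIN_GROUP_ADD actor=vendor_svc member=svc_remote group=Administrators
2016-01-10T08:07:30Z hmi-02 LOGIN user=operator3 src=10.99.5.20 result=ok
2016-01-10T08:08:01Z vpn-01 LOGIN_FAIL user=operator7 src=203.0.113.9
2016-01-10T08:08:04Z vpn-01 LOGIN_FAIL user=operator7 src=203.0.113.9
2016-01-10T08:08:09Z vpn-01 LOGIN_FAIL user=operator7 src=203.0.113.9
2016-01-10T08:08:15Z vpn-01 LOGIN_FAIL user=operator7 src=203.0.113.9
"""

if __name__ == "__main__":
    for kind, detail in review(SAMPLE_LOG.splitlines()):
        print(f"{kind:28s} {detail}")
```

Run against the sample it reports four findings: a login from outside the allowed ranges, use of a default account, an administrator-group change made by a vendor service account, and a burst of failed logins. The point is the review loop, not the specific thresholds: the address ranges and account list would be taken from the utility's own inventory, and the findings would feed the regular review the recommendation calls for.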
Prior to the advent of the smart grid, the Utility industry’s security focus was primarily concerned with the physical security of a field site, through the use of perimeter fencing and detection, card readers, biometric readers, video cameras, etc. As the number of connected devices increases within a Utility network, past cybersecurity events, such as Stuxnet in Iran, Havex in Europe, and now the Ukraine power outage, all serve as reminders that increased cybersecurity diligence is required in the Utility power grid.