Recently, researchers exposed ‘CRASHOVERRIDE’ (a.k.a. Industroyer) a malware that was used in an ICS cyber attack that disrupted an insecure electrical grid in Kiev last December (2016). One of the main things that makes this advanced malware exceptional, is the fact that it was designed to disrupt Industrial Control Systems (ICS) without the need to exploit any zero-day vulnerabilities or known vulnerabilities on unpatched systems. Instead, it sent legitimate commands over industrial protocols, exploiting the fact that these communications lack security controls that can prevent unauthorized access and changes.
Furthermore, due to the robust protocol implementation the functionality of this advanced malware can be easily extended and enhanced.
Exploiting Industrial Protocols
The CRASHOVERRIDE framework includes modules specific to ICS protocol stacks including IEC 101, IEC 104, IEC 61850, and OPC. These are all standard industrial protocols used in substation automation for power system monitoring, control & associated communications for telecontrol, teleprotection, and associated telecommunications for electric power systems. They enable the operators to operate physical equipment through controllers like Remote Terminal Units (RTUs), Programmable Logic Controllers (PLCs), and other control elements which control the circuit breakers. There are some differences between implementations in different countries but the overall process and engineering practices are largely the same.
Many electric sector infrastructures were designed and installed decades ago with limited security in mind. As such, they don’t include security controls to restrict access to these systems or prevent unauthorized commands. In addition, there are also no logs, or audit trails, that keep a historical trace of access and changes to control devices (this includes the Historian). As a result, an adversary who gains network access, has unfettered access to the automation systems including the RTUs. By sending legitimate commands to control systems, the adversary can open and close the substation breakers disruption the power balance across the grid.
Interestingly, CRASHOVERRIDE can be extended to include a DNP3 protocol stack: DNP3 (Distributed Network Protocol) is a set of communications protocols used in process automation systems. It is commonly used in North American utilities such as electric and water companies. This means that if CRASHOVERRIDE is extended to include a DNP3 protocol stack, it will become a significant threat to the nation’s critical infrastructure.
How Would Indegy Detect CRASHOVERRIDE?
CrashOverride is composed of a backdoor and four payload components that can be used to control the substation switches and circuit breakers:
During the reconnaissance phase, the malware mapped out the target devices and studied the grid operations. It then provided access to the ICS network flows through a backdoor module that facilitates access and enables the adversary to execute commands on the system. This phase generates anomalous network activity that is detected by and alerted on by the Indegy Industrial Cyber Security Platform in real-time.
As the attack progresses the data wiper module clears registry keys, erase files, and kill processes running on the system. It targets ICS configuration files across the local hard drive and mapped network drives. While Indegy can’t detect local activity on the infected machine, it identifies and alerts on the new and unauthorized attempts to map out the network drives.
Next, depending on the configuration file, the malware utilizes the industrial protocols to manipulate the RTUs. This type of activity is not necessary anomalous, but as demonstrated in this attack, it is a sensitive activity that must be tracked. The Indegy platform detects, documents and alerts on new usage of industrial protocols and anomalous activities providing detailed information about the events to enable ICS engineering and security professionals the quickly pinpoint the source of the problem and mitigate the threat.
Research shows that CRASHOVERRIDE gives adversaries a platform to conduct attacks against electrical grids in various environments. It is not limited to a specific vendor platforms and can be easily extended to other platforms. The way it utilizes industrial protocols makes it an advanced threat and poses a challenge for those responsible to secure electrical grids around the world.
The key to securing these and other industrial control systems is visibility and having the ability to understand ICS activity in real time. By monitoring network activity and access to critical devices, detecting anomalous activity and usage of industrial protocols, ICS engineers and security professionals can identify suspicious activity and mitigate threats before they impact these critical systems.
To learn more about Indegy’s response to recent ICS incidents you are welcome to download the following infographic: "Industrial Cybersecurity Incidents that Made the Headlines."