By Jeannine Anderson, News Editor
Cyber attackers who hit three electric distribution companies in Ukraine in late December — causing 225,000 outages that lasted for a few hours — had sophisticated knowledge of utility systems that allowed them to take advantage of vulnerabilities in supervisory control and data acquisition, or SCADA, networks, says a March 18 report on the attack.
It appears that the attackers began their reconnaissance of the utility systems six months or more before the actual attack was carried out on Dec. 23, 2015, but their intrusion into the systems was not detected, according to the report. This enabled them to invade utility control systems and to hit the three utilities with coordinated cyber attacks that were carried out within 30 minutes of each other, the report said. The report, Analysis of the Cyber Attack on the Ukrainian Power Grid, was written by a joint team from the North American Electric Reliability Corp.’s Electricity Information Sharing and Analysis Center, or E-ISAC, and SANS Industrial Control Systems.
The attackers - whose identity remains unknown - demonstrated especially strong capabilities, “not in their choice of tools or in their expertise, but in their capability to perform long-term reconnaissance operations required to learn the environment and execute a highly synchronized, multistage, multisite attack,” said the analysis.
ICS Cyber Kill Chain
The coordinated attack on the Ukrainian power grid followed the “ICS cyber kill chain” that was outlined last year by Michael Assante and Robert M. Lee of the SANS Institute, the report noted.
“The American Public Power Association applauds the development and public release of the Ukrainian power outage cyber attack analysis by E-ISAC and SANS,” said Nathan Mitchell, APPA’s senior director of electric reliability standards and security. “The ICS cyber kill chain mapping helps utilities understand how the attacker formulates a plan for an attack, Mitchell said. The defense lessons explained in the report “point to basic cyber security practices as useful tools to disrupt a cyber attack,” he said.
“The description of possible techniques used for future attacks is a clear warning that any utility which does not follow basic cyber security practices is at risk of a similar cyber attack,” Mitchell said.
APPA recommends that public power utilities sign up for the E-ISAC portal to receive similar reports on other threats and vulnerabilities of concern to the electricity industry, Mitchell noted. Some of those reports are not released to he general public. To sign up for the E-ISAC portal, contact [email protected], www.esisac.com, or call the 24-hour hotline at 404-446-9780 and press 2.
Phishing, Malware Were Used to Access Control Systems
The report by E-ISAC and SANS described how the attackers used a variety of tools, “including spear phishing emails, variants of the BlackEnergy 3 malware, and the manipulation of Microsoft Office documents that contained the malware to gain a foothold” into the electricity companies’ information technology networks. They used virtual private networks, or VPNs, to enter the industrial control systems, or ICS network.
The attackers “showed expertise, not only in network connected infrastructure, such as uninterruptable power supplies,” but also in operating the ICS network, through a supervisory control system such as the human machine interface, or HMI, the report said.
When they were ready to execute their attack on the ICS network, “the adversaries used the HMIs in the SCADA environment to open the breakers,” the report said. At least 27 substations were taken offline across the three Ukrainian energy companies.
At the same time, “the attackers uploaded the malicious firmware to the serial-to-Ethernet gateway device,” the report explained. “This ensured that even if the operator workstations were recovered, remote commands could not be issued to bring the substations back online,” a process known as blowing the bridges. Attackers also used a remote telephonic denial of service to make sure that
affected customers could not report the outages.
The report noted that once the attackers had caused the SCADA distribution management systems to open breakers and cause a power outage, “they followed this with destructive attacks against workstations, servers, and embedded devices that provide industrial communication in their distribution substations.”
“The mitigation recommended here is to understand where this type of information exists inside your business network and ICSs,” the report said. “Minimizing where the information resides and controlling access is a priority for an ICS dependent organization.”
“It is extremely important to note that neither BlackEnergy 3, unreported backdoors, KillDisk, nor the malicious firmware uploads alone were responsible for the outage,” the report said. “Each was simply a component of the cyber attack for the purposes of access and delay of restoration. The actual cause of the outage was the manipulation of the ICS itself and the loss of control due to direct interactive
operations by the adversary.”
Remote Access Can Provide Opening
Once attackers have learned a system and have stolen information, they “may be able to develop additional attack approaches,” the report warned. One place that attackers may start looking for ways to get into utility networks is through trusted third-party networks or through remote support employee connections, the report pointed out. Those trying to protect their systems against attacks “are reminded that having remote access through a trusted connection is advantageous for an attacker.”
Preparing for a multifaceted attack “is not easy and it requires careful plan review, testing, integrated defense, and operations exercises,” the report said. “Rehearsing steps to more quickly sever or prevent remote access, to safely separate the ICSs from connected networks, or to contain and isolate suspicious hosts is critical.”
Among the report’s many recommendations for utilities is to limit remote connections only to personnel that need them, and when personnel do need remote access, to ensure that they do not have access to control elements. Utilities also would be wise to consider the use of a system event monitoring system “configured and monitored specifically for high-value ICS/SCADA systems,” the report said.
The possibility that a cyber attack could affect grid operations “is something the North American electric power sector has been preparing for over many years,” said the Electricity Subsector Coordinating Council in a February 2016 statement on the Ukraine incident. “These preparations include employing technologies and rigorous security standards, forging close partnerships to protect our systems and respond to incidents, and engaging in active information sharing about threats and vulnerabilities. It’s important to note that this comprehensive approach to security is the basis for our North American security posture.”