On December 17, 2016, a second successful attack against the Ukrainian electric grid, using malware later dubbed CrashOverride by Dragos (ESET's name for the same malware is Industroyer), caused a loss of electric service to customers. The incident is a likely state-sponsored attack against critical infrastructure and Industrial Control Systems (ICS). US-CERT has rated the risk as YELLOW (medium): "A medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." Researchers have documented the attack, its timeline and the methodologies used. Full details are available in the report published by security researchers Dragos, Inc. and in the US-CERT alert (TA17-163A).
This incident is an example of a well-coordinated, sophisticated attack against industrial processes. Most of the attacks we have seen to date are not as extensive, although they often follow the same basic methodology. ICS environments are increasingly network-connected, primarily to cut equipment and staffing costs. Those business advantages come with risks.
The sophistication of the tools used in this incident marks a significant advance in attacker capability. The malware is built as a framework with interchangeable modules, which lets attackers spend their effort on the industrial process controlled by the digital ICS rather than on reverse engineering each target, and so gives them the opportunity to cause a larger impact. This evolution is not unexpected, but it does show the maturity different threat actor types have reached at this point in time, and that maturity will only grow as these and similar tools become more widely available.
The version of the tools used in this incident is targeted specifically at electric grid operators. Because the modules speak standard ICS protocols rather than exploiting a particular vendor's product, the same framework can be reused by these or other actors to develop attacks against industrial enterprises of any type, regardless of the brand of ICS equipment the targeted organization uses.
At Unisys, we work with industrial operators on all aspects of these issues as a regular practice. This provides us with an informed perspective on the state of industrial security and effective methodologies. This incident indicates to us certain actions industrial operators should consider:
A well-thought-out response plan is critical to dealing with attacks, as the Dragos report recommends. While many ICS operators have plans for other disasters, there is typically no cybersecurity incident response plan in place. A core component of Unisys security engagements is developing and maintaining incident response plans and capabilities, so we can attest to the often less than adequate state of response planning for these events. More importantly, we can attest that industrial operators are able to develop and maintain adequate plans with reasonable and prudent resources, and we strongly recommend that such organizations pursue this path.
Corporate-wide policies and processes for industrial cybersecurity should be developed and maintained. Many organizations do not handle ICS security the way they handle traditional information assets, leaving it with less institutional structure. Often a belief in "air gaps" or in the most recent technical product impedes effective security. To quote the Dragos report, "Air gapped networks, unidirectional firewalls, anti-virus in the ICS, and other passive defenses and architecture changes are not appropriate solutions for this attack." These and other technical and procedural controls should be applied according to corporate policies and processes that account for the specific nature of the organization and its industrial processes, and should be owned by appropriately skilled staff. Organizations should maintain achievable roadmaps that deliver sustainable, measurable improvement in the technical and organizational areas of greatest consequence to their operations.
This attack could have been detected by a reasonable ICS network monitoring implementation, had one been in place, as an increase in chatter between ICS hosts (specifically OPC protocol traffic generated as the malware's OPC module enumerated servers and their items, which is a sharp departure from the steady polling pattern of a normal control network). Such monitoring is achievable now using standard tools such as a SIEM and Managed Security Services, as Unisys does today for its customers, so operators should consider implementing such solutions.
US-CERT recommends that "operators segment networks into logical enclaves and restrict host-to-host communications paths." Zoning compliant with ISA/IEC 62443 (formerly ISA-99) can be achieved with microsegmentation tools that can be added to an ICS environment without disruption or service interruption, which is critical in many industries. Defining zones and the conduits permitted between them both reduces the likelihood of a successful attack (an attacker who compromises one host cannot freely reach others) and limits its impact. Unisys has experience implementing zoning with microsegmentation alongside ICS vendor equipment, using our own microsegmentation technology, and we can attest that such architectures are achievable and meet the standard's requirements. The cost and complexity of implementing physical zoning is commonly a barrier to adopting these industry standards; we recommend that industrial operators consider achieving standards compliance with microsegmentation as an attainable alternative.
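The two points above, monitoring for an OPC chatter spike and checking host-to-host traffic against a zone/conduit allow-list, are illustrated together in the following added example. It is illustrative code written for this page, not Unisys tooling and not the Dragos or US-CERT material: the zones, hosts, conduits and flow records are all constructed, and the port-to-protocol pairings (OPC DA's DCOM endpoint mapper on TCP/135, IEC 60870-5-104 on TCP/2404) are standard facts rather than details from the incident. In a real deployment the flow records would come from a span port, a flow exporter or a SIEM.

```python
"""Added example: an OPC enumeration detector and an IEC 62443-style
zone/conduit check over constructed ICS flow records.

Not from the original post or any vendor product; every address, zone
and flow below is made up for illustration.
"""
import ipaddress
from collections import defaultdict

# Hypothetical zones for a small substation network.
ZONES = {
    "control":     ipaddress.ip_network("10.1.1.0/24"),   # HMI, RTUs, OPC server
    "engineering": ipaddress.ip_network("10.1.2.0/24"),   # engineering workstations
    "enterprise":  ipaddress.ip_network("10.2.0.0/16"),   # corporate IT
}

# Conduits: the only (source zone, destination zone, destination port) paths
# that policy allows. Everything else, including same-zone host-to-host
# traffic not listed here, is a violation. Hypothetical allow-list.
CONDUITS = {
    ("control", "control", 2404),       # HMI polls RTUs over IEC 104
    ("control", "control", 135),        # HMI talks to its one OPC server
    ("engineering", "control", 2404),   # engineers may read the same IEC 104 data
}

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, protocol).
FLOWS = [
    # Normal baseline: the HMI polls two RTUs once a minute.
    (0,   "10.1.1.10", "10.1.1.20", 2404, "iec104"),
    (0,   "10.1.1.10", "10.1.1.21", 2404, "iec104"),
    (60,  "10.1.1.10", "10.1.1.20", 2404, "iec104"),
    (60,  "10.1.1.10", "10.1.1.21", 2404, "iec104"),
    (120, "10.1.1.10", "10.1.1.20", 2404, "iec104"),
    (120, "10.1.1.10", "10.1.1.21", 2404, "iec104"),
    (300, "10.1.1.10", "10.1.1.22", 135,  "opc"),     # HMI to its OPC server
    # Burst: a compromised engineering workstation sweeps the control zone
    # for OPC servers within a few seconds.
    (600, "10.1.2.5",  "10.1.1.20", 135,  "opc"),
    (605, "10.1.2.5",  "10.1.1.21", 135,  "opc"),
    (610, "10.1.2.5",  "10.1.1.22", 135,  "opc"),
    (615, "10.1.2.5",  "10.1.1.23", 135,  "opc"),
    # Permitted by the conduit list, so only the behavioural check would notice.
    (700, "10.1.2.5",  "10.1.1.20", 2404, "iec104"),
]


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def conduit_violations(flows, conduits=CONDUITS):
    """Return every flow whose (src zone, dst zone, port) is not an allowed conduit."""
    return [f for f in flows
            if (zone_of(f[1]), zone_of(f[2]), f[3]) not in conduits]


def opc_enumeration(flows, window=60, min_targets=3):
    """Flag sources that open OPC/DCOM sessions to >= min_targets distinct hosts
    inside one fixed window. A normal client talks to one or two OPC servers;
    fanning out across many hosts is the footprint of server enumeration.
    Returns (src_ip, window_start, distinct_targets) tuples."""
    targets = defaultdict(set)
    for ts, src, dst, port, proto in flows:
        if proto == "opc":
            targets[(src, ts // window)].add(dst)
    return sorted((src, bucket * window, len(hosts))
                  for (src, bucket), hosts in targets.items()
                  if len(hosts) >= min_targets)


if __name__ == "__main__":
    for f in conduit_violations(FLOWS):
        print("conduit violation:", f)
    for src, start, n in opc_enumeration(FLOWS):
        print(f"OPC enumeration: {src} reached {n} hosts in window starting t={start}")
```

The conduit check is the enforcement view (what microsegmentation would block), while the enumeration check is the monitoring view: note that the last flow from the engineering workstation passes the conduit list, which is why the two controls belong together rather than either alone.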
Incidents such as CrashOverride only underline the industrial cybersecurity issues that boards, C-suites and technical operations staff are increasingly focusing on. Our experience providing the technical and services platforms needed to address these issues for industrial enterprises gives us confidence that these organizations can realize the business value of modern digital infrastructure while effectively managing the risk.